Thread: HardCoding

  1. #1
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296

    HardCoding

    I hope this is the right place for this question .. sometimes that's the hardest part of making a post, lol

    Anyways, in the simplest terms possible can someone explain hard coding to me. I understand it is essentially embedding data into the source code of a program, but let's take an example that may help you help me:

    If a site admin hardcodes a password into the script of a site why wouldn't the password be in the source code? Can someone explain this to me?


    Blessings
    F
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi there IcSilk,


    That is pretty much how I understand it. Basically you are taking a value that would normally be a variable and fixing it by embedding it in your code.

    If a site admin hardcodes a password into the script of a site why wouldn't the password be in the source code? Can someone explain this to me?
    Because it will be stored in a separate table that the program looks up. This makes sense because creating a table and a maintenance routine and authorising appropriate personnel to use it is relatively simple, and a one-off job.

    You want to change passwords periodically for security reasons, and you don't want to have to go through all the change control, recompiling and testing each time you do this.

    At least I never have, although I am a notoriously lazy bugger.

  3. #3
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296
    Because it will be stored in a separate table that the program looks up
    Thanks, Nihil, I'm really new at this so please bear with me: So you mean it's stored in a separate HTML encoded table that is made inaccessible to the common user?

    Is there some way or some place I can see this, I mean actually see the concept in visual format, like a flow chart etc.?

    Anyways, let me get right to the gist of it. I've been trying to get a better handle on the internet and figure out how things work in greater depth, so I've been using various sources: w3schools, Tizag, Antionline, HackThisSite etc.

    So my question is really an attempt to understand the concept behind Basic Challenge #4 at HTS, which states:
    This time Sam hardcoded the password into the script. However, the password is long and complex, and Sam is often forgetful. So he wrote a script that would email his password to him automatically in case he forgot.
    The solution is cloning the page onto your computer, changing the 'mailto' to your own email and hitting the 'send password' button. Can someone give me a bit of a breakdown, paying attention to the reason for this post in the first place - the concept of hardcoding.

    thanx and blessings
    Last edited by IcSilk; August 2nd, 2011 at 07:44 PM.
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  4. #4
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    In this example the password is 'hardcoded' in the file because it is not something that the user has access to in a textbox. The password is located in the actual code of the html instead of asking the user for one. You shouldn't have to actually send the password to your email if you read through the code thoroughly enough. It should be within the subject or body of the data being sent in the html form that is going to be emailed.

  5. #5
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296
    In this example the password is 'hardcoded' in the file because it is not something that the user has access to in a textbox. The password is located in the actual code of the html instead of asking the user for one. You shouldn't have to actually send the password to your email if you read through the code thoroughly enough. It should be within the subject or body of the data being sent in the html form that is going to be emailed.
    I didn't find it, and since that was the case with an earlier challenge, I don't think it's that way here. But I added the source code for your perusing pleasure if it'll help.

    Thanks
    Blessings
    F
    Attached Files
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I am sorry IcSilk, but my response was based on using WANs and Citrix Metaserver in particular. I don't know HTML.

    I worked on the outskirts of London and had a project that involved our two sites in Edinburgh, Scotland. I needed to access the test ERP system in Scotland as well as our own local version.

    Locally, I would log onto our LAN and bring up the Citrix menu. It would ask me for userid and password and then take me to the application I selected from its menu, in this case the ERP suite.

    I could also select the ERP suite in Scotland and was served a similar menu without having to log on to the Scottish system. When I was actually onsite in Scotland I had to enter ID and password, just like in London. As the two were different, this told me that there was a hardcoded "master" ID and password that worked between the two sites' Citrix.

    The further details you provided tell me that Sam has to enter a password, and that he has a mechanism to retrieve it if he forgets it. That's just like AO and a load of other sites...... you hit the "forgot password" button and it e-mails it to you, based on your user ID.

    Obviously you have to keep thousands of passwords in a separate table as you couldn't hardcode them all. That is why I consider it to be the "normal" way of doing things, apart from allowing easy maintenance and better security.

    At the same site I was once sent an application by a sister site for evaluation. The guy rang me up and said "sorry, you will need the password". I replied "It's 'lager1666'............can't you guys spell Kronenbourg?" I think he was rather impressed, but that one was hardcoded just like metguru describes.

  7. #7
    Senior Member
    Join Date
    Apr 2005
    Location
    USA
    Posts
    422
    I skimmed through the html and it seems that you're right. The password is not in the html, which means you will actually have to modify the file and download it to use the form with your email address instead.

    The password is hard coded, but it is in the php code, which is not available at the client side. This means that the password is in plaintext on the server, but is only accessed through the form post of "to" with an email to send to. In this case the information is still accessible at the client side through changing the email in the form in the html code.
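    The pattern metguru describes, as an added example that is not the HTS challenge's own code or anything from this thread: a server-side PHP handler holds the secret, the client is only asked where to send it, and the recipient is trusted straight from the form. The hardened version beside it looks the recipient up from server-side records and sends a one-time reset token instead of the credential. Field names ('to', 'user'), the constant name and the sample table are assumptions.

```php
<?php
// Constructed illustration; SECRET is a placeholder, not the real challenge value.
const SECRET = 'example-hardcoded-password';

// --- Vulnerable handler: recipient chosen by the client ---------------------
// Whatever the browser puts in the "to" field (including a field edited in a
// saved copy of the page) decides who receives the hardcoded secret.
function vulnerable_send_password(array $post): ?array
{
    if (empty($post['to'])) {
        return null;
    }
    return ['to' => $post['to'], 'body' => SECRET];
}

// --- Hardened handler: recipient taken from server-side records -------------
// Constructed user table: account id => registered e-mail address.
const USERS = ['sam' => 'sam@example.invalid'];

function hardened_send_reset(array $post, array $users): ?array
{
    if (empty($post['user']) || !isset($users[$post['user']])) {
        return null;   // unknown account: send nothing, reveal nothing
    }
    // Mail a one-time reset token to the address on record. The stored
    // credential should be a hash, so there is no password to e-mail at all.
    $token = bin2hex(random_bytes(16));
    return ['to' => $users[$post['user']], 'body' => "Reset token: $token"];
}

// Demonstration: the same tampered form submission handled both ways.
$tampered = ['to' => 'tampered@example.invalid', 'user' => 'sam'];
var_dump(vulnerable_send_password($tampered)['to']);   // tampered address wins
var_dump(hardened_send_reset($tampered, USERS)['to']); // sam's own address
```

    The only client-controlled input the hardened handler acts on is the account id, and the worst a tampered request can do is trigger a reset e-mail to the legitimate owner.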

  8. #8
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296
    I am sorry IcSilk, but my response was based on using WANs and Citrix Metaserver in particular. I don't know HTML
    Lmao, in an ironic twist it was your misunderstanding that kinda helped put things into perspective for me, Nihil. Thank you man.

    And thanx to Metguru, you both helped me understand this simple concept better. I was confused because when I looked at the source I did not see the password hardcoded anywhere, and wondered why you would have to clone the site and go through the other steps if it were. Because of my low level of sophistication I did not even think about server side scripts.

    So thanks to you both, not only did I learn something but I think my perspective has slightly broadened and matured too.


    Blessings
    F
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily
