2

I'm making a website in which I'm trying to create a form that will send the user-input to a google spreadsheet in my google docs/drive... I found a Github project that lets people code the php... It includes 2 other php files which are needed for the script. The code is as follows:

My question is, how can I hide my password from this script under $u = / $p = ?? Anyone viewing the code can see my password.. how can I prevent that?

Link to the script's source is : http://www.farinspace.com/saving-form-data-to-google-spreadsheets/

<?php // Zend library include path set_include_path(get_include_path() . PATH_SEPARATOR . "$_SERVER[DOCUMENT_ROOT]/ZendGdata-1.8.1/library"); include_once("Google_Spreadsheet.php"); $u = "[email protected]"; $p = "password"; $ss = new Google_Spreadsheet($u,$p); $ss->useSpreadsheet("My Spreadsheet"); $ss->useWorksheet("wks2"); // important: // adding a leading alpha char prevents errors, there are issues // when trying to lookup an identifier in a column where the // value starts with both alpha and numeric characters, using a // leading alpha character causes the column and its values to be // seen as a strictly a strings/text $id = "z" . md5(microtime(true)); $row = array ( "id" => $id // used for later lookups , "name" => "John Doe" , "email" => "[email protected]" , "comments" => "Hello world" ); if ($ss->addRow($row)) echo "Form data successfully stored"; else echo "Error, unable to store data"; $row = array ( "name" => "John Q Doe" ); if ($ss->updateRow($row,"id=".$id)) echo "Form data successfully updated"; else echo "Error, unable to update spreadsheet data"; ?>
Improve this question
3
  • There needs to be a user with access to your file. Therefore, your password will be readable. How about not sharing that user with anyone or sharing your server with anyone? Commented Jun 10, 2013 at 9:31
  • 1
    Why/how would/could anyone read the code? If it's supposed to be safe, don't put passwords in codes - it's that simple. Commented Jun 10, 2013 at 10:14
  • @BLaZuRE: What do you mean by access to user? The spreadsheet will be saved to 'my' google docs account, so shouldn't the account password be my own account password? Or can I create a dummy user on google docs too? Like identities on yahoo mail? Commented Jun 10, 2013 at 10:27

3 Answers 3

Reset to default
2

You can attempt to hide if from peering eyes using the code below. It would still be discoverable if you tried, but at least it's away from open text view. All it does is add characters to the text and then subtract them before it uses the password.

Run this script using your original password

<?php $password = "test"; echo "Original Password In Plain Text = $password\n"; $len=strlen($password); $NewPassword = ""; for( $i = 0; $i <= $len-1; $i++ ) { $charcode = ord(substr( $password, $i, 1 )); $NewChar = $charcode+5; $NewLetter = chr($NewChar); $NewPassword = $NewPassword . $NewLetter; } echo "Modified Password to Use in Script = $NewPassword\n"; $OrigPassword = ""; for( $i = 0; $i <= $len-1; $i++ ) { $charcode = ord(substr( $NewPassword, $i, 1 )); $OrigChar = $charcode-5; $OrigLetter = chr($OrigChar); $OrigPassword = $OrigPassword . $OrigLetter; } echo "Convert the Modified back to the Original = $OrigPassword\n"; ?>

Add this part to your script with the new password from the above script

$password = "yjxy"; $OrigPassword = ""; for( $i = 0; $i <= $len-1; $i++ ) { $charcode = ord(substr( $password, $i, 1 )); $OrigChar = $charcode-5; $OrigLetter = chr($OrigChar); $OrigPassword = $OrigPassword . $OrigLetter; } $password = $OrigPassword; echo "Script thinks this is the password = $password\n";

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks! Is there any PHP function that can encode the password string to md5 or sha too? I read somewhere online that PHP support decrypting strings to these two formats....
It looks like they did that here link but it wouldnt work for me, my php5-mcrypt didnt like me for some reason. they give tips on fixing it here link That worked, then i ran the md5 script and it worked great!
Well, I found a website online that converts string to md5 and back to string too! Here's the link
1

The best way to hide the password is to save it in external file and then include it in your php script. Your file with this password let's say 'config.php' should be above DOCUMENT_ROOT to make it unaccesible via browser. It's common aproach and for example you can see it in Zend Framework directory structure where only "public" directory is visible for user. The proper CHMOD should be set to this file as well.

Under this link you have ZF directory structure where you can check location of config files.

Improve this answer

8 Comments

so should I include it via: 'include("config.php");' command? If so, what could be the code for the 'config.php' file??
just <?php $pass ='your pass';?> When someone wants to access it from web it will be invisible to him. As I wrote the best solution is move this file above document root.
Ok! Thanks! I understood now.. also, by document root, you mean JUST AFTER ' <?php ' ??? ie, the line right after <?php should be "include("config.php");" ?
Check the directory strucutre I've given u. Let's say your aplication is shown under /user/ your page is shown under /user/public/index.php htaccess gives access to public/ and binds domain for this directory but configs are in /user/config/config.php so user can't access then via browser but your scripts can
ok. Thanks! that makes some sense, but I'll have to check that page link with ZF directory...
|
0

This question has been asked and answered lots of times here (but not specifically for Google docs). Short answer is that there is nothing you can do.

Longer answer is that you can mitigate the possibility of the credentials being compromised by:

  • using credentials supplied the user rather than stored in code
  • using tokens supplied by the user as a means of decrypting credentials stored in your code (but this gets very complicated with lots of users)
  • storing the credentials in an include file held outside the document root
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.