Today's Posts Follow Us On Twitter! TFL Members on Twitter  
Forum search: Advanced Search  
Navigation
Marketplace
  Members Login:
Lost password?
  Forum Statistics:
Forum Members: 24,256
Total Threads: 81,169
Total Posts: 566,838
There are 36 users currently browsing (tf).
 
  Our Partners:
 
  TalkFreelance     Business and Website Management     Articles From The Experts :

Making secure php programs

Thread title: Making secure php programs
Closed Thread  
Page 3 of 3 < 1 2 3
    Thread tools Search this thread Display Modes  
02-02-2008, 08:54 PM
#21
Wildhoney is offline Wildhoney
Wildhoney's Avatar
Status: Request a custom title
Join date: Feb 2006
Location: Nottingham
Expertise:
Software:
 
Posts: 1,648
iTrader: 18 / 95%
 

Wildhoney is on a distinguished road

Send a message via AIM to Wildhoney Send a message via MSN to Wildhoney Send a message via Yahoo to Wildhoney

  Old

Originally Posted by RaZoR^ View Post
In terms of cookies, I've always gone along the lines of storing the user's sessionID. Although the principle of hashing the data still applies.

Another great tip for hashing is to create a custom encryption method and encrypt the data to be stored in the database, and decrypt it when you retrieve the data. This is good because if a cracker got into the database using any method, they would find it a bit more difficult to crack because they wouldn't know what the password hashes were made up of. It immediately makes dictionary attacks more difficult, and if you make a good encryption which increases the length of the plaintext before it's hashed, you can slow down brute-force attacks a lot as well. Most of the time, it will keep all your users safe, but even just a weak encryption might keep your users safe whilst you restore a database backup, secure a hole and post an announcement on the site telling people to change their passwords on your site and any other sites with the same password.

The alternative I had to that was to salt the hashes. The salt is a string that's put into every password to make the hash much harder to crack. A 1-character hash might just prevent dictionary attacks; a 5-character salt would be much more effective towards both dictionary and brute-force attacks. The salt doesn't need to go anywhere specific; in the middle is best (split the password in half, then define a new variable to hold the first half, the salt, the second half), but the salt could even just go at the start or the end ( $passwordHashed = md5($password . $salt); ). The salt can either be a fixed salt, stored in the script, or it could be randomly generated when the user creates their account and stored alongside their database record. Hard-coding it into the text file means anyone with database access still won't have it, unless they manage to crack a password and see it sticking out. Storing a random one in the database means that the cracker will find it more difficult to tailor their cracker to crack all the md5 hashes they have because all the salts will be different.

Sorry, I'll shush now lol... very good article though... a solid ground for building up knowledge of security, and covers the most important aspect, SQL injection.
http://www.talkphp.com/tips-tricks/1...-chloride.html
http://www.talkphp.com/tips-tricks/1...phy-salts.html

02-02-2008, 08:58 PM
#22
RaZoR^ is offline RaZoR^
RaZoR^'s Avatar
Status: Member
Join date: Feb 2006
Location:
Expertise:
Software:
 
Posts: 191
iTrader: 1 / 100%
 

RaZoR^ is on a distinguished road

  Old

Very good article there. Except for that very last line of PHP:


$password = sha1(md5(md5(sha1(md5(sha1(sha1('dog'))))))); // much better, hackers would be quite good to decrypt that.
That would be fairly CPU time hungry, although I think its slow execution is mentioned just after it in the article

02-03-2008, 09:16 PM
#23
Wildhoney is offline Wildhoney
Wildhoney's Avatar
Status: Request a custom title
Join date: Feb 2006
Location: Nottingham
Expertise:
Software:
 
Posts: 1,648
iTrader: 18 / 95%
 

Wildhoney is on a distinguished road

Send a message via AIM to Wildhoney Send a message via MSN to Wildhoney Send a message via Yahoo to Wildhoney

  Old

Well, if you read it, I pulled that technique apart completely. Wasn't me suggesting that, it was someone else I found suggesting it -- and I was appalled.

Closed Thread  
Page 3 of 3 < 1 2 3


Thread Tools
Display Modes

  Posting Rules  
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump:
 
  Contains New Posts Forum Contains New Posts   Contains No New Posts Forum Contains No New Posts   A Closed Forum Forum is Closed