Heya. Been a while since I wrote a login/registration script, could someone just go over this and point out anything I've missed (and yes, I'm aware the hashing algorithm won't work very far back in PHP versions, and that it's perhaps insanely secure to really use)? Thanks folks.

PHP:
<?php
function HashCrypt($Value, $Hash_Algo = 'haval256,5', $Crypt_Salt = '$2a$zoId9e3MVc3p', $Hash_RawOutput = FALSE)
{
    // Random string, with $2a$ at the start
    $Crypt_Value = crypt($Value, $Crypt_Salt);
    $Hash_Value = hash($Hash_Algo, $Crypt_Value, $Hash_RawOutput);
    return $Hash_Value;
}

echo HashCrypt('Pos1tron'); // Basic Implementation example
?>
If they didn't compile PHP with the HASH library this won't work. I recommend just using the raw commands such as md5, sha1 and so forth... A login system really doesn't need this much security... If they got to the database, they would most likely have your files too and just write a logger for the POST variables.
Hashing hashes doesn't increase security. At best it just increases overhead and at worst it reduces security by increasing the probability of a hash collision.
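
For comparison with the fixed-salt HashCrypt() in the first post, an added example (not written by anyone in the thread) using PHP's built-in password_hash() and password_verify(), which generate a random salt per password and store it inside the hash string. The function names register_hash and verify_login are hypothetical, the cost of 12 is an assumed value, and the code needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Assumed work factor; raise it as hardware gets faster.
const BCRYPT_OPTIONS = ['cost' => 12];

// Registration: password_hash() draws a fresh random salt on every call and
// embeds the algorithm, cost and salt in the string it returns, so only this
// one value has to be stored per user.
function register_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Login: password_verify() reads the salt and cost back out of $stored,
// recomputes the hash and compares in constant time.
// Returns the hash to keep in the database on success, or null on failure.
function verify_login(string $password, string $stored): ?string
{
    if (!password_verify($password, $stored)) {
        return null;
    }
    // If the stored hash was made with an older cost, upgrade it now while
    // the plaintext password is available.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        return register_hash($password);
    }
    return $stored;
}

// Constructed sample input: two accounts that share the same password.
$alice = register_hash('Pos1tron');
$bob   = register_hash('Pos1tron');

// With a per-password salt the two stored values differ, so one cracked
// entry does not reveal every other account using the same password.
var_dump($alice === $bob);

// Both accounts still verify against their own stored hash.
var_dump(verify_login('Pos1tron', $alice) !== null);
var_dump(verify_login('Pos1tron', $bob) !== null);

// A wrong password is rejected.
var_dump(verify_login('pos1tron', $alice) === null);
```

bcrypt only uses the first 72 bytes of the password, so longer inputs are effectively truncated.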