
Top 10 PHP Security Blunders

Discussion in 'PHP' started by salahsoftware.com, Mar 4, 2009.

  1. salahsoftware.com

    salahsoftware.com Peon

    Messages:
    249
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #21
    Salt? Is it available in PHP?
     
    salahsoftware.com, Mar 9, 2009 IP
  2. SmallPotatoes

    SmallPotatoes Peon

    Messages:
    1,321
    Likes Received:
    41
    Best Answers:
    0
    Trophy Points:
    0
    #22
    Just add a couple random characters (the salt) to passwords before running them through your hash function. Store the salt in a separate field in the database and use it when verifying the password later. This will vastly reduce the risk of dictionary attacks in the event that someone gets a hold of the hashed password.
     
    SmallPotatoes, Mar 9, 2009 IP
  3. salahsoftware.com

    salahsoftware.com Peon

    Messages:
    249
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #23
    @SmallPotatoes, any example of using salt?
     
    salahsoftware.com, Mar 9, 2009 IP
  4. Gray Fox

    Gray Fox Well-Known Member

    Messages:
    196
    Likes Received:
    8
    Best Answers:
    0
    Trophy Points:
    130
    #24
    In config.php (just an example) put:
    $site_key = "your unique word, phrase or just some gibberish";

    So when a new user registers or logs in, you access their input password with:
    $password = md5($_POST['password'] . $site_key);

    This is just an example, you can use your imagination :)
     
    Gray Fox, Mar 9, 2009 IP
  5. salahsoftware.com

    salahsoftware.com Peon

    Messages:
    249
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #25
    What about this:

    $password = md5($_POST['password'] . md5($site_key));
     
    salahsoftware.com, Mar 9, 2009 IP
  6. SmallPotatoes

    SmallPotatoes Peon

    Messages:
    1,321
    Likes Received:
    41
    Best Answers:
    0
    Trophy Points:
    0
    #26
    No point, and might even be less secure. Gray Fox's answer is the way to go.
     
    SmallPotatoes, Mar 9, 2009 IP
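Added example (not posted by anyone in this thread): a complete register/verify pair that does what SmallPotatoes describes in #22 (a random salt per user, stored in its own field and reused at login) and also keeps a site-wide secret in config.php the way Gray Fox suggests in #24. It assumes PHP 7 or later (for random_bytes and hash_equals); the function names, the SITE_KEY constant and the in-memory $users array standing in for the database table are assumptions made for illustration. SHA-256 via hash_hmac is used in place of the thread's md5 calls.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.
declare(strict_types=1);

// Site-wide secret that would live in config.php (assumed name).
// It is NOT stored in the database, unlike the per-user salt.
const SITE_KEY = 'your unique word, phrase or just some gibberish';

// A fresh random salt for one account: 16 random bytes, hex encoded.
function generate_salt(): string
{
    return bin2hex(random_bytes(16));
}

// Hash the salted password, keyed with the site-wide secret.
// HMAC-SHA256 stands in for the md5() calls used in the thread.
function hash_password(string $password, string $salt): string
{
    return hash_hmac('sha256', $salt . $password, SITE_KEY);
}

// Registration: store the salt in its own field next to the hash,
// as post #22 describes.
function register(array &$users, string $username, string $password): void
{
    $salt = generate_salt();
    $users[$username] = [
        'salt' => $salt,
        'hash' => hash_password($password, $salt),
    ];
}

// Login: recompute the hash with the stored salt and compare in
// constant time so the comparison itself leaks nothing.
function verify(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Hash anyway so an unknown username takes as long as a known one.
        hash_password($password, generate_salt());
        return false;
    }
    $row = $users[$username];
    return hash_equals($row['hash'], hash_password($password, $row['salt']));
}

// Constructed in-memory "users table" standing in for the database.
$users = [];
register($users, 'alice', 'correct horse battery staple');
register($users, 'bob', 'correct horse battery staple');

// Same password, different salts, different stored hashes.
var_dump($users['alice']['hash'] !== $users['bob']['hash']);
var_dump(verify($users, 'alice', 'correct horse battery staple'));
var_dump(verify($users, 'alice', 'wrong password'));

// Since PHP 5.5 the same idea is built in: password_hash() generates and
// stores its own random salt inside the returned string, and
// password_verify() reads it back, so no separate salt column is needed.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $stored));
```

The per-user salt is what defeats the precomputed dictionary attack from #22: two users with the same password end up with different hashes, so one lookup table no longer covers the whole database. The site-wide key from #24 adds a second factor that an attacker with only a database dump does not have, which is why the two are combined here rather than treated as alternatives.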