Sha1



rafiki
03-09-2007, 02:21 AM
adding sha1 and MYSQL security,

$password = $_POST['password'];
$password = sha1($password);
// password is now encrypted?

// adding mysql security
// need a tut for it
// any1 know a decent site?


Is this adding a sha1() to $password?
And how can I secure my database by stripping it of any attacks or threats?

Nightfire
03-09-2007, 02:25 AM
A start would be to use mysql_real_escape_string(). Strip out quotes, commas, semi-colons etc. from what the user has entered too.

Inigoesdr
03-09-2007, 02:29 AM
is this adding a sha1() to $password?
Yes...

And how can I secure my database by stripping it of any attacks or threats?
You really can't, especially on a shared host.

Just to clarify too, sha1 isn't encrypting the password; it generates a one-way hash of the password text. You can't directly recover the original password text, but if you had the hash you could brute-force it eventually (it's been done). The more complicated the password (case changes, numbers, other characters), the harder it would be to brute-force.

rafiki
03-09-2007, 02:33 AM
Is sha1() the best way to hash a password? Or should I go for md5()?

Inigoesdr
03-09-2007, 02:41 AM
Out of the two you should use sha1, but if your host has PHP5 you should be able to use hash() which can handle sha256, and sha512 among others.

rafiki
03-09-2007, 02:44 AM
I'm not sure which version it's using. Which way would you personally recommend? I can try using hash() by making a new file and adding

$test = 'qwerty';
$test = hash($test);
echo "$test";

But is that the best option? Oh, and I'm not looking to add salt.

Inigoesdr
03-09-2007, 02:46 AM
echo hash('sha256', 'querty');
or

phpinfo();

rafiki
03-09-2007, 02:56 AM
Fatal error: Call to undefined function: hash() in /home/www/rafiki.freehostia.com/test.php on line 2
Looks like I can't hash :(

aedrin
03-09-2007, 04:41 PM
Use prepared statements with anything that handles login queries.

Add a salt to your passwords. A salt is an additional column with for example 8 random letters+numbers. When encoding the password using sha1() or hash(), you'd do it like this:



$password = sha1("password" . $salt);


Write a class or include file that handles the login, so you can always add more security without having to modify your site.
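As an added example (not code from this thread or from any of the posters), here is what the two suggestions above look like when put together: the query goes through PDO prepared statements, so the quotes and semi-colons Nightfire mentions never need to be stripped because they are bound as data rather than SQL, and each user gets a per-row random salt that is hashed with the password as sha1(password . salt), exactly as aedrin describes. The table name users and the columns username, salt and password_hash are assumed, as is PHP 7 or later (random_int() and hash_equals()); SQLite is used only so the file runs without a MySQL server.

```php
<?php
// Added example: a small login helper combining PDO prepared statements with a
// per-user random salt. Table/column names are assumed, not from the thread.

class UserAuth
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // 8 random letters+digits, as described in the post. random_int() (PHP 7+)
    // gives an unpredictable salt, unlike rand().
    public static function makeSalt(int $length = 8): string
    {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
        $salt = '';
        for ($i = 0; $i < $length; $i++) {
            $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
        return $salt;
    }

    // sha1(password . salt) exactly as in the post; where hash() exists,
    // hash('sha256', $password . $salt) is a drop-in replacement.
    public static function hashPassword(string $password, string $salt): string
    {
        return sha1($password . $salt);
    }

    public function register(string $username, string $password): void
    {
        $salt = self::makeSalt();
        $stmt = $this->db->prepare(
            'INSERT INTO users (username, salt, password_hash) VALUES (:u, :s, :h)'
        );
        $stmt->execute([
            ':u' => $username,
            ':s' => $salt,
            ':h' => self::hashPassword($password, $salt),
        ]);
    }

    public function login(string $username, string $password): bool
    {
        // The username is bound as a parameter: whatever the user typed is data,
        // never part of the SQL text, so nothing has to be escaped by hand.
        $stmt = $this->db->prepare(
            'SELECT salt, password_hash FROM users WHERE username = :u'
        );
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false;
        }
        // Recompute the hash with the stored salt; hash_equals() compares in
        // constant time so the comparison itself leaks nothing about the hash.
        return hash_equals($row['password_hash'], self::hashPassword($password, $row['salt']));
    }
}

// Constructed demo data in an in-memory SQLite database (no MySQL needed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, password_hash TEXT)');

$auth = new UserAuth($db);
$auth->register("o'brien", 'qwerty');            // a quote in the username is fine
var_dump($auth->login("o'brien", 'qwerty'));     // correct password
var_dump($auth->login("o'brien", 'wrong'));      // wrong password
var_dump($auth->login('nobody', 'qwerty'));      // unknown user
```

For MySQL, swap the DSN for something like new PDO('mysql:host=localhost;dbname=yourdb', $user, $pass); the prepare()/execute() calls stay the same. Because the salt is stored next to the hash, two users with the same password end up with different hashes, and a precomputed table of plain sha1 values is useless against the stored rows.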

rafiki
03-09-2007, 05:32 PM
Use prepared statements with anything that handles login queries.

Add a salt to your passwords. A salt is an additional column with for example 8 random letters+numbers. When encoding the password using sha1() or hash(), you'd do it like this:



$password = sha1("password" . $salt);

Write a class or include file that handles the login, so you can always add more security without having to modify your site.
I've never written a class :( but I'm just trying to "upgrade" my skills atm. I'll start doing more & more different things as I progress.

aedrin
03-09-2007, 08:25 PM
It might be a good introduction to it then.

They can be quite useful as generic tools. Such as a login system. But it shouldn't be too hard to write one. Depending on your understanding of object oriented programming of course.

timgolding
03-10-2007, 12:48 AM
The system I use hashes it with javascript before it sends it down.

Inigoesdr
03-10-2007, 01:35 AM
What kind of hash do you do with javascript? And what happens if their browser doesn't support javascript?

timgolding
03-12-2007, 12:13 AM
It was an old md5 system I created. It required javascript to log in, but since 99% of the audience were windows gamers and had XP sp2 they had javascript, so I didn't get any problems this time.


