
Thread: Sha1

  1. #1 rafiki (Senior Coder)

    Sha1

    Adding sha1 and MySQL security,
    PHP Code:
    $password = $_POST['password'];
    $password = sha1($password);
    // password is now encrypted?

    // adding mysql security
    // need a tut for it
    // any1 know a decent site? 
    Is this adding a sha1() to $password?
    And how can I secure my database by stripping it of any attacks, or threats?

  • #2 Nightfire (Senior Coder)
    A start would be to use mysql_real_escape_string(). Strip out quotes, commas, semi-colons etc. from what the user has entered too.

  • #3 Inigoesdr (Super Moderator)
    Quote Originally Posted by rafiki View Post
    is this adding a sha1() to $password?
    Yes...
    Quote Originally Posted by rafiki View Post
    and how can i secure my database by striping it of any attacks, or threats?
    You really can't, especially on a shared host.

    Just to clarify too, sha1 isn't encrypting the password; it generates a one-way hash of the password text. You can't directly recover the original password text, but if you had the hash you could brute-force it eventually (it's been done). The more complicated the password (case changes, numbers, other characters), the harder it would be to brute-force.

  • #4 rafiki (Senior Coder)
    Is sha1() the best way to hash a password? Or should I go for md5()?

  • #5 Inigoesdr (Super Moderator)
    Out of the two you should use sha1, but if your host has PHP5 you should be able to use hash() which can handle sha256, and sha512 among others.

  • #6 rafiki (Senior Coder)
    I'm not sure which version it's using; which way would you personally recommend? I can try using hash() by making a new file and adding
    PHP Code:
    $test = 'qwerty';
    $test = hash('sha256', $test);
    echo "$test";

    but is that the best option? Oh, and not looking to add salt.

  • #7 Inigoesdr (Super Moderator)
    PHP Code:
    echo hash('sha256', 'qwerty'); 
    or
    PHP Code:
    phpinfo(); 

  • #8 rafiki (Senior Coder)
    Fatal error: Call to undefined function: hash() in /home/www/rafiki.freehostia.com/test.php on line 2
    Looks like I can't hash.

  • #9 aedrin (Senior Coder)
    Use prepared statements with anything that handles login queries.

    Add a salt to your passwords. A salt is an additional column with for example 8 random letters+numbers. When encoding the password using sha1() or hash(), you'd do it like this:

    PHP Code:
    $password = sha1("password" . $salt); 
    Write a class or include file that handles the login, so you can always add more security without having to modify your site.
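The salt-plus-prepared-statement advice in this post, post #3's point that a bare hash can be brute-forced, and post #5's hash() put together as one runnable PHP script. This is an example added here, not code from the thread or from any poster. It assumes PHP 7 or later with the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL, and the users table, the user, and the short password list are constructed for the example.

```php
<?php
// Added example, not code from the thread. Salted hashing plus prepared
// statements, as suggested in post #9, using hash() from post #5 so the
// algorithm can be switched. Runs stand-alone against an in-memory SQLite
// database via PDO (assumes PHP >= 7.0 with the pdo_sqlite extension);
// for MySQL change the DSN and the CREATE TABLE, nothing else.

// 8 random bytes, hex-encoded to 16 characters, stored beside the hash.
function makeSalt(): string {
    return bin2hex(random_bytes(8));
}

// Post #9's construction, sha1(password . salt), generalised so that
// 'sha256' or 'sha512' (post #5) can be used where hash() exists.
function hashPassword(string $password, string $salt, string $algo = 'sha1'): string {
    return hash($algo, $password . $salt);
}

function createUser(PDO $db, string $username, string $password): void {
    $salt = makeSalt();
    $stmt = $db->prepare('INSERT INTO users (username, salt, pwhash) VALUES (?, ?, ?)');
    $stmt->execute([$username, $salt, hashPassword($password, $salt)]);
}

function checkLogin(PDO $db, string $username, string $password): bool {
    // Vulnerable form this replaces (never build SQL by string interpolation):
    //   $db->query("SELECT salt, pwhash FROM users WHERE username = '$username'");
    // With a bound parameter the input is data, never SQL, so a username
    // such as "rafiki' OR '1'='1" simply matches no row.
    $stmt = $db->prepare('SELECT salt, pwhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Constant-time comparison: a plain == stops at the first differing
    // character and leaks timing information about the stored hash.
    return hash_equals($row['pwhash'], hashPassword($password, $row['salt']));
}

// Post #3's brute-force point: an unsalted hash of a common password is in
// any precomputed table; a salted one has to be attacked per user.
function inPrecomputedTable(string $hash): bool {
    // Constructed stand-in for a real lookup table of common passwords.
    static $table = null;
    if ($table === null) {
        $table = [];
        foreach (['123456', 'password', 'qwerty', 'letmein'] as $guess) {
            $table[sha1($guess)] = $guess;
        }
    }
    return isset($table[$hash]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT NOT NULL, pwhash TEXT NOT NULL)');

createUser($db, 'rafiki', 'qwerty');

printf("correct password:       %s\n", checkLogin($db, 'rafiki', 'qwerty') ? 'accepted' : 'rejected');
printf("wrong password:         %s\n", checkLogin($db, 'rafiki', 'letmein') ? 'accepted' : 'rejected');
printf("injection attempt:      %s\n", checkLogin($db, "rafiki' OR '1'='1", 'x') ? 'accepted' : 'rejected');
printf("unsalted sha1 in table: %s\n", inPrecomputedTable(sha1('qwerty')) ? 'yes' : 'no');
printf("salted sha1 in table:   %s\n", inPrecomputedTable(hashPassword('qwerty', makeSalt())) ? 'yes' : 'no');
```

The salt is stored in the clear next to the hash, as post #9 describes; its job is not secrecy but making every user's hash unique so one precomputed table no longer covers the whole database. Note that sha1 and sha256 are fast hashes, so a salted hash still falls to a dictionary attack on a single user at high speed; on any PHP new enough to run this script, password_hash() and password_verify() give a slow, salted hash and are what should be used for real logins.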

  • #10 rafiki (Senior Coder)
    Quote Originally Posted by aedrin View Post
    Use prepared statements with anything that handles login queries.

    Add a salt to your passwords. A salt is an additional column with for example 8 random letters+numbers. When encoding the password using sha1() or hash(), you'd do it like this:

    PHP Code:
    $password = sha1("password" . $salt); 
    Write a class or include file that handles the login, so you can always add more security without having to modify your site.
    I've never written a class, but I'm just trying to "upgrade" my skills atm; I'll start doing more and more different things as I progress.

  • #11 aedrin (Senior Coder)
    It might be a good introduction to it then.

    They can be quite useful as generic tools. Such as a login system. But it shouldn't be too hard to write one. Depending on your understanding of object oriented programming of course.

  • #12 timgolding (Senior Coder)
    The system I use hashes it with javascript before it sends it down.
    You can not say you know how to do something, until you can teach it to someone else.

  • #13 Inigoesdr (Super Moderator)
    What kind of hash do you do with javascript? And what happens if their browser doesn't support javascript?

  • #14 timgolding (Senior Coder)
    It was an old md5 system I created. It required javascript to log in, but since 99% of the audience were Windows gamers and had XP SP2, they had javascript, so I didn't get any problems this time.
