Topic: Increased Security and Code Optimization

For logins, I like how you've switched to SHA1, however you still don't use salts. Hackers have pre-generated lists of SHA1 encoded words. If you used salts, they'd have to regenerate their entire list to crack just one password.

Salt basically works on this principle:

user's password: password
user's password + salt: password51MmfJzkfL5
sha1: sha1(password51MmfJzkfL5)
password stored in DB: (sha1)51MmfJzkfL5

So when they login, the server grabs the last # chars (your salt), appends it to the submitted password, generates the SHA1, and compares.


Also, reviewing your code you do this many times:

<?php echo $var ?>

This is the shorthand version and may save some keystrokes in the future:

<?=$var ?>

This performs the exact same echo.
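The salt scheme described above, written out as an added example in PHP (this is not code from the post or from the forum software). It assumes an 11-character salt, matching the post's "51MmfJzkfL5", and uses hash_equals() and random_int() which exist in current PHP.

```php
<?php
// Added example of the "hash then append salt" scheme from the post above.
// Assumptions: SALT_LEN of 11 (like the post's example); sha1() hex output is
// always 40 characters, so the salt is everything after position 40.

const SALT_LEN = 11;

// Build a random alphanumeric salt of SALT_LEN characters.
function make_salt(): string
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $salt = '';
    for ($i = 0; $i < SALT_LEN; $i++) {
        $salt .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $salt;
}

// Value to store in the DB: sha1(password . salt) with the salt appended.
function store_password(string $password, ?string $salt = null): string
{
    $salt = $salt ?? make_salt();
    return sha1($password . $salt) . $salt;
}

// On login: take the trailing SALT_LEN chars as the salt, append it to the
// submitted password, hash, and compare against the leading 40 chars.
function check_password(string $submitted, string $stored): bool
{
    if (strlen($stored) !== 40 + SALT_LEN) {
        return false;   // malformed row: treat as a failed login, not an error
    }
    $hash = substr($stored, 0, 40);
    $salt = substr($stored, 40);
    // hash_equals() compares in constant time regardless of where strings differ.
    return hash_equals($hash, sha1($submitted . $salt));
}

// Demo with the values used in the post.
$stored = store_password('password', '51MmfJzkfL5');
echo $stored, "\n";
var_dump(check_password('password', $stored));
var_dump(check_password('Password', $stored));
// Same password for two users yields two different stored values.
var_dump(store_password('password') === store_password('password'));
```

Because the salt is random per user, two accounts with the same password no longer share a stored hash, which is what defeats the pre-generated lists the post mentions.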

Re: Increased Security and Code Optimization

This is the shorthand version and may save some keystrokes in the future:

<?=$var ?>

This performs the exact same echo.

Don't do that. Ever. Cos many servers don't support short tags.

3 (edited by snowman 2006-02-22 19:33)

Re: Increased Security and Code Optimization

What kind of server wouldn't?

Re: Increased Security and Code Optimization

snowman wrote:

What kind of server wouldn't?

Servers without the --enable-short-tags I believe.

Re: Increased Security and Code Optimization

Well, anyone who turned short tags off. And that's a surprising lot.

6 (edited by Reines 2006-02-22 20:44)

Re: Increased Security and Code Optimization

elbekko wrote:

Well, anyone who turned short tags off. And that's a surprising lot.

Short tags are off in the default httpd.conf that comes with Apache, so more like anyone who didn't turn them on.

The password salt suggestion isn't a bad one though.

Re: Increased Security and Code Optimization

It's not an Apache setting, it's a PHP setting, and it is on by default. Code meant for redistribution should be written to work without it.

Re: Increased Security and Code Optimization

Nibbler(cpg) wrote:

It's not an Apache setting, it's a PHP setting, and it is on by default. Code meant for redistribution should be written to work without it.

I'm not sure about anyplace else, but php.ini-recommended for Windows has it off by default:

; Allow the <? tag.  Otherwise, only <?php and <script> tags are recognized.
; NOTE: Using short tags should be avoided when developing applications or
; libraries that are meant for redistribution, or deployment on PHP
; servers which are not under your control, because short tags may not
; be supported on the target server. For portable, redistributable code,
; be sure not to use short tags.
short_open_tag = Off

Re: Increased Security and Code Optimization

I was looking at php.ini-dist, which has the out-of-box default settings. php.ini-recommended contains non-standard settings.

Re: Increased Security and Code Optimization

I figured; it explained a bit about why my setup was so odd.

Re: Increased Security and Code Optimization

Lol, we prolly have about the same setup, Smartys.

Re: Increased Security and Code Optimization

Salts are a good idea. It's on the todo list.

We don't use short tags because some servers might have it disabled. The number of servers is irrelevant. The fact that there are servers out there with it disabled forces us to not rely on it. Personally, I think short tags are a bad idea. For example, what happens if you create a PHP script that starts with:

<?xml version="1.0" encoding="ISO-8859-1"?>

Well, you get a parse error.

Re: Increased Security and Code Optimization

Rickard wrote:

Personally, I think short tags are a bad idea. For example, what happens if you create a PHP script that starts with:

<?xml version="1.0" encoding="ISO-8859-1"?>

Well, you get a parse error.

Yeah, it works that way with my host, and it drives me crazy.

Re: Increased Security and Code Optimization

Is this salt really needed? A cracker first needs to obtain the hashed password somehow, which is practically impossible without getting into the DB itself.

Re: Increased Security and Code Optimization

Well, would you be comfortable with the fact that the admin could easily crack your password by looking at the DB?

Re: Increased Security and Code Optimization

Browse hacker forums. Even experienced hackers/crackers won't even bother trying to hack a database with salted sha1 passwords.