RE: [PHP-DB] MD5, MySQL, and salts

2006-04-17 Thread Bastien Koert


You need the key to be easily available, so row id or a set date field (one
that does not change, as opposed to a timestamp type field).


bastien


From: "Sean Mumford" <[EMAIL PROTECTED]>
To: 
Subject: [PHP-DB] MD5, MySQL, and salts
Date: Mon, 17 Apr 2006 15:33:58 -0400

Hi Guys,
I'm working on securing user passwords in a MySQL 4 database with a PHP5
frontend. I remember being told in one of my classes (I'm currently a
college junior) that the best way would be to hash a salt and the password
together and then store the hash in the database instead of the plain MD5
hash. My question is, what is a good method for the server and the database
to agree on a salt value to use? I know I could use a predefined variable,
but I was wondering if something dynamic might be better (timestamp, current
date, something like that). Any ideas? Thanks in advance!
-Sean


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] can you use php to connect to both FileMaker and MySQL simultaneously

2006-04-17 Thread Benjamin Adams

If you are using FileMaker 8.0, you can connect using ODBC.

On Apr 17, 2006, at 3:17 PM, Michael Scappa wrote:

I've never done it, but assuming there is a connector for FileMaker, there
is no reason you shouldn't be able to.

-Original Message-
From: Tami Williams [mailto:[EMAIL PROTECTED]
Sent: Monday, April 17, 2006 3:14 PM
To: php-db@lists.php.net
Subject: [PHP-DB] can you use php to connect to both FileMaker and MySQL
simultaneously

Thanks in advance for any help.

Can you use php to connect to both FileMaker and MySQL
simultaneously?  Has anyone ever done it?




Re: [PHP-DB] MD5, MySQL, and salts

2006-04-17 Thread Julien Bonastre
True in some form, it always comes down again to the strength and 
integrity of the original password.


Yes, even if a salt is unknown and it is a plain text, dictionary 
password, then it doesn't take much for a brute force attempt at just 
using the first two characters of each word and salting it with the word 
to create the hash and seeing if it matches.


But just knowing the two character salt doesn't overly help in 
decrypting the hash. Using a custom hash particularly using part of the 
key itself as the hash increases the integrity and uniqueness of the 
hash by an exponential factor. You have two values now that are 
affecting the hash output value.




Something to chew on...

-J B

This begs the question of what would this method buy you over MD5? 
Some people have "issue" with like passwords looking the same with MD5 
encryption, also a one way hash.
But if you know the salt, then like passwords would also look the 
same, right?

-B

Giff Hammar wrote:

For an example, look at how UNIX/Linux stores regular login passwords. In
short, the salt is the first two characters in the password. When comparing
passwords, you take the salt and the user supplied password, encrypt, then
compare the two encrypted strings. If they match, the recently supplied
password matches the original. AFAIK, that is the only way to verify
passwords encrypted with a one-way algorithm.

Giff

-Original Message-
From: chris smith [mailto:[EMAIL PROTECTED]
Sent: Monday, April 17, 2006 4:36 PM
To: Sean Mumford
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] MD5, MySQL, and salts

On 4/18/06, Sean Mumford <[EMAIL PROTECTED]> wrote:


Hi Guys,
I'm working on securing user passwords in a MySQL 4 database with a
PHP5 frontend. I remember being told in one of my classes (I'm
currently a college junior) that the best way would be to hash a salt
and the password together and then store the hash in the database
instead of the plain MD5 hash. My question is, what is a good method
for the server and the database to agree on a salt value to use? I
know I could use a predefined variable, but I was wondering if
something dynamic might be better (timestamp, current date, something
like that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have to
compare?

There was an article either on phpsec.org or shiflett.org which talks about
this.. can't find the link right now :(

--

Postgresql & php tutorials
http://www.designmagick.com/




Re: [PHP-DB] MD5, MySQL, and salts

2006-04-17 Thread Brad Bonkoski
This begs the question of what would this method buy you over MD5? 
Some people have "issue" with like passwords looking the same with MD5 
encryption, also a one way hash.
But if you know the salt, then like passwords would also look the same, 
right?

-B

Giff Hammar wrote:


For an example, look at how UNIX/Linux stores regular login passwords. In
short, the salt is the first two characters in the password. When comparing
passwords, you take the salt and the user supplied password, encrypt, then
compare the two encrypted strings. If they match, the recently supplied
password matches the original. AFAIK, that is the only way to verify
passwords encrypted with a one-way algorithm.

Giff

-Original Message-
From: chris smith [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 17, 2006 4:36 PM

To: Sean Mumford
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] MD5, MySQL, and salts

On 4/18/06, Sean Mumford <[EMAIL PROTECTED]> wrote:
 


Hi Guys,
I'm working on securing user passwords in a MySQL 4 database with a 
PHP5 frontend. I remember being told in one of my classes (I'm 
currently a college junior) that the best way would be to hash a salt 
and the password together and then store the hash in the database 
instead of the plain MD5 hash. My question is, what is a good method 
for the server and the database to agree on a salt value to use? I 
know I could use a predefined variable, but I was wondering if
something dynamic might be better (timestamp, current date, something like
that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have to
compare?

There was an article either on phpsec.org or shiflett.org which talks about
this.. can't find the link right now :(

--

Postgresql & php tutorials
http://www.designmagick.com/




RE: [PHP-DB] MD5, MySQL, and salts

2006-04-17 Thread Giff Hammar
For an example, look at how UNIX/Linux stores regular login passwords. In
short, the salt is the first two characters in the password. When comparing
passwords, you take the salt and the user supplied password, encrypt, then
compare the two encrypted strings. If they match, the recently supplied
password matches the original. AFAIK, that is the only way to verify
passwords encrypted with a one-way algorithm.

Giff

-Original Message-
From: chris smith [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 17, 2006 4:36 PM
To: Sean Mumford
Cc: php-db@lists.php.net
Subject: Re: [PHP-DB] MD5, MySQL, and salts

On 4/18/06, Sean Mumford <[EMAIL PROTECTED]> wrote:
> Hi Guys,
> I'm working on securing user passwords in a MySQL 4 database with a 
> PHP5 frontend. I remember being told in one of my classes (I'm 
> currently a college junior) that the best way would be to hash a salt 
> and the password together and then store the hash in the database 
> instead of the plain MD5 hash. My question is, what is a good method 
> for the server and the database to agree on a salt value to use? I 
> know I could use a predefined variable, but I was wondering if
> something dynamic might be better (timestamp, current date, something like
> that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have to
compare?

There was an article either on phpsec.org or shiflett.org which talks about
this.. can't find the link right now :(

--
Postgresql & php tutorials
http://www.designmagick.com/




Re: [PHP-DB] MD5, MySQL, and salts

2006-04-17 Thread chris smith
On 4/18/06, Sean Mumford <[EMAIL PROTECTED]> wrote:
> Hi Guys,
> I'm working on securing user passwords in a MySQL 4 database with a PHP5
> frontend. I remember being told in one of my classes (I'm currently a
> college junior) that the best way would be to hash a salt and the password
> together and then store the hash in the database instead of the plain MD5
> hash. My question is, what is a good method for the server and the database
> to agree on a salt value to use? I know I could use a predefined variable,
> but I was wondering if something dynamic might be better (timestamp, current
> date, something like that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have
to compare?

There was an article either on phpsec.org or shiflett.org which talks
about this.. can't find the link right now :(

--
Postgresql & php tutorials
http://www.designmagick.com/
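
The salt handling that the messages from Giff Hammar and chris smith describe, as an added example that is not part of any post in the thread: the per-user salt is kept inside the same stored string as the hash, so the server and the database have nothing to agree on, and two users with the same password get different stored values. It uses PHP's password_hash() with bcrypt in place of the MD5 the thread discusses; the $users array (a stand-in for a MySQL table), the function names and the sample accounts are assumptions.

```php
<?php
// Added example, not code from the thread. $users stands in for a MySQL table
// (username, pw_hash); the function names and sample accounts are hypothetical.

// Store: password_hash() draws a fresh random salt on every call and returns
// one string that carries algorithm, cost, salt and hash together.
function register_user(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Show where the salt sits in a 60-character bcrypt string:
// "$2y$10$" + 22-character salt + 31-character hash.
function split_bcrypt(string $stored): array
{
    return [
        'prefix' => substr($stored, 0, 7),
        'salt'   => substr($stored, 7, 22),
        'hash'   => substr($stored, 29),
    ];
}

// Verify as the thread describes: read the salt back from the stored value,
// hash the supplied password with it, then compare the two strings.
function check_login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;                            // unknown user
    }
    $stored = $users[$name];
    $recomputed = crypt($password, $stored);     // salt and cost come from $stored
    return hash_equals($stored, $recomputed);    // constant-time comparison
}

$users = [];
register_user($users, 'alice', 'correct horse');   // constructed sample data
register_user($users, 'bob', 'correct horse');     // same password as alice

echo "alice: {$users['alice']}\nbob:   {$users['bob']}\n";
echo 'salts equal: ';
var_dump(split_bcrypt($users['alice'])['salt'] === split_bcrypt($users['bob'])['salt']);
echo 'right password accepted: ';
var_dump(check_login($users, 'alice', 'correct horse'));
echo 'wrong password accepted: ';
var_dump(check_login($users, 'alice', 'wrong guess'));
echo 'password_verify() agrees: ';
var_dump(password_verify('correct horse', $users['bob']));
```

A bcrypt string is 60 characters, so the pw_hash column has to be at least that wide; password_verify() is the built-in form of check_login().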




[PHP-DB] Re: QMAIL PHP and Email sending problems?

2006-04-17 Thread Manuel Lemos
Hello,

on 04/17/2006 04:18 PM mdpeters said the following:
> I have a Solaris 10 apache system with a fully functional netqmail-1.05
> installation. The system is configured to forward all email messages to
> the internal mail hub for processing regardless of whether it is
> internal or external mail.
> 
> The problem is with my PHP applications. When they email an internal
> user, no problems. When it is an external user, the system attempts to
> deliver mail directly to the address which is not permitted through the
> firewall by this web server.
> 
> PHP = php-5.1.2
> Apache = httpd-2.0.55
> 
> I have tried these in the php.ini:
> 
> ;sendmail_path
> sendmail_path = /var/qmail/bin/qmail-inject
> sendmail_path = /var/qmail/bin/sendmail
> sendmail_path = /var/qmail/bin/sendmail -t
> sendmail_path = /var/qmail/bin/sendmail -t -i
> 
> No changes. I'm pulling my hair over this one. Any help would be
> appreciated!

This is not a PHP problem. You need to configure the qmail control
smtproutes setting.

-- 

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/




[PHP-DB] QMAIL PHP and Email sending problems?

2006-04-17 Thread mdpeters
I have a Solaris 10 apache system with a fully functional netqmail-1.05 
installation. The system is configured to forward all email messages to 
the internal mail hub for processing regardless of whether it is 
internal or external mail.


The problem is with my PHP applications. When they email an internal 
user, no problems. When it is an external user, the system attempts to 
deliver mail directly to the address which is not permitted through the 
firewall by this web server.


PHP = php-5.1.2
Apache = httpd-2.0.55

I have tried these in the php.ini:

;sendmail_path
sendmail_path = /var/qmail/bin/qmail-inject
sendmail_path = /var/qmail/bin/sendmail
sendmail_path = /var/qmail/bin/sendmail -t
sendmail_path = /var/qmail/bin/sendmail -t -i

No changes. I'm pulling my hair over this one. Any help would be 
appreciated!


--
Best regards,

Michael D. Peters
Director of Security Services
CISSP
Lazarus Alliance Inc.
M: 502-767-3448
O: 502-231-8017 x8
H: 502-231-6923
F: 502-231-5347

[EMAIL PROTECTED]
www.lazarusalliance.com

Verify here: http://wwwkeys.us.pgp.net




[PHP-DB] MD5, MySQL, and salts

2006-04-17 Thread Sean Mumford
Hi Guys,
I'm working on securing user passwords in a MySQL 4 database with a PHP5
frontend. I remember being told in one of my classes (I'm currently a
college junior) that the best way would be to hash a salt and the password
together and then store the hash in the database instead of the plain MD5
hash. My question is, what is a good method for the server and the database
to agree on a salt value to use? I know I could use a predefined variable,
but I was wondering if something dynamic might be better (timestamp, current
date, something like that). Any ideas? Thanks in advance!
-Sean


RE: [PHP-DB] can you use php to connect to both FileMaker and MySQL simultaneously

2006-04-17 Thread Michael Scappa
I've never done it, but assuming there is a connector for FileMaker, there
is no reason you shouldn't be able to.

-Original Message-
From: Tami Williams [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 17, 2006 3:14 PM
To: php-db@lists.php.net
Subject: [PHP-DB] can you use php to connect to both FileMaker and MySQL
simultaneously 

Thanks in advance for any help.

Can you use php to connect to both FileMaker and MySQL  
simultaneously?  Has anyone ever done it?




[PHP-DB] can you use php to connect to both FileMaker and MySQL simultaneously

2006-04-17 Thread Tami Williams

Thanks in advance for any help.

Can you use php to connect to both FileMaker and MySQL  
simultaneously?  Has anyone ever done it?

