Re: [PHP-DB] Re: Beginners Problem

2008-01-22 Thread Rene Brehmer

Andy,

Thanks for your comment. What I posted is only part of my code though, 
as the entire thing is a bit long, and with all the includes rather hard 
to follow unless I posted the whole file set. Above the piece I posted I 
have code to do slashing, and some MD5 hashing, as well as enforcing string 
lengths. So the $password I use in the query is actually MD5 hashed 
already. I know I need to improve the security though, as my current 
code does not counter every possible attack, so your input is much 
appreciated.



[EMAIL PROTECTED] wrote:

Could I recommend a more secure approach:
1) using two hashes to protect the data (in case the database is
compromised they are both one-way hashes, and using two protects
against collision attacks whereby a different password string
generates the same hash as the original password)
2) escaping user input to protect against SQL injection attacks (nasty
queries can get more data from the database than your original query
intended, or change the query's intended functionality).

Instead of:
  $chkuserquery = "SELECT userID
  FROM $TB_USERS
  WHERE `loginID`='$loginID' AND `password`='$password'
  LIMIT 1";
  $chkuser = $db->query($chkuserquery);


This example utilises the mdb2 database layer:

$user_credentials = array(   //these are the credentials the user supplied
    'user_name' => $username,   //escaped by $db->quote() below; addslashes() as well would double-escape
    'user_password_md5' => md5($password),   //generate hash, no injection is possible
    'user_password_sha1' => sha1($password)  //due to 'scrambling' of string
);

$query_values = '';   //initialise before appending
foreach ($user_credentials as $k => $v) {   //build string
    $query_values .= $k . '=' . $db->quote(trim($v)) . ' AND ';
}

$query_values = '(' . substr($query_values, 0, -5) . ')';   //format string and remove trailing AND

$sql = "SELECT COUNT(user_id) AS user_count FROM user WHERE $query_values";

$result = $db->query($sql);

//this if not only fetches a row from the database query, it then checks
//whether the user_count field contains one or more results. if so, login is correct
if (($row = $result->fetchRow(MDB2_FETCHMODE_ASSOC)) && $row['user_count']) {
    $valid_login = true;
    //session -> database etc
}

for this example, using 'root' and 'password', $query_values is:

(user_name='root' AND
user_password_md5='5f4dcc3b5aa765d61d8327deb882cf99' AND
user_password_sha1='5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8')

This code is identical in functionality to the previous example,
except the query has no LIMIT - this is not required as it prevents
the possibility of coding error handling for multiple accounts
(perhaps unnecessary, excepting very secure applications).


Andy

  


--
Rene Brehmer
aka Metalbunny

We have nothing to fear from free speech and free information on the 
Internet but pop-up advertising!


http://metalbunny.net/
References, tools, and other useful stuff...

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP-DB] Insecure Hashes (was Re: Beginners Problem)

2008-01-22 Thread sublimino
Whilst reviewing my penetration testing I have noticed that both the
md5 and sha1 hashing algorithms are now considered less secure than
previously thought. Migration to sha256 is encouraged:

http://www.owasp.org/index.php/Cryptography#Algorithm_Selection

Then I found the comment below from:

http://uk3.php.net/manual/en/function.md5.php

http://md5.rednoize.com offers a service to reverse engineer md5
hashes. Very useful if you got a md5 hash and need the plain text
string of this md5 hash. The website has currently over 47 million
hashes stored. It also has support for SHA-1 hashes.

Consequently I shall be updating my authentication class.


Andy
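
An added example, not part of the original posts or any poster's code: one way to combine the two points raised in this thread, keeping user input out of the SQL text and moving an existing table of unsalted MD5 digests to salted hashes as users log in. It uses PDO placeholders and PHP's password_hash() (PHP 5.5+) rather than MDB2 and bare sha256; the in-memory SQLite table, its column names and the sample accounts are assumptions constructed for the demonstration.

```php
<?php
// Added example: table and column names are assumptions, all data is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, user_password TEXT)');

// Constructed sample rows: one legacy unsalted MD5 row, one already migrated.
$seed = $db->prepare('INSERT INTO user (user_name, user_password) VALUES (?, ?)');
$seed->execute(['root', md5('password')]);
$seed->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function check_login(PDO $db, string $name, string $password): bool
{
    // Placeholder binding keeps $name out of the SQL text entirely.
    $stmt = $db->prepare('SELECT user_id, user_password FROM user WHERE user_name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['user_password'];

    // Legacy row: 32 hex characters of unsalted MD5. Compare in constant time.
    $legacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);

    // On success, replace legacy or outdated hashes with a salted, slow one.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $upd = $db->prepare('UPDATE user SET user_password = ? WHERE user_id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['user_id']]);
    }
    return $ok;
}

var_dump(check_login($db, 'root', 'password'));        // legacy row, upgraded on login
var_dump(check_login($db, "root' OR '1'='1", 'x'));    // whole string is treated as a name
var_dump(check_login($db, 'alice', 'correct horse'));  // already a password_hash() row
$hash = $db->query("SELECT user_password FROM user WHERE user_name = 'root'")->fetchColumn();
var_dump(password_get_info($hash)['algoName']);        // stored value is no longer a bare MD5 digest
```

Rows whose owners never log in again keep their MD5 digest, so a migration like this is normally paired with a forced reset for accounts that are still on the legacy format after a cut-off date.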




Re: [PHP-DB] Insecure Hashes (was Re: Beginners Problem)

2008-01-22 Thread Cristian Vrabie
It's true md5 is very old but it is not completely obsolete. Used in 
combination with a random salt, it is still hard to decode.
Maybe I won't use it as encryption for passwords any more, but I would 
use it for digital signatures or data integrity checks.


[EMAIL PROTECTED] wrote:

Whilst reviewing my penetration testing I have noticed that both the
md5 and sha1 hashing algorithms are now considered less secure than
previously thought. Migration to sha256 is encouraged:

http://www.owasp.org/index.php/Cryptography#Algorithm_Selection

Then I found the comment below from:

http://uk3.php.net/manual/en/function.md5.php

http://md5.rednoize.com offers a service to reverse engineer md5
hashes. Very useful if you got a md5 hash and need the plain text
string of this md5 hash. The website has currently over 47 million
hashes stored. It also has support for SHA-1 hashes.

Consequently I shall be updating my authentication class.


Andy

  





Re: [PHP-DB] Insecure Hashes (was Re: Beginners Problem)

2008-01-22 Thread J. Hill
Well, if you're interested in some greater level of security where you 
can decrypt, you might want to check out Rijndael encryption (a type of 
AES). Shane Kretzmann wrote a good Rijndael PHP class that I think is 
still on phpclasses.


It can be a bit difficult working with binary passwords, but if you 
really need security, it seems like one of the better options.


I've been testing it myself, and the only issue I see is, of course: 
keeping the key secret. I've been looking at a few methods, but I'm 
always interested in others' ideas on that issue.


Regards,

J. Hill



Cristian Vrabie wrote:
It's true md5 is very old but it is not completely obsolete. Used in 
combination with a random salt, it is still hard to decode.
Maybe I won't use it as encryption for passwords any more, but I would 
use it for digital signatures or data integrity checks.


[EMAIL PROTECTED] wrote:

Whilst reviewing my penetration testing I have noticed that both the
md5 and sha1 hashing algorithms are now considered less secure than
previously thought. Migration to sha256 is encouraged:

http://www.owasp.org/index.php/Cryptography#Algorithm_Selection

Then I found the comment below from:

http://uk3.php.net/manual/en/function.md5.php

http://md5.rednoize.com offers a service to reverse engineer md5
hashes. Very useful if you got a md5 hash and need the plain text
string of this md5 hash. The website has currently over 47 million
hashes stored. It also has support for SHA-1 hashes.

Consequently I shall be updating my authentication class.


Andy

  



