[help]Salted md5, what's that?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

phpwalker
Forum Commoner
Posts: 81
Joined: Sun Apr 23, 2006 12:18 pm

[help]Salted md5, what's that?

Post by phpwalker »

I always see this in books and somewhere in the threads


<?php

// A fixed, application-wide salt concatenated with the password before hashing.
// Hashing twice (md5 of the salted md5) is the book's construction, kept as-is.
$salt = 'SHIFLETT';
$password_hash = md5($salt . md5($_POST['password'] . $salt));

?>
I don't understand the "salty" thingy. What does it actually do?

Besides that, I also see this code always


<?php

$clean = array();   // filtered/validated input
$mysql = array();   // $clean, escaped for use inside a MySQL query

$clean['last_name'] = "O'Reilly";
// mysql_real_escape_string() needs an open mysql_connect() link; the mysql
// extension was removed in PHP 7, where mysqli_real_escape_string() or PDO
// takes its place.
$mysql['last_name'] = mysql_real_escape_string($clean['last_name']);

$sql = "INSERT
        INTO   user (last_name)
        VALUES ('{$mysql['last_name']}')";

?>
How do I use the $clean and $mysql arrays? What do they actually do?

I can't seem to find either the "salty" thingy or the $clean array in the PHP manual. Some PHP pros please tell me what these are. Thanks.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Re: [help]Salted md5, what's that?

Post by feyd »

phpwalker wrote: I don't understand the "salty" thingy. What does it actually do?
Roughly, it adds entropy, or more random data, to the message being encrypted.
http://en.wikipedia.org/wiki/Salt_%28cryptography%29
phpwalker wrote: How do I use the $clean and $mysql arrays? What do they actually do?
In the example you posted, $clean is an example array of data that needs to be cleaned, i.e. initial data. If used as-is in the query you would receive a MySQL parse error. $mysql is the data from $clean after being passed through a cleaning that makes it generically safe. The crucial piece of information to take from this is using mysql_real_escape_string() to help avoid SQL injection in MySQL related queries.
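An added example, not from the original thread or the book being quoted, showing what the salt buys you and how it is stored and checked. It keeps the thread's md5-of-salted-md5 construction but generates the salt per user instead of hard-coding one string; the function names (make_salt, salted_md5, store_record, verify_record) and the sample passwords are my own choices.

```php
<?php
// Added example (not from the original thread). Function and variable names
// are assumptions for illustration only.

// Per-user random salt: two users with the same password get different hashes,
// and a precomputed md5 lookup table is useless against the whole user store.
function make_salt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));   // random_bytes() is a CSPRNG (PHP 7+)
}

// The thread's construction, with the salt supplied per user instead of a
// fixed string such as 'SHIFLETT' baked into the source.
function salted_md5(string $password, string $salt): string {
    return md5($salt . md5($password . $salt));
}

// The salt is stored next to the hash: it is not secret, it only has to be
// unique, and without it the hash can never be recomputed at login time.
function store_record(string $password): string {
    $salt = make_salt();
    return $salt . '$' . salted_md5($password, $salt);
}

function verify_record(string $password, string $record): bool {
    [$salt, $hash] = explode('$', $record, 2);
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($hash, salted_md5($password, $salt));
}

// Demonstration with constructed data.
$a = store_record('hunter2');
$b = store_record('hunter2');
var_dump($a !== $b);                        // bool(true): same password, different records
var_dump(verify_record('hunter2', $a));     // bool(true)
var_dump(verify_record('hunter3', $a));     // bool(false)

// A single fixed salt only defeats generic precomputed tables; whoever reads
// your source can build one table for that salt and reuse it against every
// account. md5 is also fast, so a salted md5 of a weak password still falls to
// brute force quickly. The modern answer is a deliberately slow, self-salting
// hash, which PHP ships as password_hash()/password_verify():
$modern = password_hash('hunter2', PASSWORD_DEFAULT);   // bcrypt; salt embedded in the string
var_dump(password_verify('hunter2', $modern));           // bool(true)
?>
```

Run it with `php salt.php`. The record format `salt$hash` is just a convention for the demo; a real schema would keep the salt in its own column. Note that the salt protects against precomputation across many hashes, not against an attacker guessing one specific user's weak password.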
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

feyd wrote: In the example you posted, $clean is an example array of data that needs to be cleaned, i.e. initial data. If used as-is in the query you would receive a MySQL parse error. $mysql is the data from $clean after being passed through a cleaning that makes it generically safe. The crucial piece of information to take from this is using mysql_real_escape_string() to help avoid SQL injection in MySQL related queries.
$_POST contains untrusted user data which must be "cleaned", i.e. filtered and validated. For example, if a username must contain only alphanumeric characters, then any data passed as username must conform to that Rule or be discarded and never used. The $clean array typically holds filtered/validated data which passes such rules.

The $mysql array holds "cleaned" data which has been escaped via mysql_real_escape_string(), pg_escape_string() or other database-specific functions for use in any and all SQL queries. You might also come across a $html array which is identical to $mysql except that this time the cleaned data has been escaped via htmlentities() for output to a browser.
phpwalker
Forum Commoner
Posts: 81
Joined: Sun Apr 23, 2006 12:18 pm

Post by phpwalker »

To feyd
Ehm, I read that wiki, and I'm still a bit confused about what a salt is.

Lemme try, here is what I think:


<?php

// salt is anything: any number, any string that I like to put,
// or even a random string
$salt  = 'abcdefghijklmnopqrstuvwxyz';
$salt2 = '12345435565667567';
$salt3 = 'fdaf123123ef324ef';
$salt4 = rand(0, 100);   // a fresh random value on every call; rand() is not a
                         // cryptographic RNG, and this value has to be stored
                         // somewhere or the hash can never be recomputed later

$password_hash = md5($salt4 . $salt2 . md5($_POST['password'] . $salt3 . $salt));

?>
Is the above code correct? This will make it hard for crackers to search for the hashed value in an md5() database?

For


$clean = array();
Does that mean that when people input data, the data is stored in the $clean array, and that makes the input become a string instead of data containing sensitive characters such as '<', '>', "'", '"', something like that? If what I think is right, then I should always use the $clean array for filtering purposes, shouldn't I?

Thanks again for feyd's explanation!
Last edited by phpwalker on Fri Apr 28, 2006 5:56 am, edited 1 time in total.
phpwalker
Forum Commoner
Posts: 81
Joined: Sun Apr 23, 2006 12:18 pm

Post by phpwalker »

Maugrim_The_Reaper wrote: $_POST contains untrusted user data which must be "cleaned", i.e. filtered and validated. For example, if a username must contain only alphanumeric characters, then any data passed as username must conform to that Rule or be discarded and never used. The $clean array typically holds filtered/validated data which passes such rules.

The $mysql array holds "cleaned" data which has been escaped via mysql_real_escape_string(), pg_escape_string() or other database-specific functions for use in any and all SQL queries. You might also come across a $html array which is identical to $mysql except that this time the cleaned data has been escaped via htmlentities() for output to a browser.
Yes, I saw $html as well, using htmlentities! Ehm, is this a standard or just coding style? Or is everyone reading the same book that I'm reading? But I'm not as smart as you guys, and I don't understand the content all the time.

Thanks for your explanation as well, Maugrim_The_Reaper.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Example.

UserA sends the username "IAmGod". UserB sends "<script>alert('xss');</script>". The second could be any JavaScript code, maybe evil code which redirects any user viewing this (from HTML output intended to display usernames) to another site with their cookie details buried in the query string.

Obviously, you don't want this happening - it's called an XSS (Cross Site Scripting) exploit.

The solution is to filter the data - which is originally stored in the PHP superglobal $_POST array. To filter, let's use the alphanumeric-only Rule.


<?php

// user data 'username' arrives in the $_POST superglobal as $_POST['username']

$clean = array(); // initialise $clean

// Rule: the username must be set, non-empty and alphanumeric only
if (isset($_POST['username']) && !empty($_POST['username']) && ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username']; // add "cleaned" data to this array
}
else
{
    // user sent us a bad username which fails our Rule (isset, not empty, must be alphanumeric chars only)
    // it could contain anything (maybe that XSS script!)
    // redirect to index page, or give user an error - stop the script even
    // (the error message deliberately does not echo the bad value back)

    echo 'Invalid Username: Please enter a valid username.';
    exit(0);
}

?>
In case the filter fails (maybe someone on your team made an error), we additionally escape this username before it is output as HTML - this will replace any suspect characters with entities. For example, < would become &lt;, which is not an HTML special character and therefore not parsed as HTML by browsers. Net result? Even if the JavaScript gets through, it is turned into literal text, NOT parsed as HTML or JavaScript.
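The $clean / $mysql / $html pattern that Maugrim_The_Reaper describes in the two posts above, run end to end, as an added example that is not from the original thread. It uses an in-memory SQLite database through PDO so the script runs stand-alone; with MySQL the escaping call would be mysqli::real_escape_string() instead of PDO::quote(), and the prepared-statement form is the same. The two "form submissions" are constructed inline rather than read from $_POST, and the table name, column names and regex rule for last names are my own choices.

```php
<?php
// Added example, not code from the original thread. Inputs are constructed
// here instead of coming from $_POST; table/column names are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT, last_name TEXT)');

// Constructed submissions: one honest user, one carrying the thread's XSS payload.
$submissions = [
    ['username' => 'IAmGod',                         'last_name' => "O'Reilly"],
    ['username' => "<script>alert('xss');</script>", 'last_name' => 'Smith'],
];

foreach ($submissions as $input) {
    $clean = [];   // filtered/validated data only
    $mysql = [];   // $clean, escaped for the SQL context
    $html  = [];   // $clean, escaped for the HTML context

    // 1. Filter with an allow-list rule. Input that fails the rule is discarded;
    //    we never try to "repair" it, because that means guessing what else an
    //    attacker could send.
    if (isset($input['username']) && ctype_alnum($input['username'])) {
        $clean['username'] = $input['username'];
    } else {
        echo "Rejected username: ",
             htmlspecialchars($input['username'] ?? '', ENT_QUOTES, 'UTF-8'), "\n";
        continue;
    }
    // A last name may legitimately contain an apostrophe, so its rule is looser:
    // letters, space, apostrophe, hyphen, bounded length.
    if (isset($input['last_name']) && preg_match("/^[\\p{L} '-]{1,64}$/u", $input['last_name'])) {
        $clean['last_name'] = $input['last_name'];
    } else {
        echo "Rejected last name\n";
        continue;
    }

    // 2a. Filtered but not escaped: O'Reilly still breaks the quoting, and the
    //     database rejects the statement (the "parse error" feyd mentions).
    //     With a less friendly payload the same gap is SQL injection.
    try {
        $db->exec("INSERT INTO user (username, last_name) "
                . "VALUES ('{$clean['username']}', '{$clean['last_name']}')");
    } catch (PDOException $e) {
        echo "Unescaped insert failed: ", $e->getMessage(), "\n";
    }

    // 2b. The thread's approach: escape for the database right before use.
    //     PDO::quote() escapes and wraps the value in quotes in one step.
    $mysql['username']  = $db->quote($clean['username']);
    $mysql['last_name'] = $db->quote($clean['last_name']);
    $db->exec("INSERT INTO user (username, last_name) "
            . "VALUES ({$mysql['username']}, {$mysql['last_name']})");

    // 2c. Preferred: a prepared statement keeps data out of the SQL text
    //     entirely, so there is no escaping step to forget.
    $stmt = $db->prepare('INSERT INTO user (username, last_name) VALUES (?, ?)');
    $stmt->execute([$clean['username'], $clean['last_name']]);

    // 3. Escape for HTML at output time. ENT_QUOTES also converts both quote
    //    styles, so the value is safe inside an attribute as well as in text.
    $html['username'] = htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8');
    echo "<p>Welcome, {$html['username']}</p>\n";
}

echo "Rows stored: ", $db->query('SELECT COUNT(*) FROM user')->fetchColumn(), "\n";
?>
```

Running this prints the failed unescaped insert for "O'Reilly", stores the row twice (once via escaping, once via the prepared statement, so the final count is 2), and rejects the second submission at the username filter before it reaches either the database or the page. The escaping in step 3 is done even though the filter already blocked the script tag: filtering and escaping guard different boundaries, and each one is there for the day the other is missing.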
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

phpwalker wrote: Ehm, is this a standard or just coding style?
Coding style - you could use $myHTML if you want. Those of us practicing OOP might even dedicate an entire class, a Request Object, for $clean, or a Response Object for HTML. They all end up doing the exact same thing however - filtering input and escaping output itself is a standard practice unless you're not interested in learning PHP properly.

Kudos for visiting the forum - you're in the good group ;). Welcome to the club.