making a web app - is my core file secure?
itsalmostreal
- Forum Newbie
- Posts: 8
- Joined: Sat Jun 30, 2007 3:50 pm
Code: Select all
function stripslashes_deep($x)
{
    // Recurse into arrays; strip magic-quotes backslashes from scalar values
    return (is_array($x)) ? array_map('stripslashes_deep', $x) : stripslashes($x);
}
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
itsalmostreal wrote: Could I get an example of how I should encrypt the password in my session handling section?
Code: Select all
$password = sha1($_POST['password']);
I suggest you use SHA256 encryption.
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
Regarding slashes, you should remove all the slashes from your superglobals to start with, one of the first things always executed. There are a couple of good functions for doing this in the notes for get_magic_quotes_gpc(). Alternatively you could use an .htaccess (doesn't work if PHP is running as a CGI) to turn off magic quotes from the outset
Code: Select all
php_flag magic_quotes_gpc off
and then die in your app very early if the configuration isn't as expected.
Code: Select all
get_magic_quotes_gpc() and die('Ahhh magic quotes! Get them off me!');
From then on you know everything is free of magic quotes and you can use mysql_real_escape_string(), which is much more secure than addslashes() for preventing mysql injection vulnerabilities.
I would revise the name make_safe; it doesn't describe very accurately what it is doing. There are many ways of making data safe depending on the destination. Also this...
Code: Select all
function make_safe($variable) {
    if (get_magic_quotes_gpc) { // missing (): this reads a bare constant, not the function's result
        $variable = stripslashes($variable);
        $variable = trim($variable);
        $variable = htmlentities($variable, ENT_QUOTES);
    } else {
        $variable = trim($variable);
        $variable = htmlentities($variable, ENT_QUOTES);
    }
    return $variable;
}
...can be written as this...
Code: Select all
function make_safe($variable) {
    if (get_magic_quotes_gpc()) {
        $variable = stripslashes($variable);
    }
    return htmlentities(trim($variable), ENT_QUOTES);
}
@superdezign, a hashed and salted password is much better than an encrypted one.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
superdezign wrote: That is sooo something I want a resource on that isn't as long as one of Mordred's threads. This isn't the place to ask, but I've gotta know! ^_^
viewtopic.php?t=39096&highlight=sha256+sha1+md5+salt may be of interest.
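Pulling Ollie Saunders' three points together (strip magic quotes once and early, escape per destination instead of one make_safe, and salt-and-hash rather than encrypt) as a single bootstrap file. This is an added example, not code posted in the thread; escape_for_mysql keeps the thread's mysql_* call, which only exists before PHP 7, while the hashing helpers assume PHP 7+ for random_bytes() and hash_equals(). The function names and the $row['salt'] / $row['hash'] columns are this example's own choices.

```php
<?php
// Added example, not code from the thread: a bootstrap file applying the
// advice above. Include it first on every page.

// 1. Undo magic quotes once, recursively, on every superglobal, so the rest
//    of the app can rely on mysql_real_escape_string() for SQL escaping.
function stripslashes_deep($x)
{
    return is_array($x) ? array_map('stripslashes_deep', $x) : stripslashes($x);
}

// get_magic_quotes_gpc() is gone in PHP 8; the guard keeps the file loadable.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}

// 2. One escaping function per destination, named for that destination
//    (rather than a single "make_safe"). HTML escaping happens at output time.
function escape_for_mysql($value, $link)
{
    return mysql_real_escape_string($value, $link); // mysql_* as in the thread
}

function escape_for_html($value)
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// 3. Salted hash, not encryption: a random per-user salt means equal passwords
//    give different hashes and precomputed tables are useless.
function make_salt($bytes = 16)
{
    return bin2hex(random_bytes($bytes)); // store the 32 hex chars beside the hash
}

function hash_password($password, $salt)
{
    return hash('sha256', $salt . $password);
}

function password_matches($password, $salt, $stored_hash)
{
    // constant-time compare so timing does not reveal matching prefixes
    return hash_equals($stored_hash, hash_password($password, $salt));
}
// Registration: $salt = make_salt(); store it with hash_password($pw, $salt).
// Login: password_matches($pw, $row['salt'], $row['hash']). On PHP 5.5+,
// password_hash()/password_verify() do salting plus a slow hash for you.
```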