Posted: Sat Jun 30, 2007 6:11 pm
by itsalmostreal
Could I get an example of how I should encrypt the password in my session handling section?
And I see where you're going now: you're asking what happens if POST or GET is multidimensional. While I don't plan on that, how would you recommend I deal with it?
Posted: Sat Jun 30, 2007 6:14 pm
by Benjamin
Code:
function stripslashes_deep($x)
{
return (is_array($x)) ? array_map('stripslashes_deep', $x) : stripslashes($x);
}
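The recursion above is what handles a nested `$_POST`: `array_map` re-applies the function to every sub-array until it reaches string leaves. The following is an added example, not code from Benjamin's post, showing it run over a constructed nested request array and wrapped so it only fires when magic quotes are actually on; `undo_magic_quotes` and the sample data are mine.

```php
<?php
// Added example, not code from the thread: the recursive stripslashes
// applied to nested request data, which is what a multidimensional
// $_POST or $_GET looks like once magic_quotes_gpc has added backslashes.

function stripslashes_deep($x)
{
    return is_array($x) ? array_map('stripslashes_deep', $x) : stripslashes($x);
}

// Strip only when magic quotes are actually on. Stripping unconditionally
// destroys backslashes the user typed on purpose. Magic quotes were removed
// in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, hence the guard.
function undo_magic_quotes(array $request)
{
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes_deep($request) : $request;
}

// Constructed sample standing in for $_POST with magic quotes on. Each
// "\\" in the PHP source below is a single backslash in the actual string.
$posted = array(
    'username' => "o\\'brien",                    // o\'brien
    'profile'  => array(
        'bio'   => "said \\\"hi\\\"",             // said \"hi\"
        'paths' => array("C:\\\\temp", "x\\\\y"), // C:\\temp, x\\y
    ),
    'page'     => 3,                              // non-string leaf
);

$clean = stripslashes_deep($posted);
print_r($clean);
// stripslashes() coerces the integer leaf to the string "3"; anything that
// relies on leaf types must cast after cleaning.

// The caveat: a second pass over already-clean data is lossy. "C:\temp"
// becomes "C:temp" because the lone backslash now looks like an escape,
// which is why undo_magic_quotes() checks the configuration first.
$twice = stripslashes_deep($clean);
echo $twice['profile']['paths'][0], "\n";
```

Run it once at the very start of the request on `$_GET`, `$_POST` and `$_COOKIE` and nowhere else, so the same data is never stripped twice.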
Posted: Sat Jun 30, 2007 6:29 pm
by superdezign
itsalmostreal wrote: Could I get an example of how I should encrypt the password in my session handling section?
Code:
$password = sha1($_POST['password']);
Your passwords should be encrypted in the database as well.
I suggest you use SHA256 encryption.
Posted: Sat Jun 30, 2007 9:59 pm
by feyd
make_safe() is checking a constant..
Posted: Sun Jul 01, 2007 2:10 pm
by Benjamin
I don't see anything glaringly insecure, but that doesn't mean it is 100% secure, depending on the context and code that it is used with.
@feyd, are you sure it's checking a constant? I don't see it.
Posted: Sun Jul 01, 2007 2:27 pm
by feyd
astions wrote: @feyd, are you sure it's checking a constant? I don't see it.
Yes. Look closely at the if statement.
Posted: Sun Jul 01, 2007 2:29 pm
by Benjamin
Ha good catch. Someone needs to turn their error reporting up a few notches.
Posted: Sun Jul 01, 2007 5:06 pm
by superdezign
feyd wrote: astions wrote: @feyd, are you sure it's checking a constant? I don't see it.
Yes. Look closely at the if statement.
*Gasp* I missed that. It's all GeSHi's fault for making it look okay!

Posted: Sun Jul 01, 2007 6:49 pm
by Ollie Saunders
Regarding slashes, you should remove all the slashes from your superglobals to start with, as one of the first things always executed. There are a couple of good functions for doing this in the notes for get_magic_quotes_gpc(). Alternatively you could use an .htaccess (doesn't work if PHP is running as a CGI) to turn off magic quotes from the outset and then die in your app very early if the configuration isn't as expected:
Code:
get_magic_quotes_gpc() and die('Ahhh magic quotes! Get them off me!');
From then on you know everything is free of magic quotes and you can use mysql_real_escape_string(), which is much more secure than addslashes() for preventing mysql injection vulnerabilities.
I would revise the name make_safe; it doesn't describe very accurately what it is doing. There are many ways of making data safe depending on the destination. Also this...
Code:
function make_safe($variable) {
if (get_magic_quotes_gpc) {
$variable = stripslashes($variable);
$variable = trim($variable);
$variable = htmlentities($variable, ENT_QUOTES);
} else {
$variable = trim($variable);
$variable = htmlentities($variable, ENT_QUOTES);
}
return $variable;
}
can be written as this...
Code:
function make_safe($variable) {
if (get_magic_quotes_gpc()) {
$variable = stripslashes($variable);
}
return htmlentities(trim($variable), ENT_QUOTES);
}
@superdezign, a hashed and salted password is much better than an encrypted one.
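To make the "hashed and salted" point concrete, here is an added example (not code from Ollie's post or anyone else in the thread) that stores a per-user random salt next to a SHA-256 digest and verifies it in constant time. The function names `make_salt`, `hash_password` and `verify_password`, the `salt$digest` storage format and the sample passwords are all my own choices; it assumes PHP 7.0+ for `random_bytes()` and 5.6+ for `hash_equals()`.

```php
<?php
// Added example, not code from the thread: hashing a password with a
// per-user random salt instead of the bare sha1() shown earlier.
// Assumes PHP 7.0+ (random_bytes) and PHP 5.6+ (hash_equals).

// 16 random bytes, hex-encoded. The salt is stored in the clear; its job is
// to make one precomputed table useless against the whole user table.
function make_salt()
{
    return bin2hex(random_bytes(16));
}

// Returns "salt$digest" so the salt travels with the digest it belongs to.
// Passing $salt explicitly is only for re-hashing with a known salt.
function hash_password($password, $salt = null)
{
    if ($salt === null) {
        $salt = make_salt();
    }
    return $salt . '$' . hash('sha256', $salt . $password);
}

// Recompute with the stored salt and compare in constant time, so a mismatch
// does not leak how many leading bytes were right.
function verify_password($password, $stored)
{
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2) {
        return false; // malformed record, never treat as a match
    }
    list($salt, $digest) = $parts;
    return hash_equals($digest, hash('sha256', $salt . $password));
}

// Two users with the same password get different stored values, so a
// leaked table does not reveal who shares a password. Constructed sample.
$alice = hash_password('correct horse');
$bob   = hash_password('correct horse');
echo "alice: $alice\n";
echo "bob:   $bob\n";
echo "distinct digests: ", ($alice !== $bob) ? 'yes' : 'no', "\n";
echo "right password verifies: ", verify_password('correct horse', $alice) ? 'yes' : 'no', "\n";
echo "wrong password verifies:  ", verify_password('wrong horse', $alice) ? 'yes' : 'no', "\n";
```

SHA-256 is kept here because it is what the thread discusses. On PHP 5.5 and later, `password_hash()` and `password_verify()` do the salting for you and use bcrypt, which is deliberately slow and therefore far more resistant to offline guessing than a single SHA-256 round; prefer them for a real login system.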
Posted: Sun Jul 01, 2007 7:03 pm
by superdezign
ole wrote: @superdezign, a hashed and salted password is much better than an encrypted one.
That is sooo something I want a resource on that isn't as long as one of Mordred's threads. This isn't the place to ask, but I've gotta know! ^_^
Posted: Sun Jul 01, 2007 8:23 pm
by feyd
superdezign wrote:That is sooo something I want a resource on that isn't as long as one of Mordred's threads. This isn't the place to ask, but I've gotta know! ^_^
viewtopic.php?t=39096&highlight=sha256+sha1+md5+salt may be of interest.