
Posted: Sat Jun 30, 2007 6:11 pm
by itsalmostreal
Could I get an example of how I should encrypt the password in my session handling section?

And I see where you're going now: you're asking what happens if POST or GET is multidimensional. While I don't plan on that, how would you recommend I deal with it?

Posted: Sat Jun 30, 2007 6:14 pm
by Benjamin

Code:

// Recursively strips slashes, so nested (multidimensional) POST/GET arrays are handled too.
function stripslashes_deep($x)
{
    return (is_array($x)) ? array_map('stripslashes_deep', $x) : stripslashes($x);
}

Posted: Sat Jun 30, 2007 6:29 pm
by superdezign
itsalmostreal wrote: Could I get an example of how I should encrypt the password in my session handling section?

Code:

$password = sha1($_POST['password']);
Your passwords should be encrypted in the database as well.

I suggest you use SHA256 encryption.

Posted: Sat Jun 30, 2007 9:59 pm
by feyd
make_safe() is checking a constant.

Posted: Sun Jul 01, 2007 2:10 pm
by Benjamin
I don't see anything glaringly insecure, but that doesn't mean it is 100% secure, depending on the context and code that it is used with.

@feyd, are you sure it's checking a constant? I don't see it.

Posted: Sun Jul 01, 2007 2:27 pm
by feyd
astions wrote: @feyd, are you sure it's checking a constant? I don't see it.
Yes. Look closely at the if statement.

Posted: Sun Jul 01, 2007 2:29 pm
by Benjamin
Ha good catch. Someone needs to turn their error reporting up a few notches.

Posted: Sun Jul 01, 2007 5:06 pm
by superdezign
feyd wrote:
astions wrote: @feyd, are you sure it's checking a constant? I don't see it.
Yes. Look closely at the if statement.
*Gasp* I missed that. It's all GeSHi's fault for making it look okay! :P

Posted: Sun Jul 01, 2007 6:49 pm
by Ollie Saunders
Regarding slashes, you should remove all the slashes from your superglobals to start with, as one of the first things always executed. There are a couple of good functions for doing this in the notes for get_magic_quotes_gpc(). Alternatively, you could use an .htaccess (doesn't work if PHP is running as a CGI) to turn off magic quotes from the outset:

Code:

php_flag magic_quotes_gpc off
and then die in your app very early if the configuration isn't as expected:

Code:

get_magic_quotes_gpc() and die('Ahhh magic quotes! Get them off me!');
From then on you know everything is free of magic quotes, and you can use mysql_real_escape_string(), which is much more secure than addslashes() for preventing MySQL injection vulnerabilities.

I would revise the name make_safe; it doesn't describe very accurately what it is doing. There are many ways of making data safe depending on the destination. Also, this...

Code:

function make_safe($variable) {
        if (get_magic_quotes_gpc) {
                $variable = stripslashes($variable);
                $variable = trim($variable);
                $variable = htmlentities($variable, ENT_QUOTES);
        } else {
                $variable = trim($variable);
                $variable = htmlentities($variable, ENT_QUOTES);
        }
        return $variable;
}
can be written as this...

Code:

function make_safe($variable) {
        if (get_magic_quotes_gpc()) {
                $variable = stripslashes($variable);
        }
        return htmlentities(trim($variable), ENT_QUOTES);
}
@superdezign, a hashed and salted password is much better than an encrypted one.
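As an added example (not code from the thread), the following script shows what the missing parentheses in make_safe() actually do to input, and a corrected version that also handles the nested POST/GET arrays asked about earlier. It assumes PHP 5.4 to 7.x, since get_magic_quotes_gpc() no longer exists in PHP 8 and the bare name there is a fatal Error; the sample input is constructed.

```php
<?php
// Added example, not from the thread. Assumes PHP 5.4-7.x (get_magic_quotes_gpc() is removed in PHP 8).
// feyd's point: with notices enabled, PHP reports
// "Use of undefined constant get_magic_quotes_gpc - assumed 'get_magic_quotes_gpc'".
error_reporting(E_ALL);
ini_set('display_errors', '1');

// The guard as posted. The bare name is an undefined constant, which PHP turns into the string
// 'get_magic_quotes_gpc'. A non-empty string is truthy, so stripslashes() runs unconditionally,
// even when magic quotes are off, and destroys legitimate backslashes in user input.
function make_safe_buggy($variable) {
    if (get_magic_quotes_gpc) {
        $variable = stripslashes($variable);
    }
    return htmlentities(trim($variable), ENT_QUOTES);
}

// Corrected guard: a real function call, applied recursively so nested arrays are handled too.
// Note: htmlentities() prepares data for HTML output only; SQL needs its own escaping.
function make_safe_fixed($value) {
    if (is_array($value)) {
        return array_map('make_safe_fixed', $value);
    }
    if (get_magic_quotes_gpc()) {          // true only when magic quotes really are on
        $value = stripslashes($value);
    }
    return htmlentities(trim($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a Windows path plus a nested array, magic quotes assumed off.
// Single-quoted PHP strings keep \t and \n as literal backslash sequences.
$input = array(
    'path' => 'C:\temp\new',
    'tags' => array(' <b>x</b> ', "it's"),
);

var_dump(make_safe_buggy($input['path']));   // "C:tempnew": the backslashes are gone
var_dump(make_safe_fixed($input));           // path intact, tags entity-encoded, quote becomes &#039;
```

Running this with error reporting at E_ALL makes the undefined-constant notice visible on the first call, which is exactly the kind of check that would have caught the bug before the code was posted.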

Posted: Sun Jul 01, 2007 7:03 pm
by superdezign
ole wrote: @superdezign, a hashed and salted password is much better than an encrypted one.
That is sooo something I want a resource on that isn't as long as one of Mordred's threads. This isn't the place to ask, but I've gotta know! ^_^

Posted: Sun Jul 01, 2007 8:23 pm
by feyd
superdezign wrote:That is sooo something I want a resource on that isn't as long as one of Mordred's threads. This isn't the place to ask, but I've gotta know! ^_^
viewtopic.php?t=39096&highlight=sha256+sha1+md5+salt may be of interest.