
Comments for: tim20000505

Message # 1034072:
Date: 12/20/05 11:17
By: carburetor
Subject: RE: Security Problems + Solutions

I'd like to thank Mr. Hinch for supplying the information about encryption. I see many articles like this and a lot of them don't proclaim their function as an example clearly enough. Newbie designers like me have a tendency to be lazy unless there is a good reason not to be. Regardless of the fact that the author's intentions are certainly to be helpful, I would much rather put in the extra work to do things 'properly' than to be given a solution which would appear to be a half measure at best. If not for Hinch's comments I might only have plodded along blindly using plain old md5 without a care in the world.

After investigating Mr. Hinch's claims I was surprised to find out just how appropriate it is that he asked for a correction here. I have seen some pretty bad code in my short time as a designer, like people posting a key in a javascript which prints out as source. Even without this kind of foolishness, using PHP's md5 function to encrypt identical text strings in separate variable instances returns an identical hash value. How can this be so much better than using ROT13?!? It is still possible to isolate the key using a hash like this with surprising ease. After experimenting with encryption methods that use initialization vectors it is clear to me that this type of system is the only type of system worth putting the effort forward to rely upon. md5 might keep 99.9% of users at bay but all it takes is one person who knows what they are doing.

If the designer is not savvy enough to get extensions working with PHP so they can have a decent encryption method then they should probably hold off on trying to author something like an authentication script. I mention this because I have seen people posting here who are obviously not taking heed of these warnings. It goes both ways though. If you are going to provide a tutorial for someone who obviously does not know what they are doing (or they wouldn't be here in the first place) why give them something that teaches them only to be complacent?
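The point the post makes about identical inputs producing identical md5 values, set beside the per-user salted scheme it argues for, as an added example in Python (not code from the tutorial or from anyone in this thread). The user table and passwords are constructed, and PBKDF2-HMAC-SHA256 with a random salt stands in for the initialization-vector based method the poster experimented with.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample user table: three accounts, two of which chose the same password.
USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "correct horse")]


def md5_hex(password: str) -> str:
    """The scheme the post warns about: one unsalted, fast digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_digests(records):
    """Audit helper: count stored values shared by more than one user.
    With unsalted md5, users who picked the same password share a stored value,
    so the duplication is visible to anyone who can read the table."""
    counts = Counter(stored for _, stored in records)
    return sum(1 for c in counts.values() if c > 1)


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). A 16-byte random salt makes
    equal passwords produce different stored values; iterations slow down guessing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def legacy_table():
    return [(user, md5_hex(pw)) for user, pw in USERS]


def salted_table():
    return [(user, hash_password(pw)) for user, pw in USERS]


if __name__ == "__main__":
    print("shared md5 values:", duplicate_digests(legacy_table()))        # 1
    print("shared salted values:", duplicate_digests(salted_table()))     # 0
    stored = hash_password("letmein")
    print(verify_password("letmein", stored), verify_password("Letmein", stored))  # True False
```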



 
