Thread: php security
06-03-2005, 10:31 PM
#8
Koobi
Good tips there, especially about the password length

md5 has been cracked now with some tools apparently, so has sha1. In any case, sha1 is a better choice than md5.
Since md5 and sha1 are one way hashes, this is probably done with brute force.
I guess it's time for some other form of encryption..like blowfish or something like that..but if you're lazy like me :P, you can just use a combination of sha1() and md5() with a secret salt just to make it harder to crack, but not impossible.
Another thing you could do is use SQL's SET PASSWORD syntax.

And the deal with SQL injection is more about quotes and the equal sign.
Here are some links I found on Google:
http://www.unixwiz.net/techtips/sql-injection.html
http://www.securiteam.com/securityre...DP0N1P76E.html

:edit:
Another thing, on MANY sites, I often see users including pages for navigation. Just make sure you use file_exists() to double-check if the file exists before actually including it...otherwise, a user with malicious intent can include a remote file (remote files can only be included depending on your php.ini settings) that echoes your system password, then you're fried heh heh
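The salted-hash idea and the SQL injection point from the post above, worked through in one added example (my code, not Koobi's). It stores a per-user salt plus a site secret, hashes with sha1() as the post suggests, and runs the login query through PDO placeholders so a quote or "=" in the username is treated as data rather than SQL. The `users` table, the `SITE_SALT` value and the in-memory SQLite database are assumptions made so the file runs on its own; on PHP 5.5 or later, password_hash()/password_verify() do the salting with a slow algorithm (bcrypt) and are the better choice.

```php
<?php
// Added example (not from the original post): salted password storage and a
// login check that uses prepared statements.
// Assumptions: a table users(username, salt, pass_hash) and a PDO handle;
// here both are created in-memory (SQLite) so the script is self-contained.

// Secret salt; in real use keep it in a config file outside the web root.
define('SITE_SALT', 'replace-with-a-long-random-secret');

// Per-user random salt so two users with the same password get different hashes.
function new_user_salt(): string {
    return bin2hex(random_bytes(16));   // PHP 7+, 32 hex chars
}

// Hash in the spirit of the post: sha1 over per-user salt + site secret + password.
function make_password_hash(string $password, string $user_salt): string {
    return sha1($user_salt . SITE_SALT . $password);
}

function register_user(PDO $db, string $username, string $password): void {
    $salt = new_user_salt();
    $hash = make_password_hash($password, $salt);
    // Placeholders: the driver sends the values separately from the SQL text,
    // so the classic ' OR '1'='1 input cannot change the statement.
    $stmt = $db->prepare('INSERT INTO users (username, salt, pass_hash) VALUES (:u, :s, :h)');
    $stmt->execute([':u' => $username, ':s' => $salt, ':h' => $hash]);
}

function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT salt, pass_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                   // unknown user
    }
    $expected = make_password_hash($password, $row['salt']);
    // hash_equals() compares in constant time, so timing does not leak the hash.
    return hash_equals($row['pass_hash'], $expected);
}

// Self-contained demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pass_hash TEXT)');

register_user($db, 'alice', 'correct horse battery staple');

var_dump(check_login($db, 'alice', 'correct horse battery staple'));   // bool(true)
var_dump(check_login($db, 'alice', 'wrong password'));                 // bool(false)
// The injection attempt is just a username that does not exist:
var_dump(check_login($db, "alice' OR '1'='1", 'anything'));            // bool(false)
```

The per-user salt is stored next to the hash; only `SITE_SALT` is secret. Because sha1 is fast, an attacker who obtains the table and the secret can still try candidate passwords quickly, which is why a deliberately slow algorithm such as bcrypt (via password_hash()) is preferable where available.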
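For the navigation-include point, an added example (mine, not from the post) that maps the `?page=` parameter onto a fixed allowlist of files. file_exists() confirms that a path exists, but on its own it still lets the request name any local file the web server can read; the allowlist means the request can only pick among pages you chose. The `pages/` directory and its file names are assumptions for the example. Remote inclusion is additionally controlled by the php.ini settings allow_url_fopen and (PHP 5.2+) allow_url_include, which should both be Off unless you have a specific need.

```php
<?php
// Added example (not from the original post): allowlisted page include.
// Assumes the site keeps its sub-pages under pages/ relative to this file.
$pages = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Read the request value and fall back to a safe default.
$requested = $_GET['page'] ?? 'home';

// Only keys of the allowlist are accepted; the request value itself is never
// used to build a path, so "../", "http://..." or "/etc/passwd" never reach include.
if (!array_key_exists($requested, $pages)) {
    $requested = 'home';
}

// Anchor the path at this script's directory, then double-check the file exists.
$path = __DIR__ . '/' . $pages[$requested];
if (!is_file($path)) {
    http_response_code(404);
    exit('Page not found');
}

include $path;
```

If the list of pages grows, it can be generated from a directory listing at deploy time, but it should never be derived from the incoming request.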