On 4/20/08, Joó Ádám <[EMAIL PROTECTED]> wrote:
> 'An additional "static salt" does not help unless the attacker has the
> > password database but not the "static salt" which is also not very
> > likely.'
>
> I don't really know why you think that this is unlikely to happen.
> Think about an SQL injection attack, which reveals the users table,
> but leaves the PHP code / INI config / etc. untouched.

True. But the static salt still isn't worth it IMO.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
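The scenario debated above, as an added example that is not code from either poster: a users-table row hashed with a per-user salt plus a static salt held only in PHP config, checked once with the config available and once with only the table known. The function names, the PBKDF2/HMAC construction, the iteration count, the static salt value and the sample row are all assumptions made for illustration.

```php
<?php
// Added illustration: names, the static salt value and the row are constructed.

// Static salt: lives in PHP code / INI config, never in the database.
const STATIC_SALT = 'constructed-static-salt-kept-in-config';

function hash_password(string $password, string $salt, ?string $staticSalt): string
{
    // Mix in the static salt with HMAC, then run the slow per-user-salted KDF.
    $input = $staticSalt === null
        ? $password
        : hash_hmac('sha256', $password, $staticSalt, true);
    return hash_pbkdf2('sha256', $input, $salt, 100000, 64);
}

function verify_password(string $password, array $row, ?string $staticSalt): bool
{
    $salt = hex2bin($row['salt']);
    // Constant-time comparison of the stored and recomputed hashes.
    return hash_equals($row['hash'], hash_password($password, $salt, $staticSalt));
}

// Constructed users-table row: per-user salt and hash both sit in the database.
$salt = random_bytes(16);
$row = [
    'user' => 'alice',
    'salt' => bin2hex($salt),
    'hash' => hash_password('letmein', $salt, STATIC_SALT),
];

// Case 1: the application itself, which can read the config value.
var_dump(verify_password('letmein', $row, STATIC_SALT));

// Case 2: only the users table is known (the SQL injection case from the
// thread). Without the static salt, even the correct password does not match.
var_dump(verify_password('letmein', $row, null));
var_dump(verify_password('letmein', $row, 'wrong-static-salt'));

// Case 3: code/config is known as well. The static salt no longer adds
// anything, and protection rests on the per-user salt and the KDF cost alone.
$knownStaticSalt = STATIC_SALT;
var_dump(verify_password('letmein', $row, $knownStaticSalt));
```

Cases 2 and 3 correspond to the two positions in the thread: the static salt only matters when the table is exposed and the code or config is not.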
