Re: [PHP] Password protected directory
On Tue, Nov 2, 2010 at 1:05 PM, Ben Miller biprel...@gmail.com wrote:
> I need to access and read the files in a password protected directory with a PHP script using the readdir function. I'm already making users login to a secure area, so I don't want to make them enter a password again to access the files - is there a way to include the password with the readdir/opendir function with PHP?
>
> Thanks in advance.
>
> Ben

Assign a session key to the user and just check if that session key is set before using the standard account to access the file. Then the password can be held in the config file and the user never sees it.

--
Bastien
Cat, the other other white meat

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Password protected directory
On Tue, Nov 2, 2010 at 13:05, Ben Miller biprel...@gmail.com wrote:
> I need to access and read the files in a password protected directory with a PHP script using the readdir function. I'm already making users login to a secure area, so I don't want to make them enter a password again to access the files - is there a way to include the password with the readdir/opendir function with PHP?

What operating system? How is the directory password-protected (HTTP auth, Win/SAMBA share ACLs, PHP/script control, etc.)? Is everything hosted on the same machine or virtual environment?

As you can tell, it's a bit difficult to give you an answer when the question is so vague that it may as well be nonexistent. ;-P

--
/Daniel P. Brown
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/
Re: [PHP] password field validation
On Thu, Mar 12, 2009 at 3:05 PM, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
> Hi All,
>
> I have an input field with type=password. I am trying to do some error checking to see if the user puts a value in after they submit the form (i.e. not left it blank)
>
> Here is what I have:
>
> on form:
>
> Password: <input id="PASSWORD" name="PASSWORD" type="password" size="15">
>
> In PHP error checking:
>
> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>
> even though I am putting characters in the field before I submit I am always getting TRUE returned. This same tactic works for other fields I have that I need to make sure they put values in, just I have never done this before with a password field.
>
> What am I doing wrong? I just want to make sure they put something there!
>
> -Jason

If that's a direct copy/paste from your actual code, there is an extra S in PASSWORD. Also, you should enclose the array key in quotes:

if (empty($_POST['PASSWORD'])) { $GERROR='TRUE'; }

Andrew
Re: [PHP] password field validation
On Thu, Mar 12, 2009 at 15:05, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
[snip!]
> What am I doing wrong?

Spelling. Password only has two S's.

--
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1
Re: [PHP] password field validation
Andrew Ballard wrote:
> On Thu, Mar 12, 2009 at 3:05 PM, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
>> Hi All,
>>
>> I have an input field with type=password. I am trying to do some error checking to see if the user puts a value in after they submit the form (i.e. not left it blank)
>>
>> Here is what I have:
>>
>> on form:
>>
>> Password: <input id="PASSWORD" name="PASSWORD" type="password" size="15">
>>
>> In PHP error checking:
>>
>> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>>
>> even though I am putting characters in the field before I submit I am always getting TRUE returned. This same tactic works for other fields I have that I need to make sure they put values in, just I have never done this before with a password field.
>>
>> What am I doing wrong? I just want to make sure they put something there!
>>
>> -Jason
>
> If that's a direct copy/paste from your actual code, there is an extra S in PASSWORD. Also, you should enclose the array key in quotes:
>
> if (empty($_POST['PASSWORD'])) { $GERROR='TRUE'; }
>
> Andrew

Try if trim() gives you any different result:

if (empty(trim($_POST['PASSWORD']))) { $GERROR='TRUE'; }

afan
Re: [PHP] password field validation
>> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>
> If that's a direct copy/paste from your actual code, there is an extra S in PASSWORD. Also, you should enclose the array key in quotes:
>
> if (empty($_POST['PASSWORD'])) { $GERROR='TRUE'; }

It is official, I am a DOPE!

Thank you, yes, I did not see the SSS in an hour of looking!

Why enclose in quotes? I have never done this!

-Jason
Re: [PHP] password field validation
Afan Pasalic wrote:
> Andrew Ballard wrote:
>> On Thu, Mar 12, 2009 at 3:05 PM, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
>>> Hi All,
>>>
>>> I have an input field with type=password. I am trying to do some error checking to see if the user puts a value in after they submit the form (i.e. not left it blank)
>>>
>>> Here is what I have:
>>>
>>> on form:
>>>
>>> Password: <input id="PASSWORD" name="PASSWORD" type="password" size="15">
>>>
>>> In PHP error checking:
>>>
>>> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>>>
>>> even though I am putting characters in the field before I submit I am always getting TRUE returned. This same tactic works for other fields I have that I need to make sure they put values in, just I have never done this before with a password field.
>>>
>>> What am I doing wrong? I just want to make sure they put something there!
>>>
>>> -Jason
>>
>> If that's a direct copy/paste from your actual code, there is an extra S in PASSWORD. Also, you should enclose the array key in quotes:
>>
>> if (empty($_POST['PASSWORD'])) { $GERROR='TRUE'; }
>>
>> Andrew
>
> try if trim() gives you any different result:
>
> if (empty(trim($_POST['PASSWORD']))) { $GERROR='TRUE'; }

definitely gives a different result.

$ php -r '$r = ""; var_dump(empty(trim($r)));'
PHP Fatal error: Can't use function return value in write context in Command line code on line 2

you can only pass variables to empty() *not* expressions.

> afan
Re: [PHP] password field validation
On Thu, Mar 12, 2009 at 2:39 PM, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
>>> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>>
>> If that's a direct copy/paste from your actual code, there is an extra S in PASSWORD. Also, you should enclose the array key in quotes:
>>
>> if (empty($_POST['PASSWORD'])) { $GERROR='TRUE'; }
>
> It is official I am a DOPE!
>
> Thank you, yes, I did not see the SSS in an hour of looking!
>
> Why enclose in quotes? I have never done this!

Because if it's not in quotes, you run the risk of colliding with one of PHP's reserved words/constants/etc.

--
// Todd
Re: [PHP] password field validation
Jochem Maas wrote:
> Afan Pasalic wrote:
>> Andrew Ballard wrote:
>>> On Thu, Mar 12, 2009 at 3:05 PM, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
>>>> Hi All,
>>>>
>>>> I have an input field with type=password. I am trying to do some error checking to see if the user puts a value in after they submit the form (i.e. not left it blank)
>>>>
>>>> Here is what I have:
>>>>
>>>> on form:
>>>>
>>>> Password: <input id="PASSWORD" name="PASSWORD" type="password" size="15">
>>>>
>>>> In PHP error checking:
>>>>
>>>> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>>>>
>>>> even though I am putting characters in the field before I submit I am always getting TRUE returned. This same tactic works for other fields I have that I need to make sure they put values in, just I have never done this before with a password field.
>>>>
>>>> What am I doing wrong? I just want to make sure they put something there!
>>>>
>>>> -Jason
>>>
>>> If that's a direct copy/paste from your actual code, there is an extra S in PASSWORD. Also, you should enclose the array key in quotes:
>>>
>>> if (empty($_POST['PASSWORD'])) { $GERROR='TRUE'; }
>>>
>>> Andrew
>>
>> try if trim() gives you any different result:
>>
>> if (empty(trim($_POST['PASSWORD']))) { $GERROR='TRUE'; }
>
> definitely gives a different result.
>
> $ php -r '$r = ""; var_dump(empty(trim($r)));'
> PHP Fatal error: Can't use function return value in write context in Command line code on line 2
>
> you can only pass variables to empty() *not* expressions.

:-)
yup... didn't think that way... though, I was giving an idea

$password = trim($_POST['PASSWORD']);
if (empty($password)) { $GERROR='TRUE'; }

;-)
Re: [PHP] password field validation
On Thu, Mar 12, 2009 at 3:39 PM, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
>>> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>>
>> If that's a direct copy/paste from your actual code, there is an extra S in PASSWORD. Also, you should enclose the array key in quotes:
>>
>> if (empty($_POST['PASSWORD'])) { $GERROR='TRUE'; }
>
> It is official I am a DOPE!
>
> Thank you, yes, I did not see the SSS in an hour of looking!
>
> Why enclose in quotes? I have never done this!
>
> -Jason

If you don't enclose them in quotes, PHP first looks for a constant with that name. Thus, if the constant PASSWORD was defined as 'some silly string', your code would evaluate to $_POST['some silly string'] instead of the string 'PASSWORD' that you probably intended it to use.

That, and it generates an E_NOTICE. On a production server, these are usually hidden from public view, but it is still good practice to avoid them.

Andrew
Re: [PHP] password field validation
haliphax wrote:
> On Thu, Mar 12, 2009 at 2:39 PM, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
>>>> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>>>
>>> If that's a direct copy/paste from your actual code, there is an extra S in PASSWORD. Also, you should enclose the array key in quotes:
>>>
>>> if (empty($_POST['PASSWORD'])) { $GERROR='TRUE'; }
>>
>> It is official I am a DOPE!
>>
>> Thank you, yes, I did not see the SSS in an hour of looking!
>>
>> Why enclose in quotes? I have never done this!
>
> Because if it's not in quotes, you run the risk of colliding with one of PHP's reserved words/constants/etc.

I would use

$GERROR = false;
if (empty($_POST['PASSWORD'])) { $GERROR = true;}
Re: [PHP] password field validation
Try with trim():

$pass=trim($_POST[PASSSWORD]);
if (empty($pass)) { $GERROR=TRUE; }

Regards,
Rodrigo
(09) 7 7996571

On Thu, Mar 12, 2009 at 4:05 PM, Jason Todd Slack-Moehrle mailingli...@mailnewsrss.com wrote:
> Hi All,
>
> I have an input field with type=password. I am trying to do some error checking to see if the user puts a value in after they submit the form (i.e. not left it blank)
>
> Here is what I have:
>
> on form:
>
> Password: <input id="PASSWORD" name="PASSWORD" type="password" size="15">
>
> In PHP error checking:
>
> if (empty($_POST[PASSSWORD])) { $GERROR=TRUE;}
>
> even though I am putting characters in the field before I submit I am always getting TRUE returned. This same tactic works for other fields I have that I need to make sure they put values in, just I have never done this before with a password field.
>
> What am I doing wrong? I just want to make sure they put something there!
>
> -Jason
Re: [PHP] password field validation
On Thu, Mar 12, 2009 at 16:04, Rodrigo Escares rodrigo.esca...@gmail.com wrote:
> Try with trim():
>
> $pass=trim($_POST[PASSSWORD]);
> if (empty($pass)) { $GERROR=TRUE; }

Incorrect, Rodrigo. Also, please use only English on this list --- you can find the Spanish-language user list at: http://php.net/mailinglists

Thanks!

--
/Daniel P. Brown
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
50% Off All Shared Hosting Plans at PilotPig: Use Coupon DOW1
Re: [PHP] Password Protecting a page and email notification
On Jun 17, 2008, at 5:33 PM, R.C. wrote:
> I'm going to ask you PHP gurus if someone can give me a hand in trying to get this resolved. I'm fairly new to PHP and learning as I go.
>
> I've got two pages, login.php and video.php. Video.php is supposed to be protected i.e. if someone clicks on the direct link or brings up the page in a browser, it comes back with an error message and a request to link to login.php... they type in their username/password and it opens up the video.php so they can download videos.
>
> I actually managed to accomplish that with the following code which sits at the top of video.php. I also created a form on login.php for user input. So far so good.
>
> However, we also need an email to be sent to the site owner when someone logs in plus their name. For the hell of me, I can't figure out how to combine the two elements. I tried a lot of things so far, but nothing works. It's either the page gets protected OR the email gets sent, depending on what I leave in the script. I tried using part of Jenny's script which is great for email forms but I can't combine this whole thing. Help!!
>
> /* this is the code that sits at the top of the protected page,
>    which works actually fine for the protection */
> <?php
> session_start();
> $_SESSION['username'] = $_POST['user'];
> $_SESSION['userpass'] = $_POST['pass'];
> $_SESSION['authuser'] = 0;   // was "$_Session", which PHP treats as an unrelated variable
>
> if (($_SESSION['username'] == 'logon') and ($_SESSION['userpass'] == 'password')) {
>     $_SESSION['authuser'] = 1;
> } else {
>     echo "I'm sorry, access is denied <br />";
>     echo "Please log in at <a href='login.php'>HERE</a> to enter your Username and Password";
>     exit();
> }
>
> Can this be done on one form i.e. login.php? I have 4 textfields set up: username, password, email, name (for the person sending the email...).. some if clause somewhere?
>
> Best
> R.C.

I think you're heading the right direction. I'd do something like this...

<?php
// login.php
session_start();

if (isset($_POST['confirm'])) {
    if ($_POST['user'] != 'logon' || $_POST['pass'] != 'password') {
        // wrong credentials: send the user straight back with an error code
        header("Location: login.php?code=i");
        exit;
    }
    $_SESSION['username'] = $_POST['user'];
    $_SESSION['userpass'] = $_POST['pass'];
    $_SESSION['authuser'] = true;
    header("Location: video.php");
    exit;
} else {
    unset($_SESSION['authuser']);
}
?>
<html>
<?php if (isset($_GET['code']) && $_GET['code'] == 'i') { ?>
<p>Invalid login. Please try again.</p>
<?php } ?>
<form action="login.php" method="post">
<!-- Other fields here -->
<input type="hidden" name="confirm" value="1" />
</form>
</html>

That's how you can start it. At the top of the login.php page, check to see if the form has been submitted/post'ed. If it has, check for the correct username and password. If fail, send back to the login page with an error code - don't make the user click to go back to the login. If success, THEN assign the session variables and redirect to the video page.

Just a side note. Maybe this is just an example that you sent us, but I would strongly recommend NOT using 'password' as the password. =D

If each user is going to have his/her own username/password, then I'd use a database to store that info - that can be another thread or a search of the archives. ;)

Hope that helps.

~Philip
Re: [PHP] password hashing and crypt()
On Sat, January 19, 2008 2:11 pm, Nathan Nobbe wrote:
> http://www.php.net/manual/en/function.crypt.php has a second parameter, $salt, which, if not supplied will be automatically generated and presumably become a prefix or suffix of the returned string.

Or, in some algorithms, gets buried in the middle at a known offset. Go figure.

> now, the article on the phpsec website http://phpsec.org/articles/2005/password-hashing.html recommends to externally create a salt and to store that in a separate field in the database, which would then be used for subsequent password verification.

You would not need to store it separately, as it is built-in to the crypted value anyway.

> theoretically, however, if the password is generated without a user supplied salt, there is a salt already embedded in the password anyway.

True.

> so, i have the following questions
> 1. is the phpsec technique bloated or unnecessary

A bit of bloat, but you have to have a million records for it to even start to matter, really... Disk space is cheap, and not going to be your bottleneck.

> 2. is it better to create a user supplied salt, and why or why not

Do *NOT* let PHP pick the salt for you. Here is why.

Suppose server/host A has Blowfish, Twofish, Redfish, etc, all installed. PHP will pick the best one, and choose the salt that makes sense for that algorithm.

Now suppose server/host B does NOT have that algorithm installed, and you have moved to server/host B. Suddenly, PHP is picking a different algorithm, and your database has two different kinds of passwords in it, and all kinds of problems ensue.

If YOU pick the appropriate salt length/format, PHP will know which algorithm you are using, and will error out if that algorithm is not installed, which means you can do something intelligent (like install the dang thing) rather than fill up your DB with incompatible password algorithms.

This has happened to me, and it was a royal PITA. :-)

> 3. is crypt() 'intended' to be used w/o a user provided salt, since it is a stable algorithm

I think the intent of making it optional was Good, but in Practice, it's just a Bad Idea (tm).

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] password hashing and crypt()
On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
> I always make sure that I use a site specific salt which is just appended on the user supplied value. I started doing that when I read that people had created huge databases of hashed values that they can just search on. At least this way no matter what the password isn't a dictionary word. As for if that really adds value in the end I can't say as I'm not really a security expert.
>
> Eg. hash('sha256', $input.$salt);

The Bad Guys create humongous databases of every dictionary word with every possible salt...

So what salt you use does not matter...

So I don't think you are really adding any extra security here...

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] password hashing and crypt()
Richard Lynch wrote:
> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
>> I always make sure that I use a site specific salt which is just appended on the user supplied value. I started doing that when I read that people had created huge databases of hashed values that they can just search on. At least this way no matter what the password isn't a dictionary word. As for if that really adds value in the end I can't say as I'm not really a security expert.
>>
>> Eg. hash('sha256', $input.$salt);
>
> The Bad Guys create humongous databases of every dictionary word with every possible salt...
>
> So what salt you use does not matter...

Sure it does.

I could use my server name or the application's url, the current time, whatever I like and put all of that in the salt. There's no way they'll have that in their dictionary.

As long as I store the salt I know how to compare it again later.

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP] password hashing and crypt()
On Tue, January 22, 2008 7:43 pm, Chris wrote:
> Richard Lynch wrote:
>> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
>>> I always make sure that I use a site specific salt which is just appended on the user supplied value. I started doing that when I read that people had created huge databases of hashed values that they can just search on. At least this way no matter what the password isn't a dictionary word. As for if that really adds value in the end I can't say as I'm not really a security expert.
>>>
>>> Eg. hash('sha256', $input.$salt);
>>
>> The Bad Guys create humongous databases of every dictionary word with every possible salt...
>>
>> So what salt you use does not matter...
>
> Sure it does.
>
> I could use my server name or the application's url, the current time, whatever I like and put all of that in the salt. There's no way they'll have that in their dictionary.
>
> As long as I store the salt I know how to compare it again later.

For the algorithms used by crypt(), the salt is IN the crypted value.

If the Bad Guy has the crypted value, they already have the salt.

They can maybe make a dictionary that is MUCH larger with every possible salt, and do a simple comparison.

Or they can quickly write up a crypt()-based script that extracts the salt and tries the Top 10,000 passwords for each.

Most Un*x systems come with /usr/share/dict/web2, Webster's second edition dictionary. It has only 235,882 words in it.

How many possible salts are there? DES only lets you have 2 chars, a-z, right?

235,882 X 26 X 26 is not exactly a HUGE database of possible values to have on hand.

The 1$ and 2$ salts are longer, but I suspect still not THAT much longer.

The salt only increases the difficulty by a factor of X, but doesn't make it geometrically harder to crack -- So a Bad Guy only has to have X times as much resources, for a relatively small X.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] password hashing and crypt()
Richard Lynch wrote:
> On Tue, January 22, 2008 7:43 pm, Chris wrote:
>> Richard Lynch wrote:
>>> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
>>>> I always make sure that I use a site specific salt which is just appended on the user supplied value. I started doing that when I read that people had created huge databases of hashed values that they can just search on. At least this way no matter what the password isn't a dictionary word. As for if that really adds value in the end I can't say as I'm not really a security expert.
>>>>
>>>> Eg. hash('sha256', $input.$salt);
>>>
>>> The Bad Guys create humongous databases of every dictionary word with every possible salt...
>>>
>>> So what salt you use does not matter...
>>
>> Sure it does.
>>
>> I could use my server name or the application's url, the current time, whatever I like and put all of that in the salt. There's no way they'll have that in their dictionary.
>>
>> As long as I store the salt I know how to compare it again later.
>
> For the algorithms used by crypt(), the salt is IN the crypted value.

Yeh - I pointed that out here:

http://marc.info/?l=php-generalm=120095678525654w=2

But Eric's example was using sha256, not crypt.

--
Postgresql php tutorials
http://www.designmagick.com/
Re: [PHP] password hashing and crypt()
alright, so you guys have responded and im really appreciative. you have me thinking now.. so what are the real issues here?

1. portability
2. security (obviously)

im wondering now if crypt() is really even so practical. especially considering the deal where only 2 characters are prepended as the salt. in the article i referenced, what theyve done is written a function that creates a password with a salt whereby the entire salt will be used in the resultant hash (actually a definable portion thereof):

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plainText);
}

i must admit that i didnt realize they were not using crypt() in this function. i must have glazed over it :(

after all this discussion, im now mostly looking for a reason to use crypt() rather than to implement a function such as the one above. it has the advantage of a known, consistent algorithm, that will be used to generate the hash, rather than one that could potentially change on a per system or future release basis; and the salt isnt limited to 2 characters.

-nathan
Re: [PHP] password hashing and crypt()
On Wed, 2008-01-23 at 00:40 -0500, Nathan Nobbe wrote:
> alright, so you guys have responded and im really appreciative. you have me thinking now.. so what are the real issues here?
>
> 1. portability
> 2. security (obviously)
>
> im wondering now if crypt() is really even so practical. especially considering the deal where only 2 characters are prepended as the salt. in the article i referenced, what theyve done is written a function that creates a password with a salt whereby the entire salt will be used in the resultant hash (actually a definable portion thereof):
>
> define('SALT_LENGTH', 9);
>
> function generateHash($plainText, $salt = null)
> {
>     if ($salt === null) {
>         $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
>     } else {
>         $salt = substr($salt, 0, SALT_LENGTH);
>     }
>     return $salt . sha1($salt . $plainText);
> }
>
> i must admit that i didnt realize they were not using crypt() in this function. i must have glazed over it :(
>
> after all this discussion, im now mostly looking for a reason to use crypt() rather than to implement a function such as the one above. it has the advantage of a known, consistent algorithm, that will be used to generate the hash, rather than one that could potentially change on a per system or future release basis; and the salt isnt limited to 2 characters.

Other than supporting legacy apps that used crypt() I don't see any reason to use it now.

Cheers,
Rob.
--
...
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
...
Re: [PHP] password hashing and crypt()
My apologies Robert, Gmail sucks. I'm bouncing this back to the list, where it belonged in the first place. Feel free to make corrections if I've mischaracterized what you wrote. Good luck with that, btw, but don't expect me to engage. Robert Cummings wrote: And THAT does remind me of my MUD server programming :) So it would seem, by supplying a user defined salt you can ensure compatibility with legacy systems that used the older (and largely deprecated) crypt() system. In fact, the description given by PHP worries me a little. In fact, it looks like you are saying that a 13-char hash is better than a 34-char hash, and with your zz $salt exposed to anyone who can tell hash from grits. No, I'm not at all saying that a 13-char hash is better than a 34 char hash. I'm saying that you get different types of encryption depending on how you use crypt, then I illustrated the point. Tying your example(s) to older (read: broken) encryption mechanisms. Then I tied that back to older code I've worked on that produces the encryption variety experienced when supplying a user defined salt... this is then used to make the case that legacy support can be obtained via the user defined salt. If we are dealing with how the Server handles the scripts, why is legacy a factor in the first place? Fit your scripts to the server, this is not some burger joint where you get it your way. And don't try to go international on me, the rest of the world had 128-bit encryption and was free to use it before the US populace could legally possess it for international transactions. Do you remember the Munitions Act? It says, Some operating systems support more than one type of encryption. So? Did you mean to say, control is needed on which type is used? I haven't looked into the crypt() function supplied by PHP beyond having read the initial manual for it and producing examples of output. That sounds like I don't know. So your earlier statement ultimately means I don't know??? 
Obviously, the defining the salt and not defining the salt have profound differences on the result produced (as illustrated). Per your examples, it's the difference between 13-char (hard) and 34-char(harder) differences. And with your 13-char example giving the $salt away in the first two columns (the scenario is a cracker who accessed your user/pass table and is trying to find matches), it doesn't take that cracker long to recognize equal values above and below the divisor. Solve for what is left. So this was a roundabout way of saying, verify the encryption mechanism? How does that make the random $salt less valid than the user-supplied $salt? No, You should have said yes and quit while you thought you were ahead. that was me saying that there is certainly a good reason to use a user defined salt-- legacy compatibility. The random salt is useless if you need to create a crypt()'d string that will match the crypt()'d string created by a C program 10 years ago-- Given that the scenario is a cracker who has your user/pass ID table, that was never a stated goal, purpose or anything. and so in this context, Okay, you win. I can't provide enough real world data to illustrate exactly how wrong you are, in your view because, in your view all this real world data does not get parsed properly. Myself and this is what you were talking around but wouldn't embrace, I think the $salt and encryption method both count for a lot. Given the same encryption method, why would a user-supplied $salt necessarily be better than a random $salt? Answer that only, if you can and expect a reply. --Doc it is true that the random salt is less valid than the custom supplied salt.
Re: [PHP] password hashing and crypt()
On Mon, 2008-01-21 at 14:37 -0500, Mike Potter wrote:
> You should have said yes and quit while you thought you were ahead.

I'm not trying to get ahead... I didn't know I was competing. Are we competing? I thought I was just answering posts.

>> that was me saying that there is certainly a good reason to use a user defined salt-- legacy compatibility. The random salt is useless if you need to create a crypt()'d string that will match the crypt()'d string created by a C program 10 years ago--
>
> Given that the scenario is a cracker who has your user/pass ID table, that was never a stated goal, purpose or anything.
>
>> and so in this context,
>
> Okay, you win. I can't provide enough real world data to illustrate exactly how wrong you are, in your view because, in your view all this real world data does not get parsed properly.

???

> Myself and this is what you were talking around but wouldn't embrace, I think the $salt and encryption method both count for a lot. Given the same encryption method, why would a user-supplied $salt necessarily be better than a random $salt? Answer that only, if you can and expect a reply.

I never said it would. I didn't even come close to saying a user defined salt would be better than a random salt given that the encryption method is the same. From what hat did you pull that? I merely indicated reasons why the user defined salt was necessary.

Cheers,
Rob.
--
...
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
...
Re: [PHP] password hashing and crypt()
Nathan Nobbe wrote: hi all, recently ive been debating a bit about the use of the crypt() function and the best practice thereof, im hoping you can help to clarify this for me. so, the crypt function http://www.php.net/manual/en/function.crypt.php has a second parameter, $salt, which, if not supplied will be automatically generated and presumably become a prefix or suffix of the returned string. now, the article on the phpsec website http://phpsec.org/articles/2005/password-hashing.html recommends to externally create a salt and to store that in a separate field in the database, which would then be used for subsequent password verification. theoretically, however, if the password is generated without a user supplied salt, there is a salt already embedded in the password anyway. so, i have the following questions 1. is the phpsec technique bloated or unnecessary 2. is it better to create a user supplied salt, and why or why not 3. is crypt() 'intended' to be used w/o a user provided salt, since it is a stable algorithm crypt has some issues which I haven't seen anyone else mention. The salt is actually contained in the crypted string as the first two characters, there's no need to store it separately.

<?php
$string = '12345678';
echo crypt($string, 'ab') . "\n";   // ab1iBa.N.U2C6
echo crypt($string, 'cd') . "\n";   // cdsmm9tFWz3CI

The next problem (more importantly) is that crypt only looks at the first 8 characters when generating a hash. It doesn't matter how big you make the string, it's the same as chopping it off at 8 characters.

echo crypt(str_repeat($string, 40), 'cd') . "\n";   // cdsmm9tFWz3CI

The man page explains this (I think): http://linux.die.net/man/3/crypt However if you use md5 or sha1 or something else, then yes store the salt separately because that is *not* part of the hash that gets returned. -- Postgresql php tutorials http://www.designmagick.com/
Re: [PHP] password hashing and crypt()
On Sat, 2008-01-19 at 23:17 -0500, Nathan Nobbe wrote: thanks for the great responses guys. i guess what im really getting at though is, if crypt() will embed a salt in the value it returns automatically, is there any benefit to creating a salt to pass to the second argument and storing that as well? conceivably, passwords already have a salt using the default crypt() behavior, so the general benefit of salting should be supplied by said default behavior. my guess is that there would be *some* benefit to creating a user supplied salt. greater entropy or something, im not sure what... im just trying to rationalize creating a salt in userspace and storing that in the database as opposed to not. any takers for either case? Andrés Robinet wrote up a good response about why having a salt is a good idea-- it exacerbates the problem when attempting brute force attack on encrypted data since you can't use a premade dictionary lookup. And if you have a different salt for each password (or at least a large number of possibilities) then the attacker must generate a dictionary for each salt. Now to answer about using the salt when PHP will happily provide you with a random salt... There absolutely is a good reason to use a user supplied salt. The following gives away the purpose: "The encryption type is triggered by the salt argument. At install time, PHP determines the capabilities of the crypt function and will accept salts for other encryption types." So for instance, try producing crypt()'d strings using the numbers from 1 to 10. On my system I get the following:

$1$gcEomRxT$YibOA/5WcjlCC4hseZ6bk/
$1$dDsWYLJK$RPXPnBRCAVDebiHiPkKJK/
$1$XzT/Az1t$QlONw/QqZMjNANMcnZcp/.
$1$CSgiFjsQ$3isYQqh9lFj/ZvX0ocsnx0
$1$8HHAUR5/$YzxMhT7rMfM13M/yRf2ET.
$1$G/WgK8zD$k3VZ2PAOIi1kcWVsyvnF10
$1$4fh1himm$wRqRYotHmw2Ps/SIkqhBq/
$1$.sTqbfpQ$RXhPwgyNGtS93OQ6jrzYl0
$1$tUCw0Rze$vtJ4i2Ed1k4oyrvod9X0R.
$1$W14JfJsx$WbyTs2Nqh9eXIpNgKBsCT0

I don't know what crypt() system produces that, but it's not the default version of crypt() that I remember from my MUD server programming. In fact if I supply a user salt (let's say zz) I get the following:

zzsF/.LubwLnI
zzF7BImpLw88c
zzwyg0kWM1qv.
zzg9FBoQ.0O/o
zzjyi10UWoOtY
zzs2WwvhylXdQ
zzk7FKWJk8XiU
zzyIn0BmVxHbU
zzteAzJnPG9JE
zz8WHA83j.CZI

And THAT does remind me of my MUD server programming :) So it would seem, by supplying a user defined salt you can ensure compatibility with legacy systems that used the older (and largely deprecated) crypt() system. In fact, the description given by PHP worries me a little. It says, "Some operating systems support more than one type of encryption. In fact, sometimes the standard DES-based encryption is replaced by an MD5-based encryption algorithm." This suggests that you can't rely on crypt() producing the same output on two different systems if you don't supply a salt :| So in closing, I'd just go ahead and use SHA1 or something else that is clearly defined :) Cheers, Rob. -- ... SwarmBuy.com - http://www.swarmbuy.com Leveraging the buying power of the masses! ...
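The two crypt() problems Chris and Rob describe above (the 2-character DES salt sitting in the output, the 8-character truncation, and output that depends on which crypt() the host provides), as an added example that is not from the thread or from PHP's own documentation. It checks the DES behaviour, then shows password_hash()/password_verify() (PHP 5.5 and later), where the "$2y$" prefix pins the algorithm so a hash verifies identically on any PHP build, and a login path that re-hashes legacy 13-character DES entries on the fly. The cost value and the "13 characters, no leading $" rule for spotting legacy hashes are assumptions for the illustration.

```php
<?php
// Added example (not from the thread): the crypt() issues discussed above,
// then the modern replacement. Requires PHP >= 5.6 (hash_equals).

// 1. Standard DES crypt(): the 2-char salt is the first two characters of
//    the output, and only the first 8 characters of the password matter.
function des_truncation_demo(): array
{
    $short = crypt('12345678', 'cd');
    $long  = crypt('12345678-anything-after-the-eighth-char', 'cd');
    return [
        'salt_is_prefix' => substr($short, 0, 2) === 'cd',
        'truncated_to_8' => $short === $long,   // same 13-char hash for both
    ];
}

// 2. password_hash() draws a random salt per password, embeds salt and cost
//    in the returned string, and the "$2y$" prefix fixes the algorithm, so
//    the result does not depend on the host's crypt(3). Caveat: bcrypt only
//    uses the first 72 bytes of the password.
function make_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]); // cost assumed
}

function check_login(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// 3. Migration path for a table that still holds legacy DES hashes
//    (assumed rule: 13 characters and no "$" prefix). On a successful login,
//    re-hash with bcrypt and hand the new value back so the caller can
//    UPDATE the row; also re-hash when the stored bcrypt cost is outdated.
function verify_and_upgrade(string $password, string $stored): array
{
    $legacy = strlen($stored) === 13 && $stored[0] !== '$';
    $ok = $legacy
        ? hash_equals($stored, crypt($password, substr($stored, 0, 2)))
        : password_verify($password, $stored);
    if (!$ok) {
        return ['ok' => false, 'new_hash' => null];
    }
    $needs = $legacy
        || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
    return ['ok' => true, 'new_hash' => $needs ? make_hash($password) : null];
}

// Usage
var_dump(des_truncation_demo());
$h = make_hash('correct horse battery staple');
var_dump(check_login('correct horse battery staple', $h));
var_dump(check_login('wrong', $h));
$legacy_hash = crypt('12345678', 'cd');          // what the old C program would have stored
$r = verify_and_upgrade('12345678', $legacy_hash);
var_dump($r['ok'], $r['new_hash'] !== null);     // login accepted, bcrypt replacement produced
```

The re-hash-on-login step is what lets a site leave the old 13-character values in place and replace them one user at a time, without ever needing to know the plaintext up front; once every row has a "$2y$" hash the legacy branch can be deleted.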
Re: [PHP] password hashing and crypt()
Nathan Nobbe schreef: hi all, recently ive been debating a bit about the use of the crypt() function and the best practice thereof, im hoping you can help to clarify this for me. so, the crypt function http://www.php.net/manual/en/function.crypt.php has a second parameter, $salt, which, if not supplied will be automatically generated and presumably become a prefix or suffix of the returned string. now, the article on the phpsec website http://phpsec.org/articles/2005/password-hashing.html recommends to externally create a salt and to store that in a separate field in the database, which would then be used for subsequent password verification. theoretically, however, if the password is generated without a user supplied salt, there is a salt already embedded in the password anyway. so, i have the following questions 1. is the phpsec technique bloated or unnecessary I can't see a dictionary attack being thwarted by the salt given that the salt is made available when a password is checked. I'm struggling to see how a salt will help if it's made available. but it's late, maybe a better brain can enlighten us :-) then again your question is a little skewed due to the fact that sha1() is used in the phpsec article and you're talking about crypt - which encryption is better as it stands is the first question to ask no? AFAIK sha1() is recommended over DES but maybe I'm misinformed. 2. is it better to create a user supplied salt, and why or why not 3. is crypt() 'intended' to be used w/o a user provided salt, since it is a stable algorithm depends on the use - i.e. using it in conjunction with a .htpasswd file will require no salt (auto-generated salt), other usage recommends using an explicit salt. all this salt is hurting my eyes - I have a blind spot. any other direction or hints you can supply are much appreciated. thanks, -nathan
Re: [PHP] password hashing and crypt()
On Jan 19, 2008 8:02 PM, Jochem Maas [EMAIL PROTECTED] wrote: Nathan Nobbe schreef: hi all, recently ive been debating a bit about the use of the crypt() function and the best practice thereof, im hoping you can help to clarify this for me. so, the crypt function http://www.php.net/manual/en/function.crypt.php has a second parameter, $salt, which, if not supplied will be automatically generated and presumably become a prefix or suffix of the returned string. now, the article on the phpsec website http://phpsec.org/articles/2005/password-hashing.html recommends to externally create a salt and to store that in a separate field in the database, which would then be used for subsequent password verification. theoretically, however, if the password is generated without a user supplied salt, there is a salt already embedded in the password anyway. so, i have the following questions 1. is the phpsec technique bloated or unnecessary I can't see a dictionary attack being thwarted by the salt given that the salt is made available when a password is checked. I'm struggling to see how a salt will help if it's made available. but it's late, may be better brain can enlighten us :-) then again your question is a little skewed due to the fact that sha1() is used in the phpsec article and your talking about crypt - which encryption is better as it stands is the first question to ask no? AFAIK sha1() is recommended over DES but maybe I'm misinformed. 2. is it better to create a user supplied salt, and why or why not 3. is crypt() 'intended' to be used w/o a user provided salt, since it is a stable algorithm depends on the use - i.e. using it inconjunction with a .htpasswd file will required no salt (auto-generated salt), other usage recommends using an explicit salt. all this salt is hurting my eyes - I have a blind spot. any other direction or hints you can supply are much appreciated. 
thanks, -nathan They say sha1 has been compromised. http://en.wikipedia.org/wiki/SHA_hash_functions I always make sure that I use a site specific salt which is just appended on the user supplied value. I started doing that when I read that people had created huge databases of hashed values that they can just search on. At least this way no matter what the password isn't a dictionary word. As for if that really adds value in the end I can't say as I'm not really a security expert. Eg. hash('sha256', $input.$salt);
RE: [PHP] password hashing and crypt()
-Original Message- From: Eric Butera [mailto:[EMAIL PROTECTED] Sent: Sunday, January 20, 2008 12:24 AM To: Jochem Maas Cc: Nathan Nobbe; PHP General List Subject: Re: [PHP] password hashing and crypt() On Jan 19, 2008 8:02 PM, Jochem Maas [EMAIL PROTECTED] wrote: Nathan Nobbe schreef: hi all, recently ive been debating a bit about the use of the crypt() function and the best practice thereof, im hoping you can help to clarify this for me. so, the crypt function http://www.php.net/manual/en/function.crypt.php has a second parameter, $salt, which, if not supplied will be automatically generated and presumably become a prefix or suffix of the returned string. now, the article on the phpsec website http://phpsec.org/articles/2005/password-hashing.html recommends to externally create a salt and to store that in a separate field in the database, which would then be used for subsequent password verification. theoretically, however, if the password is generated without a user supplied salt, there is a salt already embedded in the password anyway. so, i have the following questions 1. is the phpsec technique bloated or unnecessary I can't see a dictionary attack being thwarted by the salt given that the salt is made available when a password is checked. I'm struggling to see how a salt will help if it's made available. but it's late, may be better brain can enlighten us :-) then again your question is a little skewed due to the fact that sha1() is used in the phpsec article and your talking about crypt - which encryption is better as it stands is the first question to ask no? AFAIK sha1() is recommended over DES but maybe I'm misinformed. 2. is it better to create a user supplied salt, and why or why not 3. is crypt() 'intended' to be used w/o a user provided salt, since it is a stable algorithm depends on the use - i.e. using it inconjunction with a .htpasswd file will required no salt (auto-generated salt), other usage recommends using an explicit salt. 
all this salt is hurting my eyes - I have a blind spot. any other direction or hints you can supply are much appreciated. thanks, -nathan They say sha1 has been compromised. http://en.wikipedia.org/wiki/SHA_hash_functions I always make sure that I use a site specific salt which is just appended on the user supplied value. I started doing that when I read that people had created huge databases of hashed values that they can just search on. At least this way no matter what the password isn't a dictionary word. As for if that really adds value in the end I can't say as I'm not really a security expert. Eg. hash('sha256', $input.$salt); -- Let me share what I've read in a cryptography book some time ago. I hope to remember it well, but for me it served as an explanation about what the SALT is all about (for those of you who don't have a clue, like me). I will put aside any cryptographic considerations like the strength of the algorithms or steganography analysis. Let's build a scenario (yeah, I was kind of a teacher in the past, lol). For the sake of simplicity, let's assume the following:

1 - You have a database (actually, a table) of 10 rows with user encrypted passwords, and somebody (the cracker) had made it to sniff in and get access to it. Let's assume passwords are encrypted using MD5 and the cracker knows it.

2 - No other data has been compromised, or no other compromised data means anything to the cracker. He only wants to reverse engineer your passwords, meaning by that to get valid passwords that match the encrypted (hashed is the word) ones. Let's say that having those passwords, the cracker can login to your system and do some interesting stuff, which is the only ultimate goal of his.

3 - The cracker has a dictionary of 100 words to try, he hopes to find a match within that dataset.

Whether he finds one or more passwords using the dictionary is not relevant to this scenario, but the metric here is how much computational effort he has to make to reverse engineer the encryption. Now, what would the cracker have to do to get one or more valid passwords? Probably something like:

1 - Apply the MD5 function to the words in the dictionary. He gets a hashed dictionary which probably he has already built long ago (for doing some other obscure task).

2 - Compare each of the values in the hashed dictionary to the passwords table to find matches.

Step 2 can be optimized in several ways, but I'll not get deeper into it (I won't either give you O[X] values, as I don't have a clue, but some figures can be made). Also, there's the chance that two users chose the same password, and the hashes would be equal (in this case you would have only 9 passwords
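The cost comparison Andrés sets up above, and Rob's remark that a different salt per password forces a separate dictionary per row, as an added example that is not from the thread. It uses the hash('sha256', $input.$salt) shape Eric posted, but with a random per-user salt rather than one site-wide value, and counts hash computations rather than timing anything. The user list and the five-word "dictionary" are constructed for the illustration.

```php
<?php
// Added example (not from the thread): how many hash computations a
// dictionary match costs against an unsalted table versus a table with a
// random salt per user. Users and the dictionary are constructed here.

const DICTIONARY = ['letmein', 'password', 'qwerty', 'dragon', 'monkey'];

function build_table(array $users, bool $salted): array
{
    $rows = [];
    foreach ($users as $name => $pw) {
        $salt = $salted ? bin2hex(random_bytes(8)) : '';   // 64-bit random salt
        $rows[$name] = ['salt' => $salt, 'hash' => hash('sha256', $pw . $salt)];
    }
    return $rows;
}

// Unsalted: the dictionary is hashed once (and could have been precomputed
// years ago); after that every row is a single lookup, and two users with
// the same password are visible immediately because their hashes collide.
function match_unsalted(array $rows): array
{
    $work = 0;
    $lookup = [];
    foreach (DICTIONARY as $word) {
        $lookup[hash('sha256', $word)] = $word;
        $work++;
    }
    $found = [];
    foreach ($rows as $name => $row) {
        if (isset($lookup[$row['hash']])) {
            $found[$name] = $lookup[$row['hash']];
        }
    }
    return ['work' => $work, 'found' => $found];
}

// Salted: nothing can be precomputed, and the per-row salt means every row
// needs its own pass over the dictionary, so work grows with rows x words
// instead of staying at the dictionary size.
function match_salted(array $rows): array
{
    $work = 0;
    $found = [];
    foreach ($rows as $name => $row) {
        foreach (DICTIONARY as $word) {
            $work++;
            if (hash_equals($row['hash'], hash('sha256', $word . $row['salt']))) {
                $found[$name] = $word;
                break;
            }
        }
    }
    return ['work' => $work, 'found' => $found];
}

// Constructed sample: two users share a dictionary word, one does not.
$users = ['alice' => 'letmein', 'bob' => 'Tr0ub4dor&3', 'carol' => 'letmein'];
$u = match_unsalted(build_table($users, false));
$s = match_salted(build_table($users, true));
printf("unsalted: %d hashes, %d matched\n", $u['work'], count($u['found']));
printf("salted:   %d hashes, %d matched\n", $s['work'], count($s['found']));
```

Both runs recover the same weak passwords; what changes is that the unsalted figure stays at the dictionary size no matter how many rows the table has, while the salted figure scales with the number of rows. A fast hash such as SHA-256 still lets each of those computations be cheap, which is why the thread's later advice (a deliberately slow, salted scheme such as bcrypt through password_hash()) is the part that actually raises the attacker's cost per row.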
Re: [PHP] password hashing and crypt()
thanks for the great responses guys. i guess what im really getting at though is, if crypt() will embed a salt in the value it returns automatically, is there any benefit to creating a salt to pass to the second argument and storing that as well? conceivably, passwords already have a salt using the default crypt() behavior, so the general benefit of salting should be supplied by said default behavior. my guess is that there would be *some* benefit to creating a user supplied salt. greater entropy or something, im not sure what... im just trying to rationalize creating a salt in userspace and storing that in the database as opposed to not. any takers for either case? -nathan
Re: [PHP] Password Protecting
visit http://www.softswot.com/Form1Password.php On 3/21/07, Kevin [EMAIL PROTECTED] wrote: Hello Everyone! I am new to PHP but I am hoping you guys can help me. I would like to have my users go to a page that looks like http://f4.zittle.com/admin, or even just a drop down window or something where they can enter a username and password. Depending on the username, and of course assuming the password is correct, they will be forwarded to a certain page or directory. I think I need to use a DB but I am not sure anything more. Sorry it is such a simple question but hopefully all of you can help! Thanks in advance!!! Kevin -- Shafiq Rehman (ZCE) http://phpgurru.com | http://shafiq.pk
Re: [PHP] Password Protecting
On Wed, March 21, 2007 12:11 am, Kevin wrote: I am new to PHP but I am hoping you guys can help me. I would like to have my users go to a page that looks like http://f4.zittle.com/admin, or even just a drop down window or something where they can enter a username and password. Depending on the username, and of course assuming the password is correct, they will be forwarded to a certain page or directory. I think I need to use a DB but I am not sure anything more. Sorry it is such a simple question but hopefully all of you can help! Thanks in advance!!! Google "PHP Password access" -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?
Re: [PHP] Password Protect Directory
Jason Karns wrote: I'm trying to find a way to password protect a directory. I currently have an authentication and authorization system in place for pages in my directory. I'd prefer to use my existing system somehow (as it includes OpenID authentication) as opposed to using htaccess and HTTP Auth. The only idea I've found is to use mod_rewrite to have a PHP script serve up all the files in the particular directory and have the authentication handled in this script. This just seems a little 'hackish' to me. why? as an alternative you could setup apache to force php to handle *all* files in that directory using a Files directive in conjunction with an auto_prepend_file directive for that dir that does the authentication and pumps out the requested file - same effect as using mod_rewrite without actually using mod_rewrite. Is there any other way to password protect a directory with PHP? I'd even entertain the idea of using HTTP Auth if I could get PHP to 'login'. For instance, the user logs in at another page in the site, and then during the login process, PHP sets the HTTP Auth password so when the files in the directory are accessed, the user has already been logged in. Any suggestions would be great, I can't find anything else online.
Re: [PHP] Password Protect Directory
Well, you could try to edit each PHP file and add a piece of login code at top, but if the directory will also contain images (which need a password to access), it would not be possible that way. Tijnema On 3/4/07, Jason Karns [EMAIL PROTECTED] wrote: I'm trying to find a way to password protect a directory. I currently have an authentication and authorization system in place for pages in my directory. I'd prefer to use my existing system somehow (as it includes OpenID authentication) as opposed to using htaccess and HTTP Auth. The only idea I've found is to use mod_rewrite to have a PHP script serve up all the files in the particular directory and have the authentication handled in this script. This just seems a little 'hackish' to me. Is there any other way to password protect a directory with PHP? I'd even entertain the idea of using HTTP Auth if I could get PHP to 'login'. For instance, the user logs in at another page in the site, and then during the login process, PHP sets the HTTP Auth password so when the files in the directory are accessed, the user has already been logged in. Any suggestions would be great, I can't find anything else online.
RE: [PHP]Password and FTP Folder
-Original Message- From: Helder Lopes [mailto:[EMAIL PROTECTED] Sent: Thursday, February 15, 2007 5:32 AM To: php-general@lists.php.net Subject: [PHP]Password and FTP Folder Hi people, I have a problem. I need a script to make an FTP folder that requires a password to enter. Is there any way to do this?? /mrpostiga you can upload .htaccess and .htpasswd files via FTP and password protect it. If you do a search for "password protect htaccess" you should find a lot of tutorials on how to create the .htaccess file and generate user/password combinations for the .htpasswd file.
Re: [PHP] password protecting files, only allowing authorized users
This is impossible with only PHP. You might need a combination of PHP and AJAX [Javascript]. On 1/11/07, Dave [EMAIL PROTECTED] wrote: Hello, I'm using php and apache2 on a freebsd box. I know about .htaccess that the web server can provide, but i'm looking for something php can do, i want it to pop up a page when a user requests certain files, asking for a username and password. If those are valid the user is taken to a page where the files requested can be downloaded. I'd rather not use a mysql database and keep this user information in a flat file, as what i am trying to do is on a small scale. I am also interested in blocking direct access to the files, for instance if someone puts in their direct url they should not be retrievable, but instead php should give an error msg. Any help appreciated. Thanks. Dave.
Re: [PHP] password protecting files, only allowing authorized users
Dave wrote: Hello, I'm using php and apache2 on a freebsd box. I know about .htaccess that the web server can provide, but i'm looking for something php can do, i want it to pop up a page when a user requests certain files, asking for a username and password. http://www.php.net/features.http-auth has some nice examples, though the popup is the same as using htaccess. I am also interested in blocking direct access to the files, for instance if someone puts in their direct url they should not be retrievable, but instead php should give an error msg. If it's in a publicly accessible folder and only a php file to protect it, it won't work. Put the files in a non-public folder (outside the webroot) and get php to pipe them in. http://php.net/readfile or http://php.net/fpassthru will work for small files. For larger files you will need to use http://php.net/fread (specifically the loop example) so you don't blow out memory. -- Postgresql php tutorials http://www.designmagick.com/
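Chris's advice above (files outside the webroot, PHP checks the login and pipes the file through with an fread loop), which also answers Jason Karns's "serve everything through a PHP script" question earlier on the page, as an added example that is not from the thread. The storage directory, the $_SESSION['user_id'] key set by the site's own login page, and the f= query parameter are assumptions for the illustration.

```php
<?php
// Added example (not from the thread): a download gate for files stored
// outside DocumentRoot. Only logged-in users get a file, and only by bare
// file name, so a crafted URL cannot reach anything else on disk.
declare(strict_types=1);

session_start();

const FILE_ROOT = '/var/www/private';   // assumed: NOT under the web root

// Map a requested name to a real path inside FILE_ROOT, or null if it is
// not a plain file name, does not exist, or escapes the directory.
function resolve_private_file(string $requested): ?string
{
    // Only a bare file name is accepted: this rejects "../x", "/etc/x", "a/b".
    if ($requested === '' || $requested !== basename($requested)) {
        return null;
    }
    $root = realpath(FILE_ROOT);
    $path = realpath(FILE_ROOT . '/' . $requested);
    // realpath() resolves symlinks, so re-check that the final target is a
    // regular file still under the root (a planted symlink cannot escape).
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// Send the file in 8 KiB chunks (the fread loop Chris points to) rather
// than reading it whole, so a large download cannot exhaust memory_limit.
function send_file(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');   // browser must not guess a type
    $fh = fopen($path, 'rb');
    while (!feof($fh)) {
        echo fread($fh, 8192);
        flush();
    }
    fclose($fh);
}

// Gate: the login page is assumed to set $_SESSION['user_id'] on success.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required.');
}

$path = resolve_private_file((string) ($_GET['f'] ?? ''));
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "not allowed"
    exit('No such file.');
}
send_file($path);
```

Because the files live outside the webroot, a direct URL to them never reaches Apache's file handler at all, which is what Dave asked for; the only route is this script, and the script's own check is the one place the access decision is made. If different users may see different files, add that lookup between the session check and resolve_private_file(), keyed on the user id rather than on anything the client sends.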
Re: [PHP] Password encryption and password retrieval
Hi, Thank you every one for responding to my mail and giving valuable comments and suggestions for it. Thanx, ..Deeps.. --- Deep [EMAIL PROTECTED] wrote: Hi evryone, I want to implement a site where i would like to encrypt the password of the users and store it into mysql database. My question is that , In case if the user has forgotten the password how can he retrieve the password(which is already encrypted and stored...the user should be able to get the decrypted password). Also which encryption method would you recommend. ie. md5,crypt, etc Thanx, ..Deeps.. Yahoo! India Matrimony: Find your life partner online Go to: http://yahoo.shaadi.com/india-matrimony
Re: [PHP] Password encryption and password retrieval
Hi You are doing the right thing storing passwords encrypted! You may use any of the one way digest like secure hash 1 (sha1) or md5 or a combination to generate a hash. In case your user forgets his password, there is no way to reconstruct it. You need to provide an interface where the user can enter their email and the script sends a message to the user with a token. Afterwards, this token is used as one time password to login and change the password. Regards Andy -- Registered Linux User Number 379093 -- --BEGIN GEEK CODE BLOCK- Version: 3.1 GAT/O/E$ d-(---)+ s:(+): a--(-)? C$(+++) UL$ P-(+)++ L+++$ E---(-)@ W++$ !N@ o? !K? W--(---) !O !M- V-- PS++(+++) PE--(-) Y+ PGP++(+++) t+(++) 5-- X++ R*(+)@ !tv b-() DI(+) D+(+++) G(+) e$@ h++(*) r--++ y--() -- ---END GEEK CODE BLOCK-- -- Check out these few php utilities that I released under the GPL2 and that are meant for use with a php cli binary: http://www.vlaamse-kern.com/sas/
Re: [PHP] Password encryption and password retrieval
I want to implement a site where i would like to encrypt the password of the users and store it into mysql database. My question is that , In case if the user has forgotten the password how can he retrieve the password(which is already encrypted and stored...the user should be able to get the decrypted password). Once encrypted that's it. The user can't get it back. Best thing is to ask them to verify additional information and then send a randomly generated password to the email address *you* have on file for that user. They can then change it when they login. Also which encryption method would you recommend. ie. md5,crypt, etc of those two, md5. search the net for discussions about md5 vs sha1... -philip
Re: [PHP] Password encryption and password retrieval
On Tuesday 10 May 2005 16:05, Deep wrote: Hi evryone, I want to implement a site where i would like to encrypt the password of the users and store it into mysql database. My question is that , In case if the user has forgotten the password how can he retrieve the password(which is already encrypted and stored...the user should be able to get the decrypted password). The user won't be able to retrieve its password if you want your application to be secure. The best practice is to flush the password and let the user reactivate its account by providing him a temporary password. Also which encryption method would you recommend. ie. md5,crypt, etc Thanx, ..Deeps.. -- Cyberly yours, Petar Nedyalkov Devoted Orbitel Fan :-) PGP ID: 7AE45436 PGP Public Key: http://bu.orbitel.bg/pgp/bu.asc PGP Fingerprint: 7923 8D52 B145 02E8 6F63 8BDA 2D3F 7C0B 7AE4 5436
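The reset flow Andy, philip and Petar describe above (never recover the old password; e-mail a one-time token and let the user set a new one), as an added example that is not from the thread. The table and column names, the reset URL and the mailer callback are assumptions; the usage at the bottom runs the whole exchange against an in-memory SQLite database so it can be tried without a real MySQL server. Requires PHP 7 or later.

```php
<?php
// Added example (not from the thread): a one-time password-reset token.
// Schema, URL and mailer are assumed for the illustration.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 30 * 60;   // token lives 30 minutes (assumed policy)

// Step 1: the user submits an e-mail address. Respond identically whether or
// not the address is registered, so the form cannot be used to enumerate users.
function begin_reset(PDO $db, string $email, callable $send_mail): void
{
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user_id = $stmt->fetchColumn();
    if ($user_id !== false) {
        $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        // Store only a hash of the token: a copy of this table is not enough
        // to reset anyone's password.
        $stmt = $db->prepare(
            'INSERT INTO password_resets (user_id, token_hash, expires_at)
             VALUES (?, ?, ?)'
        );
        $stmt->execute([
            $user_id,
            hash('sha256', $token),
            date('Y-m-d H:i:s', time() + TOKEN_TTL_SECONDS),
        ]);
        $send_mail($email, 'https://example.com/reset?token=' . $token);
    }
}

// Step 2: the user follows the link and supplies a new password. The row is
// deleted on every attempt, so a token works at most once, and an expired
// token is treated exactly like an unknown one.
function complete_reset(PDO $db, string $token, string $new_password): bool
{
    $token_hash = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT user_id FROM password_resets WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([$token_hash, date('Y-m-d H:i:s')]);
    $user_id = $stmt->fetchColumn();

    $db->prepare('DELETE FROM password_resets WHERE token_hash = ?')
       ->execute([$token_hash]);

    if ($user_id === false) {
        return false;
    }
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($new_password, PASSWORD_DEFAULT), $user_id]);
    return true;
}

// Usage against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$db->exec('CREATE TABLE password_resets (user_id INTEGER, token_hash TEXT, expires_at TEXT)');
$db->exec("INSERT INTO users (email, password_hash) VALUES ('deeps@example.com', '')");

$captured = null;   // the "mailer" just records the link it would have sent
begin_reset($db, 'deeps@example.com', function (string $to, string $link) use (&$captured) {
    $captured = $link;
});
$token = substr($captured, strlen('https://example.com/reset?token='));
var_dump(complete_reset($db, $token, 'new passphrase'));   // first use of the token
var_dump(complete_reset($db, $token, 'replayed'));         // same token again, row already gone
```

The token is compared through its hash in a WHERE clause and the expiry is checked in the same query, so there is no separate plaintext token column to leak and no window in which an expired token is still honoured. Sending a temporary password by mail, as philip suggests, works the same way but leaves a usable credential in the mailbox; a reset link that dies after one use or thirty minutes leaves less behind.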
Re: [PHP] Password expiration script
im sure it can't be that hard to write: when user logs in check the last date their password was set. if 30 days then prompt to connect and don't allow user to do anything else until password has been changed and new expiry date is set (which will now be less than 30 days) use an include for it and if there is an error (ie logged in but haven't changed password) redirect to an error page hopefully this will get you going. Angelo Bosky, Dave wrote: I'm looking for a script that would require a user to change their password every 30 days. Does anyone use a script that has functionality similar to what I'm looking for? Thanks, Dave HTC Disclaimer: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. -- Angelo Zanetti Z Logic [c] +27 72 441 3355 [t] +27 21 464 1363 [f] +27 21 464 1371 www.zlogic.co.za
Re: [PHP] Password expiration script
There's instant2c pro at securecents.com, but that might be like using a tank to kill a fly :-D On 3/31/2005 11:18:31 AM, Bosky, Dave ([EMAIL PROTECTED]) wrote: I'm looking for a script that would require a user to change their password every 30 days. Does anyone use a script that has functionality similar to what I'm looking for? Thanks, Dave
Re: [PHP] Password expiration script
On Thu, 31 Mar 2005 14:18:31 -0500, Bosky, Dave [EMAIL PROTECTED] wrote: I'm looking for a script that would require a user to change their password every 30 days. Does anyone use a script that has functionality similar to what I'm looking for? Thanks, Dave I did it using a DB query: $sql = 'SELECT TO_DAYS(NOW()) - TO_DAYS(\''.$last_pass_chg.'\');';
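The include Angelo sketches above (check the date the password was last set, force a change after 30 days, and don't let the user do anything else until it is done), as an added example that is not from the thread. It computes the age in PHP rather than in MySQL as the previous reply does, and handles two cases the sketch leaves open: an account with no recorded change date, and the redirect loop you get if the change-password page itself is not exempt. The session key and page paths are assumptions for the illustration.

```php
<?php
// Added example (not from the thread): a 30-day password-age gate meant to be
// included at the top of every authenticated page. Names are assumed.
declare(strict_types=1);

const MAX_PASSWORD_AGE_DAYS = 30;

// Whole days since the password was last set, or null when no date is
// recorded (new or migrated accounts). Both timestamps are read in UTC so a
// server timezone change cannot shift the result.
function password_age_days(?string $last_changed, ?DateTimeImmutable $now = null): ?int
{
    if ($last_changed === null || $last_changed === '') {
        return null;
    }
    $utc = new DateTimeZone('UTC');
    $changed = new DateTimeImmutable($last_changed, $utc);
    $now = $now ?? new DateTimeImmutable('now', $utc);
    return (int) $changed->diff($now)->days;
}

// A missing date counts as expired: the account must set a password before
// it can be used, rather than silently bypassing the policy.
function password_expired(?string $last_changed, ?DateTimeImmutable $now = null): bool
{
    $age = password_age_days($last_changed, $now);
    return $age === null || $age >= MAX_PASSWORD_AGE_DAYS;
}

// Returns the URL to redirect to, or null if the page may load. The
// change-password and logout pages are exempt so the user is never stuck
// being redirected to a page that is itself behind the gate.
function enforce_password_age(array $session, string $current_script): ?string
{
    $exempt = ['/change_password.php', '/logout.php'];   // assumed paths
    if (in_array($current_script, $exempt, true)) {
        return null;
    }
    if (password_expired($session['password_changed_at'] ?? null)) {
        return '/change_password.php?reason=expired';
    }
    return null;
}

// Usage on a protected page, after session_start(); the login page is
// assumed to copy the users.password_changed_at column into the session,
// and the change-password page to refresh both the column and the session.
// $redirect = enforce_password_age($_SESSION, $_SERVER['SCRIPT_NAME']);
// if ($redirect !== null) { header('Location: ' . $redirect); exit; }

// Stand-alone check of the three cases with a fixed "now".
$now = new DateTimeImmutable('2005-03-31 14:18:31', new DateTimeZone('UTC'));
var_dump(password_expired('2005-03-15 09:00:00', $now));   // 16 days old
var_dump(password_expired('2005-02-20 09:00:00', $now));   // 39 days old
var_dump(password_expired(null, $now));                    // no date recorded
```

Keeping the decision in a function that takes the session array and script name as arguments, rather than reading the globals inside, is what makes the gate testable without a web server, as the last three lines show.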
Re: [PHP] password Boxes
Richard Lynch [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Does anyone know how to change the style of password boxes so when the characters are entered an asterisk appears rather than a small circle? Or is this just determined by the OS and unchangeable with CSS or JavaScript or PHP? They are certainly NOT changeable with PHP. I doubt that JavaScript holds the answer either. I don't know much about JavaScript or VBScript, but I believe there is an action called OnKeyPress or something to that effect. If that's there, writing a function that accepts the key pressed and replace it with another character, while the original pressed character is stored in a shadow array? Like I said.. have no clue, if this is possible, but that is what I would try You might, however, find an HTML ATTRIBUTE supported by some browsers that allows you to change the character used. I doubt it, but it's possible. If it is possible, presumably CSS allows you to change the attribute as well, though you never know for sure with CSS... For sure, whatever you do find, it ain't something that's standard across all browsers. But you may only care about the one browser that uses the small circles anyway. Why in the world do you WANT to change it? [puzzled] -- Like Music? http://l-i-e.com/artists.htm
Re: [PHP] password Boxes
On 14 Mar 2005 Ross Hulford wrote: Does anyone know how to change the style of password boxes so when the characters are entered an asterisk appears rather than a small circle? It is determined by the browser and OS. I presume you are talking about Windows XP, which is where I see that behavior. You might try use a CSS entry or style= to change the font for the input box to Courier and see if it behaves differently. -- Tom
Re: [PHP] password Boxes
On Mon, 14 Mar 2005 08:37:04 -0500, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On 14 Mar 2005 Ross Hulford wrote: Does anyone know how to change the style of password boxes so when the characters are entered an asterisk appears rather than a small circle? It is determined by the browser and OS. I presume you are talking about Windows XP, which is where I see that behavior. You might try use a CSS entry or style= to change the font for the input box to Courier and see if it behaves differently. -- Tom change <input type='text' name='name'/> to: <input type='password' name='name'/> This is an HTML related question, not php (or even javascript). Next time try google. Dotan Cohen http://English-Lyrics.com http://Song-Lyriks.com
Re: [PHP] password Boxes
Dotan Cohen wrote:
> On Mon, 14 Mar 2005 08:37:04 -0500, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > On 14 Mar 2005 Ross Hulford wrote:
> > > Does anyone know how to change the style of password boxes so when the characters are entered an asterisk appears rather than a small circle?
> >
> > It is determined by the browser and OS. I presume you are talking about Windows XP, which is where I see that behavior. You might try using a CSS entry or style= to change the font for the input box to Courier and see if it behaves differently.
> >
> > --
> > Tom
>
> Change <input type='text' name='name'/> to: <input type='password' name='name'/>
>
> This is an HTML related question, not PHP (or even JavaScript). Next time try Google.

yeah ... but next time read the question before you answer ;-)

the guy was wondering how to change which character was used as the mask in password fields - normally it's an asterisk; if you use WinXP with the std. wibbly-wobbly-blue-bubble-wrap theme it shows a small (filled) circle instead... earth-shattering. :-)

> Dotan Cohen
> http://English-Lyrics.com
> http://Song-Lyriks.com
Re: [PHP] password Boxes
On 14 Mar 2005 Dotan Cohen wrote:
> Change <input type='text' name='name'/> to: <input type='password' name='name'/>

This does not address the question. The OP saw small dots in the password display; he wanted asterisks. That is not because he was using type='text' but because he was already using type='password' and the browser had a particular way of displaying characters in such fields, which he wanted to change.

> This is an HTML related question, not PHP (or even JavaScript). Next time try Google.

Really it is a browser implementation question, not even HTML. But in any case, I am not the person who asked the question. You may want to direct your advice to them.

People get confused all the time about what is happening on the server side and what is on the client side. This poster asked specifically whether the issue could be addressed in PHP or was (in his terms) an OS issue. I don't think knowing the answer to that question is a prerequisite for posting here.

--
Tom
Re: [PHP] password Boxes
> Does anyone know how to change the style of password boxes so when the characters are entered an asterisk appears rather than a small circle? Or is this just determined by the OS and unchangeable with CSS or JavaScript or PHP?

They are certainly NOT changeable with PHP.

I doubt that JavaScript holds the answer either.

You might, however, find an HTML ATTRIBUTE supported by some browsers that allows you to change the character used. I doubt it, but it's possible.

If it is possible, presumably CSS allows you to change the attribute as well, though you never know for sure with CSS...

For sure, whatever you do find, it ain't something that's standard across all browsers. But you may only care about the one browser that uses the small circles anyway.

Why in the world do you WANT to change it? [puzzled]

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] password Boxes
On Mon, 14 Mar 2005 16:25:32 +0100, Jochem Maas [EMAIL PROTECTED] wrote:
> yeah ... but next time read the question before you answer ;-)
>
> the guy was wondering how to change which character was used as the mask in password fields - normally it's an asterisk; if you use WinXP with the std. wibbly-wobbly-blue-bubble-wrap theme it shows a small (filled) circle instead... earth-shattering. :-)

I stand corrected! As a Fedora user, I have never seen those circles, so I did fully understand the question. And, being OT, maybe a personal email to the OP would have been better, but for the archives I opted to answer on-list.

Would I be cynical if I suggested a different solution to the problem?
http://www.mozilla.org/products/firefox/

Dotan Cohen
http://English-Lyrics.com
http://Song-Lyriks.com
Re: [PHP] password Boxes
Dotan Cohen wrote:
> On Mon, 14 Mar 2005 16:25:32 +0100, Jochem Maas [EMAIL PROTECTED] wrote:
> > yeah ... but next time read the question before you answer ;-)
> >
> > the guy was wondering how to change which character was used as the mask in password fields - normally it's an asterisk; if you use WinXP with the std. wibbly-wobbly-blue-bubble-wrap theme it shows a small (filled) circle instead... earth-shattering. :-)
>
> I stand corrected! As a Fedora user, I have never seen those circles, so I did fully understand the question. And, being OT, maybe a personal email to the OP would have been better, but for the archives I opted to answer on-list.

cool.

> Would I be cynical if I suggested a different solution to the problem?
> http://www.mozilla.org/products/firefox/

that's anything but cynical :-) besides, if you are developing web stuff you probably should be running a number of diff. browsers regularly?

> Dotan Cohen
> http://English-Lyrics.com
> http://Song-Lyriks.com
Re: [PHP] password case sensitive
OK. I changed to hashed passwords and now they are case sensitive. Thanks.

-Will

Richard Lynch [EMAIL PROTECTED] wrote in message:[EMAIL PROTECTED]
> William Stokes wrote:
> > I got my little user authentication to work but now I would like to know how to make and check the (upper/lower) case in password. To put it simply, I want users' password to be case sensitive.
>
> The default compile settings for MySQL are case-insensitive.
>
> Usually, one stores some kind of hash of a password, not a password itself. Since the hash comes out quite differently for upper/lower case, that usually takes care of case sensitivity.
>
> Actually, I went the other route and forced all passwords to lowercase before hashing, because my users were, errr, technically-challenged, and case sensitivity was too complicated an issue. Yes, really. Been there.
>
> Anyway, if you are storing the password in plain text (not hashed) and want case sensitivity, there's probably a MySQL function to compare case sensitive. The http://mysql.com search engine would find it.
>
> If not, an ugly hack that will almost for sure work, would be:
>
> $query = "select md5('$password') = md5(password) ... ";
>
> Here, instead of letting MySQL compare the two text strings case-insensitive, you are doing an MD5 hash on each first, which will result in wildly different values, and then comparing those (case-insensitive).
>
> There is a one in 2 billion chance that somebody could find an input ('foo') that is not at all related to the actual password ('bar') and bypass your password that way...
>
> If that concerns you, then do:
>
> $query = "select md5('$password') = md5(password) and '$password' = password ...";
>
> I don't think there's any chance at all of two passwords with only case difference having the same MD5 hash...
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
Re: [PHP] password case sensitive
William Stokes wrote:
> Hello,
>
> I got my little user authentication to work but now I would like to know how to make and check the (upper/lower) case in password. To put it simply, I want users' password to be case sensitive.
>
> The authentication checks for returned number of rows from DB. If there is one matching row the user is authenticated ok. Is it possible to check the case sensitiveness in this kind of authentication or do I need to do this differently?

you need to do something like username='$sanitizedUserName' in your SQL...

you also need to enter the usernames in the DB case-sensitive

you also might need to make sure that you are using a case-sensitive collation order in your query.

why not add 2 users to the DB and test to see what happens?:

username    userpwd
Will        test2
will        test1

> Thanks
> -Will
Re: [PHP] password case sensitive
William Stokes wrote:
> I got my little user authentication to work but now I would like to know how to make and check the (upper/lower) case in password. To put it simply, I want users' password to be case sensitive.

The default compile settings for MySQL are case-insensitive.

Usually, one stores some kind of hash of a password, not a password itself. Since the hash comes out quite differently for upper/lower case, that usually takes care of case sensitivity.

Actually, I went the other route and forced all passwords to lowercase before hashing, because my users were, errr, technically-challenged, and case sensitivity was too complicated an issue. Yes, really. Been there.

Anyway, if you are storing the password in plain text (not hashed) and want case sensitivity, there's probably a MySQL function to compare case sensitive. The http://mysql.com search engine would find it.

If not, an ugly hack that will almost for sure work, would be:

$query = "select md5('$password') = md5(password) ... ";

Here, instead of letting MySQL compare the two text strings case-insensitive, you are doing an MD5 hash on each first, which will result in wildly different values, and then comparing those (case-insensitive).

There is a one in 2 billion chance that somebody could find an input ('foo') that is not at all related to the actual password ('bar') and bypass your password that way...

If that concerns you, then do:

$query = "select md5('$password') = md5(password) and '$password' = password ...";

I don't think there's any chance at all of two passwords with only case difference having the same MD5 hash...

--
Like Music?
http://l-i-e.com/artists.htm
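Richard's main advice, storing and comparing a hash of the password rather than the password itself, as an added PHP example that is not code from this thread. It uses password_hash()/password_verify() (salted bcrypt in crypt() format) instead of the md5() hack, and does the comparison in PHP, so the case-insensitive MySQL default collation never takes part in the decision. The function names and the sample password are my own; Jochem's collation advice still applies to the username lookup if you want that case-sensitive too.

```php
<?php
// Added example (not from the thread): case-sensitive password checks done
// in PHP rather than in a MySQL string comparison. The sample password
// below is constructed for the demonstration.

// Store a password: password_hash() produces a salted bcrypt hash, so the
// stored column never contains the password itself.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Verify a login attempt. Fetch the stored hash for the user name with a
// parameterised query, then compare here: the comparison is byte for byte
// and constant time, so the column collation plays no part in the result.
function checkPassword(string $attempt, string $storedHash): bool
{
    return password_verify($attempt, $storedHash);
}

// Richard's alternative policy: normalise case before hashing on both
// sides, trading a smaller password space for fewer support calls. Apply
// the same normalisation at registration and at login or nothing matches.
function storePasswordCaseInsensitive(string $plain): string
{
    return password_hash(mb_strtolower($plain), PASSWORD_DEFAULT);
}

function checkPasswordCaseInsensitive(string $attempt, string $storedHash): bool
{
    return password_verify(mb_strtolower($attempt), $storedHash);
}

// Constructed demonstration: the same password with different casing.
$hash = storePassword('Secret123');
var_dump(checkPassword('Secret123', $hash));
var_dump(checkPassword('secret123', $hash));

$hashCi = storePasswordCaseInsensitive('Secret123');
var_dump(checkPasswordCaseInsensitive('SECRET123', $hashCi));
var_dump(checkPasswordCaseInsensitive('Secret124', $hashCi));
```

The first block of checks accepts only the exact casing; the case-insensitive pair accepts any casing of the same characters and still rejects a different password. Because each hash carries its own salt, two users with the same password get different stored values, which the md5() approach in the thread does not give you.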
Re: [PHP] Password Protection] -- My solution
Mailit, LLC wrote:
> $userName = $_POST["userName"];
> $passw    = $_POST["passw"];
> (...)
> $cmd = "SELECT * FROM theTable " . "WHERE userName='$userName' ";
> $res = mysql_query( $cmd ) or die( "Password search failed." );

Without validating userName in $_POST, that code is vulnerable to SQL injection, for example if userName starts with a single quote...

See the PHP Security Guide on 'SQL Injection':
http://phpsec.org/projects/guide/3.html#3.2

> $passe = crypt( $passw, $rec["ePass"] );
> if( $passe == $rec["ePass"] )

It seems that the above vulnerability can't be exploited, but I think it's better to be aware of it.

Christophe
Re: [PHP] Password Protection] -- My solution
Here is the setup that I have used. Please, adapt to your needs. Table 'theTable' is supposed to contain columns fname, mname, lname and ePass (encrypted password). The crypt() function produces a password that cannot be decrypted and really works well. Of course, you need to use crypt() in the PHP script that creates a row in 'theTable'.

<?php
#-- code starts here -#
$retry  = 0;
$action = $_POST["action"];
if( !empty( $action ) ) {
    $userName = $_POST["userName"];
    $passw    = $_POST["passw"];
    # Bring the encrypted password and creation date from database:
    $cmd = "SELECT * FROM theTable " . "WHERE userName='$userName' ";
    $res = mysql_query( $cmd ) or die( "Password search failed." );
    $numRows = mysql_num_rows( $res );
    if( $numRows == 0 ) {
        print( "$userName not a valid user name.<BR>" );
        exit;
    }
    $rec = mysql_fetch_array( $res );
    $privLevel = $rec["level"];
    $nome = $rec["fname"] . " " . $rec["mname"] . " " . $rec["lname"];
    # Encrypt the password:
    $passe = crypt( $passw, $rec["ePass"] );
    if( $passe == $rec["ePass"] ) {
        /* Bring up the home page */
        print( "<h2>WELCOME TO MY HOME PAGE</h2>" );
        exit;
    } else {
        $retry = 1;
    }
}
if( $retry )
    print( "<br><h3>Incorrect Login - Please, try again.</h3><br>" );
?>
<FORM ACTION="<? print( $_SERVER["PHP_SELF"] ); ?>" METHOD="POST">
<INPUT TYPE="hidden" NAME="action" VALUE="login">
<table align="center">
<tr>
<td><B>User Name :</B></td><td><INPUT TYPE="text" NAME="userName" SIZE="20"></td>
</tr><tr>
<td><B>Password :</B></td><td><INPUT TYPE="password" NAME="passw" SIZE="20"></td>
</tr>
</table>
<br>
<P align="center"><INPUT TYPE="submit" VALUE="Login" STYLE="width:120;height:25"></P>
</FORM>
<!-- code ends here -->

Mario

Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like www.realsolution.com.
>
> If any one enters correct user name and password, only then they will be able to enter into my site.
>
> How can I do that in PHP? Any ideas?
>
> Thanks a ton in advance.
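Christophe's objection to the concatenated query in Mario's script, as an added example that is neither poster's code: the same user lookup done both ways against an in-memory SQLite database through PDO (assumed to be compiled in) so that it runs without a MySQL server, followed by a password check that does what the crypt() comparison does. The table and column names follow Mario's script; the user name, password and the function names are constructed for the demonstration.

```php
<?php
// Added example, not Mario's code: the user lookup with the value pasted
// into the SQL text next to the same lookup with a bound parameter.

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE theTable (userName TEXT PRIMARY KEY, ePass TEXT NOT NULL, level INTEGER)');
    // The stored value is a bcrypt hash in crypt() format, as Mario's
    // registration script would produce with crypt(). Sample user only.
    $stmt = $db->prepare('INSERT INTO theTable (userName, ePass, level) VALUES (?, ?, ?)');
    $stmt->execute(["O'Brien", password_hash('correct horse', PASSWORD_DEFAULT), 1]);
    return $db;
}

// The pattern Christophe flags: the request value becomes part of the SQL.
function lookupUnsafe(PDO $db, string $userName): ?array
{
    $cmd = "SELECT * FROM theTable WHERE userName='$userName'";
    $row = $db->query($cmd)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: the value is sent as a bound parameter, so whatever it
// contains, quotes included, it can only ever be compared as data.
function lookupSafe(PDO $db, string $userName): ?array
{
    $stmt = $db->prepare('SELECT * FROM theTable WHERE userName = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Equivalent of crypt($passw, $ePass) == $ePass, but in constant time and
// with one answer for "no such user" and "wrong password" alike, so the
// response does not tell a caller which user names exist.
function login(PDO $db, string $userName, string $passw): bool
{
    $rec = lookupSafe($db, $userName);
    if ($rec === null) {
        return false;
    }
    return password_verify($passw, $rec['ePass']);
}

$db = setupDatabase();

// A legitimate name containing a single quote is enough to break the
// concatenated query; the same flaw is what lets hostile input change it.
try {
    lookupUnsafe($db, "O'Brien");
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . "\n";
}

var_dump(lookupSafe($db, "O'Brien") !== null);
var_dump(login($db, "O'Brien", 'correct horse'));
var_dump(login($db, "O'Brien", 'wrong'));
var_dump(login($db, 'nobody', 'wrong'));
```

The unsafe lookup throws a syntax error on the quoted name, while the bound-parameter version finds the row; of the three logins only the correct password succeeds. With MySQL the same two functions work unchanged once the DSN points at the server, which is the point of PDO prepared statements: the fix is in how the query is built, not in escaping each field by hand.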
Re: [PHP] Password Protection
On Wed, 2005-02-16 at 21:31, Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like www.realsolution.com.
>
> If any one enters correct user name and password, only then they will be able to enter into my site.
>
> How can I do that in PHP? Any ideas?
>
> Thanks a ton in advance.

Chances are this is not a PHP thing at all but uses the webserver's authentication infrastructure. It depends on the server being used. The Apache manual has a very good write-up on the authentication options available. See if this gets you started:

http://httpd.apache.org/docs-2.0/howto/auth.html

Bret
Re: [PHP] Password Protection
Kevin Javia wrote:
> I am experimenting on my site and I want to make it password protected like www.realsolution.com.

http://www.zend.com/zend/tut/authentication.php
Re: [PHP] Password Protection
Kevin,

I'm having some issues with my email client right now so I'm sorry if you've already found the answer. There is a way for PHP to do this without the need to modify your web server's configuration or bothering with .htaccess/.htpasswd files, by simply modifying the HTTP headers that your pages produce. I'm not about to try to give you a working example as the fine folks at phpMyAdmin have already done this in the form of an authentication library. If you have phpMyAdmin installed look in the libraries/auth directory for a file called http.auth.lib.php. If not you can get it from www.phpmyadmin.net

Like I said, it is in library form so you can use it in your program as well (be sure to give credit per the GPL) but I haven't done so, so I'm not sure how much modification might be needed.

Cheers!

Bret Hughes wrote:
> On Wed, 2005-02-16 at 21:31, Kevin Javia wrote:
> > I am experimenting on my site and I want to make it password protected like www.realsolution.com.
> >
> > If any one enters correct user name and password, only then they will be able to enter into my site.
> >
> > How can I do that in PHP? Any ideas?
> >
> > Thanks a ton in advance.
>
> Chances are this is not a PHP thing at all but uses the webserver's authentication infrastructure. It depends on the server being used. The Apache manual has a very good write-up on the authentication options available. See if this gets you started:
>
> http://httpd.apache.org/docs-2.0/howto/auth.html
>
> Bret
Re: [PHP] password-protecting with PHP, help plz
Thanks for the input, but unfortunately I have no idea how to do that, though I do have a MySQL server for my site. I'm still trying to learn basic PHP; I haven't moved on to PHP and MySQL connections and stuff yet.

-Andrew
RE: [PHP] password-protecting with PHP, help plz
Hi,

> Thanks for the input, but unfortunately I have no idea how to do that, though I do have a MySQL server for my site. I'm still trying to learn basic PHP; I haven't moved on to PHP and MySQL connections and stuff yet.

If you're talking about authentication, there are two methods. htaccess at the OS level (linux/unix), using Windows IIS to set a password on a directory or files, or you can utilize Sessions.

What exactly are you trying to accomplish?

-Dan Joseph
Re: [PHP] password-protecting with PHP, help plz
And after that - go and try to find out a little on your own - contrary to a common misconception, it's not the sole purpose of members of this list to write all your code for you. The old favourites RTFM and STFW would serve you well here - there are thousands of PHP tutorials that will tell you how to write complex if statements, and the PHP Manual has an entire section devoted to handling authentication with PHP here:

http://uk.php.net/manual/en/features.http-auth.php

Hope this helps

Cheers
Chris

John Nichel wrote:
> Burhan Khalid wrote:
> > [snip]
> > > And here is the action page, testing2.php.
> > >
> > > if ($_POST['user'] == 'Andrew') && ($_POST['pass'] == 'pass') { echo "Welcome, Andrew."; }
> > >
> > > And (shocker!) I got a blank page. So I turned on display errors and got this:
> > >
> > > Parse error: syntax error, unexpected T_BOOLEAN_AND in c:\TSW\pages\testing2.php on line 3
> >
> > PLEASE ... read the manual on basic syntax.
>
> And read here too.
> http://us4.php.net/manual/en/language.control-structures.php#control-structures.if
Re: [PHP] password-protecting with PHP, help plz
[snip]
> And here is the action page, testing2.php.
>
> if ($_POST['user'] == 'Andrew') && ($_POST['pass'] == 'pass') { echo "Welcome, Andrew."; }
>
> And (shocker!) I got a blank page. So I turned on display errors and got this:
>
> Parse error: syntax error, unexpected T_BOOLEAN_AND in c:\TSW\pages\testing2.php on line 3

PLEASE ... read the manual on basic syntax.

> Line 3 being the line with the && stuff. I'm not sure if the whole thing is right...obviously not. How do I password protect with more than one factor?
Re: [PHP] password-protecting with PHP, help plz
Burhan Khalid wrote:
> [snip]
> > And here is the action page, testing2.php.
> >
> > if ($_POST['user'] == 'Andrew') && ($_POST['pass'] == 'pass') { echo "Welcome, Andrew."; }
> >
> > And (shocker!) I got a blank page. So I turned on display errors and got this:
> >
> > Parse error: syntax error, unexpected T_BOOLEAN_AND in c:\TSW\pages\testing2.php on line 3
>
> PLEASE ... read the manual on basic syntax.

And read here too.
http://us4.php.net/manual/en/language.control-structures.php#control-structures.if

--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
Re: [PHP] password-protecting with PHP, help plz
* Thus wrote [EMAIL PROTECTED]:
> This page shows up ok, with the form generating just fine. The problem is when I get to the action page, testing2.php. Here is that:
>
> <?php
> if ($_POST['user']) == me {
>     echo "it's me!";
> } else {
>     echo "not me";
> ?>

You have a parse error, no ending }

You should turn display_errors on in your php.ini and restart the webserver.

Curt
--
The above comments may offend you. flame at will.
Re: [PHP] password-protecting with PHP, help plz
On Sunday 19 September 2004 21:47, [EMAIL PROTECTED] wrote:
> I'm trying to password protect a page with PHP, using forms and $_POST data and all that stuff.

I strongly suggest you search out a few tutorials on this subject. Googling "php authentication tutorial" would be a good start.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/* The chain which can be yanked is not the eternal chain. -- G. Fitch */
Re: [PHP] password-protecting with PHP, help plz
I appreciate the help, but unfortunately it still doesn't work. I changed testing2.php, the action page, to do this:

<?php
if ($_POST['user']) == me {
    echo "Andrew";
} else {
    echo "not me";
}
?>

I still get a blank page. What's more, I turned on Display Errors and restarted the server, but still got no error message. I don't know what the problem is; maybe there is something wrong with my comparison?

-Andrew
Re: [PHP] password-protecting with PHP, help plz
[EMAIL PROTECTED] wrote:
> I appreciate the help, but unfortunately it still doesn't work. I changed testing2.php, the action page, to do this:
>
> <?php
> if ($_POST['user']) == me {
>     echo "Andrew";
> } else {
>     echo "not me";
> }
> ?>
>
> I still get a blank page. What's more, I turned on Display Errors and restarted the server, but still got no error message.

Your errors are still not displaying. Recheck display_errors and error_reporting. Your line with the if statement is generating a parse error. You have an = sign that PHP is sure to complain about.

Janet
Re: [PHP] password-protecting with PHP, help plz
You were right, my display_errors setting was turned off. I turned it on and get this:

Parse error: syntax error, unexpected T_IS_EQUAL in c:\TSW\pages\testing2.php on line 3

So it isn't working. How do I get it to let me make comparisons between the post data and something else? I figure if I can get it so that this will work, it'll be an easy way to password protect my pages...

-Andrew
Re: [PHP] password-protecting with PHP, help plz
[EMAIL PROTECTED] wrote:
> You were right, my display_errors setting was turned off. I turned it on and get this:
>
> Parse error: syntax error, unexpected T_IS_EQUAL in c:\TSW\pages\testing2.php on line 3
>
> So it isn't working. How do I get it to let me make comparisons between the post data and something else? I figure if I can get it so that this will work, it'll be an easy way to password protect my pages...
>
> -Andrew

The syntax is:

if (comparison){

You have:

if ($_POST['user']) == me {

Part of your comparison is not inside the parentheses. You need to have:

if ($_POST['user'] == me) {

Also, your string isn't quoted. That's not causing the parse error in this message, but will cause a problem after you fix your parentheses. (e.g., "me").

Janet
Re: [PHP] password-protecting with PHP, help plz
Try this. Add it to the very beginning.

<?php
if(!isset($PHP_AUTH_USER)){
    header( "WWW-Authenticate: Basic realm=\"Are you allowed?\"" );
    header( "HTTP/1.0 401 Unauthorized" );
    echo "Consult your teacher to have a valid login ID and password to access this page!\n";
    exit;
}else{
    if ( ( ($PHP_AUTH_USER == "john") && ( $PHP_AUTH_PW == "english" )) ||
         ( ($PHP_AUTH_USER == "eric") && ( $PHP_AUTH_PW == "english" )) ) {
        #echo "you are in";
        # the protected page content goes here; close the two braces at the end of the page
?>

[EMAIL PROTECTED] wrote:
> You were right, my display_errors setting was turned off. I turned it on and get this:
>
> Parse error: syntax error, unexpected T_IS_EQUAL in c:\TSW\pages\testing2.php on line 3
>
> So it isn't working. How do I get it to let me make comparisons between the post data and something else? I figure if I can get it so that this will work, it'll be an easy way to password protect my pages...
>
> -Andrew

--
John Taylor-Johnston
If it's not open-source, it's Murphy's Law.
Collège de Sherbrooke: http://www.collegesherbrooke.qc.ca/languesmodernes/ - 819-569-2064
Bibliography of Comparative Studies in Canadian, Québec and Foreign Literatures
Université de Sherbrooke http://compcanlit.ca/ T: 819.569.2064
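John's HTTP Basic authentication gate (the same header mechanism the phpMyAdmin library mentioned earlier in the thread uses), rewritten as an added example that is neither his code nor phpMyAdmin's: it reads the credentials from $_SERVER instead of the register_globals variables $PHP_AUTH_USER/$PHP_AUTH_PW, compares against bcrypt hashes rather than literal passwords, and re-challenges on a wrong password instead of only on a missing one. The user names come from John's snippet; the hashes are computed at start-up here purely for the demonstration, and the function names are my own.

```php
<?php
// Added example, not John's code: HTTP Basic auth gate using $_SERVER and
// hashed credentials. Under the Apache module SAPI PHP fills
// $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'] from the Authorization header;
// CGI/FastCGI setups need the server configured to pass that header through.

// Credential table: user name => bcrypt hash. In a real deployment these
// are precomputed once with password_hash() and kept in a file outside the
// document root, never rebuilt on every request as this demo does.
function allowedUsers(): array
{
    return [
        'john' => password_hash('english', PASSWORD_DEFAULT),   // sample only
        'eric' => password_hash('english', PASSWORD_DEFAULT),   // sample only
    ];
}

// Constant-time check. An unknown user is verified against a throwaway hash
// so the response time does not reveal which names exist.
function credentialsAreValid(?string $user, ?string $pass, array $users): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user] : password_hash('unused', PASSWORD_DEFAULT);
    return password_verify($pass, $hash) && $known;
}

// Call before any output. Sends the challenge and stops the script unless the
// request carries valid credentials; returns the authenticated user name.
function requireBasicAuth(array $users): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if (!credentialsAreValid($user, $pass, $users)) {
        header('WWW-Authenticate: Basic realm="Are you allowed?"');
        header('HTTP/1.0 401 Unauthorized');
        echo "Consult your teacher to have a valid login ID and password to access this page!\n";
        exit;
    }
    return $user;
}

// Usage at the top of the protected page:
//   $who = requireBasicAuth(allowedUsers());

// CLI demonstration of the credential check alone (constructed input).
$users = allowedUsers();
var_dump(credentialsAreValid('john', 'english', $users));
var_dump(credentialsAreValid('john', 'French', $users));
var_dump(credentialsAreValid('mallory', 'english', $users));
```

Only the first check succeeds. Basic auth sends the password with every request, so this gate belongs behind HTTPS; and because the browser keeps resending the credentials, there is no server-side logout, which is one reason the session-based approaches discussed elsewhere in the thread are usually preferred for application logins.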
Re: [PHP] password-protecting with PHP, help plz
Now moving on to using password protecting with more than one factor. I'm trying to figure out how to password protect with more than two factors: username and password. Here's the form:

<?php
echo <<<_HTML_
<form method=post action=http://www.thesonicworld.net/pages/testing2.php>
Username: <input type=text name=user><br>
<form method=post action=http://www.thesonicworld.net/pages/testing2.php>
Password: <input type=text name=pass>
<br>
<center><input type=submit value="Log In"></center>
</form>
_HTML_;
?>

And here is the action page, testing2.php.

if ($_POST['user'] == 'Andrew') && ($_POST['pass'] == 'pass') { echo "Welcome, Andrew."; }

And (shocker!) I got a blank page. So I turned on display errors and got this:

Parse error: syntax error, unexpected T_BOOLEAN_AND in c:\TSW\pages\testing2.php on line 3

Line 3 being the line with the && stuff. I'm not sure if the whole thing is right...obviously not. How do I password protect with more than one factor?

-Andrew
Re: [PHP] password-protecting with PHP, help plz
> Parse error: syntax error, unexpected T_BOOLEAN_AND in c:\TSW\pages\testing2.php on line 3

My code should do what you want? It uses authenticate? Any how :)

I think you are missing a couple of brackets?

if ( ($_POST['user'] == 'Andrew') && ($_POST['pass'] == 'pass') ) {
    echo "Welcome, Andrew.";
}

[EMAIL PROTECTED] wrote:
> Now moving on to using password protecting with more than one factor. I'm trying to figure out how to password protect with more than two factors: username and password. Here's the form:
>
> <?php
> echo <<<_HTML_
> <form method=post action=http://www.thesonicworld.net/pages/testing2.php>
> Username: <input type=text name=user><br>
> <form method=post action=http://www.thesonicworld.net/pages/testing2.php>
> Password: <input type=text name=pass>
> <br>
> <center><input type=submit value="Log In"></center>
> </form>
> _HTML_;
> ?>
>
> And here is the action page, testing2.php.
>
> if ($_POST['user'] == 'Andrew') && ($_POST['pass'] == 'pass') { echo "Welcome, Andrew."; }
>
> And (shocker!) I got a blank page. So I turned on display errors and got this:
>
> Parse error: syntax error, unexpected T_BOOLEAN_AND in c:\TSW\pages\testing2.php on line 3
>
> Line 3 being the line with the && stuff. I'm not sure if the whole thing is right...obviously not. How do I password protect with more than one factor?
>
> -Andrew

John
Re: [PHP] Password encryption
You could use Turck to convert the file to byte code. Not exactly state of the art security as Turck does not have any encryption itself, but definitely a better option than plain text.

- Sid

On Fri, 2 Jul 2004 22:32:24 -0400 (EDT), Michal Migurski [EMAIL PROTECTED] wrote:
> > I realize the key needs to be stored somewhere which is part of the problem of how to make it a bit more secure. I just don't feel safe with a password in a flat file in clear text. Ideally the database should support something like an ssh style public/private key auth where the private key is stored internally to the database.
>
> Where would you store the passphrase to the key?
>
> This is a losing battle - at some point, anonymous requests from the outside world are going to have to result in some kind of access to the database. I think you'd be better off accepting the inherent security tradeoffs as a known variable, and working from there: write your code so it's not vulnerable to SQL injection or other attacks, limit the access permissions of the database user, put the file containing the password someplace where the webserver won't divulge its content (apache config or .htaccess is a personal favorite of mine), and (important!) back up your DB regularly so that you can recover from attacks cleanly.
>
> -mike.
>
> -
> michal migurski - contact info and pgp key:
> sf/ca http://mike.teczno.com/contact.html
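Mike's advice on where the database password should live, as an added PHP example that is not from the thread: the credentials sit in a small config file outside the document root (so the web server can include it but never serve it), the loader refuses the file if other accounts on the host can read it, and the connection is opened with a least-privilege database account. The path, the config keys, the account name and the function names are assumptions; the demonstration at the end uses a temporary file and SQLite in place of the real file and MySQL.

```php
<?php
// Added example (not from the thread): load database credentials from a
// file outside the web root and check its permissions before using it.
//
// Constructed contents of, say, /srv/app/config/db.php (outside DocumentRoot):
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=app',
//                 'user' => 'app_web',        // account with only the grants the app needs
//                 'pass' => 'CHANGEME'];      // placeholder

function loadDbConfig(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("config not found: $path");
    }
    // On a shared host a world-readable credentials file is readable by every
    // other tenant's scripts, so refuse anything with "other" permission bits.
    $mode = fileperms($path) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('config %s is world-readable (mode %04o)', $path, $mode));
    }
    $cfg = require $path;   // the file returns an array; nothing is ever echoed
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("config missing key: $key");
        }
    }
    return $cfg;
}

function connect(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

// Constructed demonstration: a temporary config file standing in for the
// real one, with SQLite so it runs without a database server.
$tmp = tempnam(sys_get_temp_dir(), 'dbcfg');
file_put_contents($tmp, "<?php return ['dsn' => 'sqlite::memory:', 'user' => '', 'pass' => ''];");
chmod($tmp, 0600);                       // owner only: accepted
$db = connect(loadDbConfig($tmp));
echo "connected via " . $db->getAttribute(PDO::ATTR_DRIVER_NAME) . "\n";

chmod($tmp, 0644);                       // readable by everyone: refused
try {
    loadDbConfig($tmp);
} catch (RuntimeException $e) {
    echo $e->getMessage() . "\n";
}
unlink($tmp);
```

The permission check is Unix-specific; on Windows fileperms() reports a fixed mode and the test would need replacing with an ACL check. The other half of Mike's advice, a database account limited to the grants the application actually needs, is what keeps a leaked credential from becoming a full compromise of the database, and it costs nothing in code.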
RE: [PHP] Password encryption
[snip]
But has anyone done something like encrypting that password rather than leaving it in plain text.
[/snip]

Yes.

Happy Independence Day!
Re: [PHP] Password encryption
Anzak Wolf wrote:
> Call me paranoid but I think I would rather pay the little bit in overhead to decrypt the password to give myself a slightly safer feel about my database password.

Paranoid.

And where do you plan on keeping the key to decrypt the password? In another file? How are you going to protect that file?

Paranoid.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals www.phparch.com
Re: [PHP] Password encryption
I realize the key needs to be stored somewhere which is part of the problem of how to make it a bit more secure. I just don't feel safe with a password in a flat file in clear text. Ideally the database should support something like an ssh style public/private key auth where the private key is stored internally to the database. Though I don't know if any databases out there actually do that or if it would be worth the time to set up and learn for me.
RE: [PHP] Password encryption
[snip]
I realize the key needs to be stored somewhere which is part of the problem of how to make it a bit more secure. I just don't feel safe with a password in a flat file in clear text. Ideally the database should support something like an ssh style public/private key auth where the private key is stored internally to the database. Though I don't know if any databases out there actually do that or if it would be worth the time to set up and learn for me.
[/snip]

Have you actually checked the documentation of your database? It may be quite simple.
RE: [PHP] Password encryption
> [snip]
> I realize the key needs to be stored somewhere which is part of the problem of how to make it a bit more secure. I just don't feel safe with a password in a flat file in clear text. Ideally the database should support something like an ssh style public/private key auth where the private key is stored internally to the database. Though I don't know if any databases out there actually do that or if it would be worth the time to set up and learn for me.
> [/snip]
>
> Have you actually checked the documentation of your database? It may be quite simple.

Yes I have looked, though since I'm not 100% sure what I'm looking for it is hard to come up with a solid answer. I'm just looking for a more secure way to connect to my database through PHP and was hoping to find some suggestions here, not get the run around.
RE: [PHP] Password encryption
So host your own server. That way nobody but you has access to it. Then you could store the password wherever you want, unencrypted, and it wouldn't matter. If you're running an application that's that security conscious, you shouldn't be using a shared server anyway.

-----Original Message-----
From: Anzak Wolf [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 02, 2004 1:24 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Password encryption

Yes I have looked, though since I'm not 100% sure what I'm looking for it is hard to come up with a solid answer. I'm just looking for a more secure way to connect to my database through PHP and was hoping to find some suggestions here, not get the run around.
RE: [PHP] Password encryption
> So host your own server. That way nobody but you has access to it. Then you could store the password wherever you want, unencrypted, and it wouldn't matter. If you're running an application that's that security conscious, you shouldn't be using a shared server anyway.
>
> -Original Message-
> From: Anzak Wolf [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 02, 2004 1:24 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP] Password encryption
>
> Yes, I have looked, though since I'm not 100% sure what I'm looking for it is hard to come up with a solid answer. I'm just looking for a more secure way to connect to my database through PHP and was hoping to find some suggestions here, not get the run around.

Bob does make a good point. If you don't run your own server, you might want to see other options about running your site. If you do run your own server, maybe store the passwd as an MD5 hash on the web page that sends it to a script outside your web root. If the MD5 hashes match, return the passwd back to the web page.

--Matthew Sims
--http://killermookie.org
RE: [PHP] Password encryption
> So host your own server. That way nobody but you has access to it.
> Then you could store the password wherever you want, unencrypted, and it
> wouldn't matter. If you're running an application that's that security
> conscious, you shouldn't be using a shared server anyway.

I do run my own server, but I know for a fact that even if I harden the server as much as I can there is a chance that someone could gain access to that server. While once they have root on the box they pretty much can do as they like, and my app really does not have a huge security requirement, this is a learning process for me and I'm always looking for a better/more secure way to do things.
RE: [PHP] Password encryption
Well, that's a whole different thing, then.

-Original Message-
From: Anzak Wolf [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 02, 2004 1:40 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Password encryption

I do run my own server, but I know for a fact that even if I harden the server as much as I can there is a chance that someone could gain access to that server. While once they have root on the box they pretty much can do as they like, and my app really does not have a huge security requirement, this is a learning process for me and I'm always looking for a better/more secure way to do things.
Re: [PHP] Password encryption
> I realize the key needs to be stored somewhere, which is part of the
> problem of how to make it a bit more secure. I just don't feel safe with
> a password in a flat file in clear text. Ideally the database should
> support something like an ssh-style public/private key auth where the
> private key is stored internally to the database.

Where would you store the passphrase to the key?

This is a losing battle - at some point, anonymous requests from the outside world are going to have to result in some kind of access to the database. I think you'd be better off accepting the inherent security tradeoffs as a known variable, and working from there: write your code so it's not vulnerable to SQL injection or other attacks, limit the access permissions of the database user, put the file containing the password someplace where the webserver won't divulge its content (apache config or .htaccess is a personal favorite of mine), and (important!) back up your DB regularly so that you can recover from attacks cleanly.

-mike.

- michal migurski - contact info and pgp key:
sf/ca  http://mike.teczno.com/contact.html
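An added example of the arrangement Mike describes, written for this page and not taken from anyone in the thread: the credentials live in a file outside the document root that only the web server's user can read, the script loads them, connects as a database account that was granted only what the site needs, and every query binds its parameters. The path /etc/myapp/db.php, the account name app_web, the database/table names and the GRANT shown in the comments are all assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Hypothetical layout: /etc/myapp/db.php sits
// outside the document root, is owned root:www-data with mode 0640, and returns
//   <?php return ['dsn' => 'mysql:host=127.0.0.1;dbname=app', 'user' => 'app_web', 'password' => '...'];
// The account app_web was created with only what the site needs, e.g.
//   GRANT SELECT, INSERT, UPDATE ON app.* TO 'app_web'@'localhost';
// so a compromised web tier cannot DROP tables or read other databases.
declare(strict_types=1);

/**
 * Load credentials from a file the web server can never serve.
 * Refuses to run if the file is readable by "other": that is how a config
 * file that is "outside the web root" still leaks to other local users.
 */
function load_db_config(string $path = '/etc/myapp/db.php'): array
{
    if (!is_file($path)) {
        throw new RuntimeException("database config not found: $path");
    }
    $mode = fileperms($path) & 0777;
    if (($mode & 0004) !== 0) {
        throw new RuntimeException(sprintf('%s is world-readable (mode %04o); chmod 640 it', $path, $mode));
    }
    $cfg = require $path;
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("database config is missing '$key'");
        }
    }
    return $cfg;
}

/** Open a PDO connection with exceptions on and emulated prepares off (real server-side prepares). */
function connect_db(array $cfg): PDO
{
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['password'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Look a user up by login. $login arrives straight from the request and is bound
 * as a parameter, never concatenated into the SQL, which is what closes the
 * injection hole Mike mentions.
 */
function find_user(PDO $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$db   = connect_db(load_db_config());   // the password never lands in a variable this script keeps
$user = find_user($db, (string) ($_GET['login'] ?? ''));

header('Content-Type: text/plain');
echo $user === null ? "no such user\n" : "found user #{$user['id']}\n";
```

Mike's "apache config" variant is the same idea with a different carrier: a SetEnv line in httpd.conf and getenv('DB_PASSWORD') in PHP. One caveat with that route: the value then appears in $_SERVER and in phpinfo() output, so phpinfo() must not be reachable on the site.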
Re: [PHP] Password protected downloads
Maldiv wrote:
> Hello,
> I want to make a password protected download possibility on my site. I know how I can handle normal user login, but how can I protect a download from guests?

This question has been often asked in the past; the archives are rich with solutions. One solution is NOT to create a direct download link but to deliver the file via a php script (fpassthru) that can check login status. Another is to use .htpasswd protection. You will find lots of details in the archives.

--
Raditha Dissanayake.
http://www.raditha.com/megaupload/upload.php
Sneak past the PHP file upload limits.
RE: [PHP] password protect a pdf
> I'm trying to password protect an online PDF file. I know how to use PHP to pw protect a webpage, but what would be the best way to protect access to a non-webpage file?

Stick it in its own directory and use htaccess... Or password-protect it when you generate it.
Re: [PHP] password protect a pdf
Thanks, that worked great. I found this for anyone else like me new to htaccess: http://www.htmlbasix.com/passwordprotect.shtml works great.

matt

Roger B.A. Klorese [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > I'm trying to password protect an online PDF file. I know how to use PHP to pw protect a webpage, but what would be the best way to protect access to a non-webpage file?
>
> Stick it in its own directory and use htaccess... Or password-protect it when you generate it.
RE: [PHP] password protect a pdf
Check out the header function... You can use a mysql (or whatever) db for authentication, read the file from a protected directory, then spit it out to the browser. The code should look a bit like this:

// headers
header("Content-Disposition: attachment; filename=yourfile.pdf");
header("Content-type: application/pdf");

// grab the template file
$filename = "yourfile.pdf";
$fp = fopen($filename, "r");

// read our template into a variable
$output = fread($fp, filesize($filename));
fclose($fp);

// send the data to the browser
echo $output;

Hope that helps...

-- jon

---
jon roig
web developer
email: [EMAIL PROTECTED]
phone: 888.230.7557

-Original Message-
From: Roger B.A. Klorese [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 24, 2004 5:01 PM
To: 'Matt Hedges'; [EMAIL PROTECTED]
Subject: RE: [PHP] password protect a pdf

> I'm trying to password protect an online PDF file. I know how to use PHP to pw protect a webpage, but what would be the best way to protect access to a non-webpage file?

Stick it in its own directory and use htaccess... Or password-protect it when you generate it.
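An added example, not code from the thread, that puts Raditha's "deliver the file via a script that checks login status" and jon's header() sketch together into one download endpoint. The thing jon's snippet leaves open is the file name: if it ever comes from the request, the script has to refuse "../" style paths, which is what resolve_download() does below. The directory /var/www/private/docs, the session key user_id and the query parameter "file" are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions (hypothetical): the PDFs live in
// /var/www/private/docs, outside the document root and additionally blocked in the
// Apache config ("Require all denied" on that directory, Roger's htaccess idea as
// defence in depth); the login form elsewhere sets $_SESSION['user_id'] on success.
declare(strict_types=1);

const DOC_ROOT = '/var/www/private/docs';

/**
 * Map a client-supplied file name to a path inside DOC_ROOT, or null.
 * The character allow-list plus the realpath() prefix check together stop
 * "../../etc/passwd" traversal and symlinks that point out of the directory.
 */
function resolve_download(string $requested, string $base = DOC_ROOT): ?string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,100}\.pdf\z/', $requested)) {
        return null;                       // anything but a plain name.pdf is rejected
    }
    $base = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Must still be under $base once symlinks are resolved.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Send the file with the headers a browser needs; readfile() streams it instead of buffering a string. */
function send_pdf(string $path): void
{
    header('Content-Type: application/pdf');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: private, no-store');   // keep a protected file out of shared caches
    readfile($path);
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit("login required\n");
}
$path = resolve_download((string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit("no such document\n");
}
send_pdf($path);
```

A request such as download.php?file=report.pdf is served only with a live session; download.php?file=../../etc/passwd fails the regular expression before any filesystem call is made, and a symlink dropped into the directory that points elsewhere fails the prefix check after realpath().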
RE: [PHP] Password in LDAP with php
You can do this in PHP. Check this: http://us4.php.net/manual/en/ref.ldap.php

I wrote a form in PHP to add users to LDAP, change passwords etc. Check this: https://www.cuddapahonline.net/ldap/

I can send the forms if you want.

From: Bc. Radek Kreja
Sent: Mon 1/5/2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Password in LDAP with php

Hello,
I need to set up a password for a user in LDAP. From the command line it is not a problem to set up the password with ldappass, but is there some function or method in PHP?

--
Regards,
Bc. Radek Kreja
Starnet, s. r. o.
[EMAIL PROTECTED]
http://www.ceskedomeny.cz
http://www.skdomeny.com
http://www.starnet.cz
ICQ: 65895541
Re: [PHP] Password in LDAP with php
On Mon, Jan 05, 2004 at 10:45:58AM -0500, Chakravarthy Cuddapah wrote:
> You can do this in PHP. Check this: http://us4.php.net/manual/en/ref.ldap.php
> I wrote a form in PHP to add users to LDAP, change passwords etc. Check this: https://www.cuddapahonline.net/ldap/
> I can send the forms if you want.

I'm also planning to commit to PHP a new function that uses the LDAP control specified in RFC 3062 for changing passwords. I have some code that might work... The point is that instead of updating the userPassword attribute, doing your own hashing etc., you just give the LDAP server the old and new password in clear text. This is very useful in cases where the password isn't stored in the LDAP tree itself. It requires the LDAP server to support RFC 3062 though, not sure if there are others than OpenLDAP. I would need some volunteer that could test a patch.

Stig
RE: [PHP] Password in LDAP with php
The new function would be of great help. I am using Apple's Panther Server. In their documentation Apple suggested using the passwd command at the terminal instead of ldap commands. If you can send me detailed instructions, I can test.

From: Stig Venaas
Sent: Mon 1/5/2004 11:01 AM
To: Chakravarthy Cuddapah
Cc: Bc. Radek Krejča; [EMAIL PROTECTED]
Subject: Re: [PHP] Password in LDAP with php

On Mon, Jan 05, 2004 at 10:45:58AM -0500, Chakravarthy Cuddapah wrote:
> You can do this in PHP. Check this: http://us4.php.net/manual/en/ref.ldap.php
> I wrote a form in PHP to add users to LDAP, change passwords etc. Check this: https://www.cuddapahonline.net/ldap/
> I can send the forms if you want.

I'm also planning to commit to PHP a new function that uses the LDAP control specified in RFC 3062 for changing passwords. I have some code that might work... The point is that instead of updating the userPassword attribute, doing your own hashing etc., you just give the LDAP server the old and new password in clear text. This is very useful in cases where the password isn't stored in the LDAP tree itself. It requires the LDAP server to support RFC 3062 though, not sure if there are others than OpenLDAP. I would need some volunteer that could test a patch.

Stig
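An added example, not from the thread or from Stig's patch, of what that RFC 3062 "password modify" extended operation looks like from PHP today: ldap_exop_passwd() exists in the ldap extension since PHP 7.2. It needs a reachable LDAP server that implements the exop (OpenLDAP does), so it cannot run offline; the server URI ldaps://ldap.example.com and the user DN in the usage comment are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions (hypothetical): an LDAP server
// at ldaps://ldap.example.com that supports RFC 3062, the user's own DN, and the old
// and new passwords coming from a form handler. Requires PHP >= 8.0 with ext/ldap.
declare(strict_types=1);

/**
 * Change $userDn's password by binding as that user and sending the
 * password-modify exop. The server hashes and stores the new value itself,
 * so the client never picks a hash scheme or touches userPassword directly,
 * and because the old password is sent too the server re-checks it.
 */
function ldap_change_password(string $uri, string $userDn, string $old, string $new): bool
{
    if (strlen($new) < 12) {
        throw new InvalidArgumentException('new password too short');
    }
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("cannot initialise LDAP handle for $uri");
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // The exop carries both passwords in clear text inside the LDAP message,
    // so refuse to send it over an unencrypted connection.
    if (!str_starts_with($uri, 'ldaps://') && !ldap_start_tls($ldap)) {
        throw new RuntimeException('refusing to send passwords without TLS: ' . ldap_error($ldap));
    }

    // Bind as the user with the *old* password; a wrong old password fails here.
    if (!@ldap_bind($ldap, $userDn, $old)) {
        ldap_unbind($ldap);
        return false;
    }

    // RFC 3062: passing user, old and new lets the server verify the old value itself.
    $ok  = ldap_exop_passwd($ldap, $userDn, $old, $new);
    $err = ldap_error($ldap);
    ldap_unbind($ldap);

    if ($ok === false) {
        throw new RuntimeException("password modify failed: $err");
    }
    return true;
}

// Usage from a form handler, after session_start() and a CSRF check:
// $changed = ldap_change_password('ldaps://ldap.example.com',
//     'uid=alice,ou=people,dc=example,dc=com', $_POST['old'], $_POST['new']);
```

If $new is passed as an empty string, ldap_exop_passwd() asks the server to generate a password and returns it as a string; the code above always supplies one, so a boolean comes back.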
Re: [PHP] password systems
Take a look at pwgen; it is a command line utility that makes it easy to generate random passwords with a user-specified length. It can generate random words that are easier to remember or truly random secure passwords with non-alphanumeric characters in them. It is available in the FreeBSD ports tree and probably easily found from google.

Jason

Chris W. Parker wrote:
> Dennis Gearon mailto:[EMAIL PROTECTED] on Sunday, August 31, 2003 12:36 AM said:
>> Anyone have any sources of noun/verb/adjective lists for password generation?
>
> Sorry I don't have a resource for you, but passwords shouldn't use dictionary words in the first place. Have you considered creating random passwords?
>
> Chris.
RE: [PHP] password systems
Dennis Gearon mailto:[EMAIL PROTECTED] on Sunday, August 31, 2003 12:36 AM said:
> Anyone have any sources of noun/verb/adjective lists for password generation?

Sorry I don't have a resource for you, but passwords shouldn't use dictionary words in the first place. Have you considered creating random passwords?

Chris.
Re: [PHP] password systems
> Anyone have any sources of noun/verb/adjective lists for password generation?

Google search for Aspell and Pspell. Here's a link to Aspell info, which has a link to dictionaries: http://aspell.net/

--
Lowell Allen
Re: [PHP] Password + login from the AND Basic-Authenticate form
On Thu, 10 Jul 2003, Seigo wrote:
> Please tell me, can users login with the html-page form and Basic-authentication?

Chapter 16. HTTP authentication with PHP
http://www.php.net/features.http-auth

Regards,
Philip
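An added example, not code from the thread or the manual chapter Philip points to, of one script that accepts either kind of login: a session that the HTML form handler established earlier, or HTTP Basic credentials from the Authorization header, both checked against the same password_hash() values. The in-memory user "alice" is a constructed stand-in for a database table, and the session key "user" is an assumption.

```php
<?php
// Added example, not code from the thread. Assumptions (hypothetical): the form login
// handler stores the login name in $_SESSION['user']; user records carry a 'hash'
// column produced by password_hash(); TLS sits in front, since Basic auth sends the
// password base64-encoded (not encrypted) on every request.
declare(strict_types=1);

const REALM = 'Members';

/** Constructed in-memory user store standing in for the database. */
function user_store(): array
{
    return [
        'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
    ];
}

/** Returns the login name if $login/$password are valid, else null. */
function check_credentials(string $login, string $password): ?string
{
    $users = user_store();
    // Always run password_verify(), against a dummy hash for unknown logins,
    // so response time does not reveal which logins exist.
    $hash = $users[$login]['hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    return (isset($users[$login]) && $ok) ? $login : null;
}

/**
 * Identify the caller: first a logged-in session (set by the form handler),
 * then an Authorization: Basic header. Returns the login or null.
 */
function current_user(array $session, array $server): ?string
{
    if (!empty($session['user'])) {
        return (string) $session['user'];
    }
    // mod_php and php-fpm populate these from the Authorization header; under
    // plain CGI the header is not passed through unless the server is told to.
    $u = $server['PHP_AUTH_USER'] ?? null;
    $p = $server['PHP_AUTH_PW'] ?? null;
    if (is_string($u) && is_string($p)) {
        return check_credentials($u, $p);
    }
    return null;
}

session_start();
$user = current_user($_SESSION, $_SERVER);
if ($user === null) {
    // Neither a session nor valid Basic credentials: challenge the client.
    header('WWW-Authenticate: Basic realm="' . REALM . '", charset="UTF-8"');
    http_response_code(401);
    exit("Log in via the form or supply HTTP Basic credentials.\n");
}
header('Content-Type: text/plain');
echo "Hello, $user\n";
```

A browser user who came through the form never sees the Basic prompt because the session check comes first; a script or a user without a session gets the 401 challenge and can authenticate with the same password the form accepts.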
Re: [PHP] Password generator
On Tue, 2003-06-17 at 02:45, Davy Obdam wrote:
> Hi people,
>
> I have to make a password generator, but I have a little problem.
> - It needs to generate a password 8 characters long, including 1 or 2 special characters (like #$%*@).
> - Those special characters can never appear as the first or last character in the string... anywhere between is fine.
>
> I have a password generator script now that does the first thing... but the special character can be in front or back of the string, which it shouldn't. I have been looking on the web for this but I haven't found the answer. Below is my script so far.
>
> Any help is appreciated, thanks for your time,
>
> Best regards,
>
> Davy Obdam

Please don't crosspost. Pick the suitable list (in this case, it would have been php-general).

Anyway, just tell it not to use anything beyond the first 26 characters of your allowable characters string. Below is one way to do it.

Good luck,

Torben

<?php
error_reporting(E_ALL);
ini_set('display_errors', true);

// A function to generate random alphanumeric passwords in PHP.
// It expects to be passed a desired password length, but if
// none is passed the default is set to 8 (you can change this).
function generate_password($length = 8)
{
    // The list of allowable characters for the password: the 26
    // lowercase letters come first (indices 0-25), followed by the
    // digits and then the special characters.
    $allowable_characters = 'abcdefghijklmnopqrstuvwxyz0123456789%#*';

    // How many characters are in the allowable list.
    $ps_len = strlen($allowable_characters);

    // Max index of the characters allowed to start and end the output.
    $max_endpoint_ind = 25;

    // 0-based index of the last char of the output.
    $last_char = $length - 1;

    // Declare the password as a blank string.
    $pass = '';

    // Loop the number of times specified by $length.
    for ($i = 0; $i < $length; $i++) {
        // Each iteration, pick a random character from the
        // allowable string and append it to the password. The
        // first and last positions only draw from the letters.
        switch ($i) {
            case 0:
            case $last_char:
                $pass .= $allowable_characters[mt_rand(0, $max_endpoint_ind)];
                break;
            default:
                $pass .= $allowable_characters[mt_rand(0, $ps_len - 1)];
        }
    }

    // Return the password we've selected.
    return $pass;
}

for ($i = 0; $i < 100; $i++) {
    echo generate_password() . "\n";
}
?>

--
Torben Wilson [EMAIL PROTECTED] +1.604.709.0506
http://www.thebuttlesschaps.com
http://www.inflatableeye.com
http://www.hybrid17.com
http://www.themainonmain.com
- Boycott Starbucks! http://www.haidabuckscafe.com -
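An added example, not code from the thread, that meets Davy's stated rules directly (exactly one or two specials from #$%*@, never in the first or last position) and draws its randomness from random_int(), PHP's CSPRNG, instead of mt_rand(), which is a statistical generator and not meant for secrets. It is generalised slightly beyond the 8-character case: length and the number of specials are parameters, and a policy checker is included so the output can be verified. The alphabets are assumptions; Davy's list only named the specials.

```php
<?php
// Added example, not code from the thread. The letter/digit alphabet below omits
// 0/O and 1/I/l so generated passwords survive being read out or copied by hand.
declare(strict_types=1);

const PW_LETTERS  = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
const PW_SPECIALS = '#$%*@';

/** Pick one character of $alphabet uniformly at random using the CSPRNG. */
function pick(string $alphabet): string
{
    return $alphabet[random_int(0, strlen($alphabet) - 1)];
}

/**
 * Build a password of $length characters containing exactly $specials special
 * characters at random interior positions (never index 0 or $length-1), with
 * every other position drawn from PW_LETTERS. $specials = 0 means "1 or 2".
 */
function generate_password(int $length = 8, int $specials = 0): string
{
    if ($length < 3) {
        throw new InvalidArgumentException('length must be at least 3');
    }
    if ($specials === 0) {
        $specials = random_int(1, 2);
    }
    if ($specials > $length - 2) {
        throw new InvalidArgumentException('too many special characters for this length');
    }
    $chars = [];
    for ($i = 0; $i < $length; $i++) {
        $chars[$i] = pick(PW_LETTERS);
    }
    // Choose $specials distinct interior positions from 1..length-2.
    $interior = range(1, $length - 2);
    for ($n = 0; $n < $specials; $n++) {
        $k   = random_int(0, count($interior) - 1);
        $pos = $interior[$k];
        array_splice($interior, $k, 1);        // draw without replacement
        $chars[$pos] = pick(PW_SPECIALS);
    }
    return implode('', $chars);
}

/** Check a candidate against the rules; doubles as a validator for user-chosen passwords. */
function satisfies_policy(string $pw, int $length = 8): bool
{
    if (strlen($pw) !== $length) {
        return false;
    }
    $count = 0;
    foreach (str_split($pw) as $i => $c) {
        $isSpecial = str_contains(PW_SPECIALS, $c);
        if ($isSpecial && ($i === 0 || $i === $length - 1)) {
            return false;                      // special at an end position
        }
        if (!$isSpecial && !str_contains(PW_LETTERS, $c)) {
            return false;                      // character from neither alphabet
        }
        $count += $isSpecial ? 1 : 0;
    }
    return $count >= 1 && $count <= 2;
}

for ($i = 0; $i < 5; $i++) {
    $pw = generate_password();
    printf("%s  %s\n", $pw, satisfies_policy($pw) ? 'ok' : 'VIOLATION');
}
```

Placing the specials by choosing positions, rather than by rejecting and regenerating whole passwords, keeps every output uniformly distributed over the set of strings that satisfy the rules and costs a fixed amount of work per password.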
Re: [PHP] Password generator
Thanks Lars and of course all the other people who answered. It works great!!

Best regards,

Davy Obdam

Lars Torben Wilson wrote:
[snip]

--
---
Davy Obdam
Web application developer
Networking4all
email: [EMAIL PROTECTED]
email: [EMAIL PROTECTED]
internet: http://www.networking4all.com
---
Re: [PHP] Password Authentication
On 23 Mar 2003 Justin French wrote:
> That's in the user notes... ignore it... md5() does not have to be salted... in fact, you WANT the md5() to be static... because you will compare the md5()'d password in the database with the md5()'d password that they submit on a form.

Exactly. On this point the docs seem to be messed up.

--
Tom Rawson
Re: [PHP] Password Authentication
I just md5() the passwords, and reset them if needed... rather than retrieving. The advantage for me on this is that it's portable... md5() is part of the base PHP install, whereas the mcrypt stuff isn't (or wasn't).

Justin

on 23/03/03 1:31 AM, [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> I am trying to build password authentication into a database front end for a MySQL DB. I find the php docs on this point quite confusing so I have a lot of questions. I can use a one-way hash to do this if that's the best way, as I don't need to retrieve the password. However, if I could do so that has some small advantages. So I am open to either symmetric or one-way approaches.
>
> First off, there are multiple encryption methods out there -- PHP crypt() and the mcrypt functions, and MySQL encrypt(), for encryption; and the md5 etc. functions for hashing. Is there any information on best practices here, particularly in using PHP's encryption vs MySQL's?
>
> Second, the PHP docs on crypt are, to me, a mess. Much of it suggests passing the password back in as the salt for crypt, but this appears to me to only be workable if DES is being used and the first two characters of the password are the DES salt value. Since the actual encryption method is installation-dependent, the code in the docs:
>
> # You should pass the entire results of crypt() as the salt
> # for comparing a password, to avoid problems when different
> # hashing algorithms are used. (As it says above, standard
> # DES-based password hashing uses a 2-character salt, but
> # MD5-based hashing uses 12.)
> if (crypt($user_input, $password) == $password) {
>     echo "Password verified!";
> }
>
> seems to me to be exactly wrong -- what it does is *create* problems with different hashing algorithms. Using $password as the salt here only works for DES; for md5-based encryption it will fail as the first 12 characters of the password are not the md5 salt (are they?). What am I missing here?
>
> Third, I am curious as to the repeated statements as to why one must use a different salt every time. For example, here's a user comment on the crypt docs from the PHP web site:
>
> The only important consideration when generating a salt is to make sure that all salts are unique--that way the same password will be encrypted differently (i.e. the encrypted passwords will look different) for different users. One of the simplest ways to generate a unique salt is to use some string that will be different every time the procedure is called. Here's a simple example:
>
> $jumble = md5(time() . getmypid());
> $salt = substr($jumble, 0, $salt_length);
>
> My question is, why would I do this? If you are going to save the password you can't use a random salt without saving the salt along with the password so you can test it later. And if you do that, the randomness loses its value -- if someone breaks in and finds the encrypted password, they also get the salt. Again, am I missing something? Is there some potential attack where the attacker can use the repeatability of the password encryption or hashing algorithm to their advantage even if they cannot break into the server to see the encrypted data? If not, and they have to be able to break in to do the attack then, again, they can read the salt.
>
> Thanks for any comments or input.
>
> --
> Tom Rawson
Re: [PHP] Password Authentication
On 23 Mar 2003 Justin French wrote:
> I just md5() the passwords, and reset them if needed... rather than retrieving. The advantage for me on this is that it's portable... md5() is part of the base PHP install, whereas the mcrypt stuff isn't (or wasn't).

Something like that was my inclination as it seems simpler. One could also md5 the combined user / PW string, so the hash doesn't correspond to a single password.

Do you know why there is all the stuff in the docs about using random salts? That didn't make much sense to me.

--
Tom Rawson
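An added example, not code from the thread, that runs the two mechanisms Tom is asking about side by side so the behaviour can be observed rather than argued: crypt() with the stored hash passed back as the "salt" (the manual idiom he quotes), and md5() with no salt as Justin uses it. Two constructed users share the password "hunter2". The SHA-512 crypt scheme ($6$) is chosen here for illustration; password_hash() is included because it is the same idea with the salt handling done for you.

```php
<?php
// Added example, not code from the thread. Two things it demonstrates:
// (1) crypt() parses the scheme and salt out of the prefix of whatever is passed as
//     its second argument, so crypt($input, $stored) == $stored works for DES ("xx..."),
//     MD5-crypt ("$1$..."), SHA-crypt ("$5$"/"$6$...") and bcrypt ("$2y$...") alike:
//     the "12 characters" Tom mentions are "$1$" plus an 8-character salt plus "$".
// (2) a per-user random salt makes identical passwords hash differently, so one
//     cracked hash, or one precomputed table, does not unlock every account that
//     shares that password. The salt is stored in the clear; that is expected.
declare(strict_types=1);

/** Salt-less MD5 as in the thread: identical passwords give identical digests. */
function unsalted_md5(string $password): string
{
    return md5($password);
}

/** crypt() with an explicit random salt; scheme and salt end up embedded in the output. */
function salted_crypt(string $password): string
{
    // "$6$" selects SHA-512 crypt; 16 salt characters from the crypt alphabet [./0-9A-Za-z].
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return crypt($password, '$6$' . $salt . '$');
}

/** The manual's idiom: the stored hash is the salt argument; constant-time comparison. */
function verify_crypt(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

/** Same idea with the salt generated and embedded for you (bcrypt by default). */
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed demonstration: two users who chose the same password.
$pw = 'hunter2';
echo "md5,   user A: ", unsalted_md5($pw), "\n";
echo "md5,   user B: ", unsalted_md5($pw), "\n";   // identical: one lookup cracks both
$a = salted_crypt($pw);
$b = salted_crypt($pw);
echo "crypt, user A: $a\n";
echo "crypt, user B: $b\n";                        // different salt, different hash
var_dump(verify_crypt($pw, $a), verify_crypt('wrong', $a));
$h = hash_password($pw);
echo "password_hash: $h\n";
var_dump(verify_password($pw, $h), verify_password('wrong', $h));
```

The first two lines of output are the same 32 hex characters; the crypt and password_hash lines differ from run to run and from user to user while still verifying, which is the property the documentation's salt advice is about.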