Thanks for the help, people. Problem solved.
-Original message-
From: Alejandro Michelin Salomon (Hotmail) [mailto:amichel...@hotmail.com]
Sent: Wednesday, September 21, 2011 00:07
To: 'Mateus Almeida'
Cc: php-general@lists.php.net
Subject: RES: [PHP] Installing PHP
I have an application in which the password is stored in the database
as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
entered with:
$password = md5( md5($_POST['password']).'userSpecificSalt' );
$query = "SELECT id FROM table WHERE password='{$password}'";
Now I'm a bit queasy
On Wed, Sep 21, 2011 at 13:53, Dotan Cohen dotanco...@gmail.com wrote:
I have an application in which the password is stored in the database
as md5(md5('passWord').'userSpecificSalt'). I'm checking the password
entered with:
$password = md5( md5($_POST['password']).'userSpecificSalt' );
If you're converting the input data to an MD5 hash, there's no reason to escape it.
Regards,
Igor Escobar
Software Engineer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar http://www.twitter.com/igorescobar
On Wed, Sep 21, 2011 at 2:53 PM, Dotan Cohen
On Wed, Sep 21, 2011 at 21:03, Daniel Brown danbr...@php.net wrote:
It never hurts to be overly cautious, but as MD5 hashes are
strictly alphanumeric (using hex characters), you won't have an issue
with injection with the code above. That is, of course, unless your
version of PHP is
Thanks Igor. I will sleep peacefully this night!
--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
On Wed, Sep 21, 2011 at 15:32, Dotan Cohen dotanco...@gmail.com wrote:
The rebuild without md5 is an interesting point. That sounds exactly
like the type of it-will-never-happen-until-it-happens-to-me problems!
Thanks for the heads up.
I should've specified, though, that then you would
On Wed, Sep 21, 2011 at 22:36, Daniel Brown danbr...@php.net wrote:
I should've specified, though, that then you would simply have the
fatal error message (call to undefined function) pass through, not the
unhashed original text.
Yes, that is obvious.
--
Dotan Cohen
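
Added example (not part of the thread and not the posters' code): the same md5(md5(password).salt) check done with a bound parameter and a comparison in PHP, so the query stays safe without relying on the hash being hex-only. The users table, its name column, the sample user and the in-memory SQLite database are assumptions made for the example.

```php
<?php
// Added example; table, columns and the sample user are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, salt TEXT, password TEXT)');

// Same storage scheme as in the thread: md5(md5(password) . salt).
function legacyHash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

$salt = 'userSpecificSalt';
$ins = $pdo->prepare('INSERT INTO users (name, salt, password) VALUES (?, ?, ?)');
$ins->execute(['dotan', $salt, legacyHash('passWord', $salt)]);

function checkLogin(PDO $pdo, string $name, string $password): ?int
{
    // Bound parameter: the submitted name never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, salt, password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    $candidate = legacyHash($password, $row['salt']);

    // md5() returns 32 lowercase hex characters, which is the property the
    // thread relies on. Check it explicitly instead of assuming it.
    if (preg_match('/^[0-9a-f]{32}$/', $candidate) !== 1) {
        throw new RuntimeException('unexpected hash format');
    }

    // Compare in PHP in constant time rather than in the WHERE clause.
    return hash_equals($row['password'], $candidate) ? (int) $row['id'] : null;
}

var_dump(checkLogin($pdo, 'dotan', 'passWord'));   // stored password
var_dump(checkLogin($pdo, 'dotan', "pass'Word"));  // quote character in the password
var_dump(checkLogin($pdo, "dot'an", 'passWord'));  // quote character in the name
```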