php-general Digest 20 Jan 2008 11:03:47 -0000 Issue 5246

Topics (messages 267678 through 267700):

Re: Posting Summary for Week Ending 18 January, 2008: [EMAIL PROTECTED]
        267678 by: Daniel Brown
        267679 by: David Powers
        267680 by: Jochem Maas
        267681 by: David Powers
        267682 by: Jochem Maas
        267684 by: Andrés Robinet
        267686 by: Wolf
        267687 by: Daniel Brown
        267688 by: Daniel Brown
        267689 by: Wolf
        267691 by: Ashley M. Kirchner
        267693 by: Nathan Nobbe
        267699 by: Per Jessen

Re: password hashing and crypt()
        267683 by: Jochem Maas
        267690 by: Eric Butera
        267694 by: Andrés Robinet
        267695 by: Nathan Nobbe

Re: avoid server folder reading
        267685 by: Jochem Maas
        267692 by: Nathan Nobbe
        267697 by: Casey
        267700 by: Alain Roger

Re: Expand variable in comparison
        267696 by: Casey

Re: FPDF
        267698 by: Brady Mitchell

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
On Jan 19, 2008 5:25 PM, David Powers <[EMAIL PROTECTED]> wrote:
> Daniel Brown wrote:
> >     Finally, I don't want you to think that I'm personally-attacking
> > you in the same way you did to me
>
> Sorry, Dan, you just don't get it, do you? You published the name and
> email address of every single person who contributed to this mailing
> list in the past week. I didn't give you permission to publish my
> details, and I'm pretty sure the same goes for just about everyone else.
> Instead of apologizing to everyone here, you have sought to ridicule my
> position.

    Notice, if you will and are able, that all other posts to this
thread are responses of interest, not the ramblings of a crybaby.  I
told you I would remove you from future reports, and I have.  I don't
know exactly who you think you are to crusade and demand my apologies
to "everyone here" when not only have I done nothing wrong, but I've
created something that is useful and stimulating to those who Actually
Matter[TM].  Thankfully, I don't feel as though I either have to
justify myself to you, or continue speaking with you about it.  So
with that....

    </discussion>



-- 
</Dan>

Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self Since
Nineteen-Seventy-[mumble].

--- End Message ---
--- Begin Message ---
Daniel Brown wrote:
>     Notice, if you will and are able, that all other posts to this
> thread are responses of interest, not the ramblings of a crybaby.

I have also noticed that many of the responses come from #1 Rated "Year's Coolest Guy" By Self. A little humility might be in order.

> I done nothing wrong, but I've
> created something that is useful and stimulating to those who Actually
> Matter[TM].

Just to remind everyone what this useful and stimulating exercise was for, in your own words, it was 'For bragging rights, to keep track of how much time you've spent doing "community service" or whatever else.'

By publishing everyone's email address, you screwed up, but don't have the decency to admit it. And at no time have I stooped to calling you names.

__
David Powers

--- End Message ---
--- Begin Message ---
David Powers wrote:
> Daniel Brown wrote:
> >     Finally, I don't want you to think that I'm personally-attacking
> > you in the same way you did to me
>
> Sorry, Dan, you just don't get it, do you?

good mantra - please repeat to yourself 20 times every morning whilst
you brush your teeth. actually I might do that myself, I'm sure I don't
get 'it' either most days and besides it has something strangely zen about it

there is an adage along the lines of "we tend to accuse others of things
we despise most in ourselves" ... I know I'm guilty of that on many an occasion.
how about you?

if I am correct you are or were a journalist. forgive me if I have mistaken you
for another, but if that is correct then how often have you trodden on someone's
privacy for the sake of a story? it's just a thought not an accusation. but
hopefully you get the gist that maybe things are not so cut and dried as we
sometimes like to think?

> You published the name and email address of every single person who contributed to this mailing list in the past week. I didn't give you permission to publish my details

you already did that by posting so the info is already in the public domain and
as Dan pointed out he's not actually in violation of anything - having
explained to you the actual status quo with regard to british/european
privacy law.

> , and I'm pretty sure the same goes for just about everyone else.

he doesn't need my permission. but if he did he just got it, and that
probably goes for most other people on this list. I have a feeling you're pretty
much on your own here.

> Instead of apologizing to everyone here, you have sought to ridicule my position.

oh you did a pretty good job of that all by yourself from where I'm standing ;-)

why not get over it and join the club instead of knocking it?

--- End Message ---
--- Begin Message ---
Jochem Maas wrote:
> if I am correct you are or were a journalist. forgive if I have mistaken you for another, but if that is correct then how often have you trodden on someone's
> privacy for the sake of a story?

Yes, I was a journalist for some 30 years, but roughly two-thirds of that time was spent in an editorial capacity, not on the road. I cannot honestly remember an occasion on which I infringed someone's privacy for the sake of a story. The privacy guidelines that applied to my job are publicly available online:

http://www.bbc.co.uk/guidelines/editorialguidelines/edguide/privacy/consent.shtml

> as Dan pointed out he's not actually in violation of anything

That's Dan's interpretation.

> why not get over it and join the club instead of knocking it?

All that was necessary was for Dan to acknowledge that he'd made a mistake publishing a list of everyone's email address in plain text. It was wholly unnecessary for the purpose of creating a chart of the most prolific posters. Counting the number of posts is pretty meaningless anyway. It says nothing about the usefulness of those posts.

I rarely post here, not for any negative reasons, but because I can see there are plenty of knowledgeable people here giving a lot of valuable help to others. So I spend my time contributing to other forums where PHP expertise is thin on the ground.

If treating someone's complaint with contempt, even if you don't agree with the substance of it, is the way this "club" works, it's not one that I feel comfortable joining.

--
David Powers

--- End Message ---
--- Begin Message ---
David Powers wrote:
> Jochem Maas wrote:
> > if I am correct you are or were a journalist. forgive if I have mistaken you for another, but if that is correct then how often have you trodden on someone's
> > privacy for the sake of a story?
>
> Yes, I was a journalist for some 30 years, but roughly two-thirds of that time was spent in an editorial capacity, not on the road.

I can't quite see what difference that makes. you wrote something, you edited
something, you allowed something through - what's the difference for the current
point being discussed?

> I cannot honestly remember an occasion on which I infringed someone's privacy for the sake of a story.

even if that's your honest opinion there might be someone who thought differently
at some stage when they were affected by something you produced, no?

> The privacy guidelines that applied to my job are publicly available online:
>
> http://www.bbc.co.uk/guidelines/editorialguidelines/edguide/privacy/consent.shtml

it's quite possible to follow the letter of the law whilst raping its spirit.


> > as Dan pointed out he's not actually in violation of anything
>
> That's Dan's interpretation.

isn't interpretation all we have? (not forgetting php is interpreted ;-))


> > why not get over it and join the club instead of knocking it?
>
> All that was necessary was for Dan to acknowledge that he'd made a mistake publishing a list of everyone's email address in plain text. It was wholly unnecessary for the purpose of creating a chart of the most prolific posters. Counting the number of posts is pretty meaningless anyway. It says nothing about the usefulness of those posts.
>
> I rarely post here, not for any negative reasons, but because I can see there are plenty of knowledgeable people here giving a lot of valuable help to others. So I spend my time contributing to other forums where PHP expertise is thin on the ground.

I'm of the opinion that this kind of knowledge should be concentrated in as
few places as possible, thereby offering newbies a bigger and juicier target
to aim their questions at. just a thought.


> If treating someone's complaint with contempt, even if you don't agree with the substance of it, is the way this "club" works, it's not one that I feel comfortable joining.

you create the world you live in, if you're confronted with contempt (in your
perception) then in the end that is wholly your doing. you can't force Dan or
anyone else to do/respond in any given way (i.e. a way you see as correct) so
it's futile - I am certain that had you approached with your grievance in a
different manner then you would have gotten a completely different result,
namely the one you desired. this is in your hands, not anyone else's. this applies
to everything not just Dan or this mailing list.

--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: David Powers [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 19, 2008 10:22 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Re: Posting Summary for Week Ending 18 January, 2008: [EMAIL PROTECTED]
> 
> Jochem Maas wrote:
> > if I am correct you are or were a journalist. forgive if I have mistaken you
> > for another, but if that is correct then how often have you trodden on someone's
> > privacy for the sake of a story?
> 
> Yes, I was a journalist for some 30 years, but roughly two-thirds of
> that time was spent in an editorial capacity, not on the road. I cannot
> honestly remember an occasion on which I infringed someone's privacy for
> the sake of a story. The privacy guidelines that applied to my job are
> publicly available online:
> 
> http://www.bbc.co.uk/guidelines/editorialguidelines/edguide/privacy/consent.shtml
> 
> > as Dan pointed out he's not actually in violation of anything
> 
> That's Dan's interpretation.
> 
> > why not get over it and join the club instead of knocking it?
> 
> All that was necessary was for Dan to acknowledge that he'd made a
> mistake publishing a list of everyone's email address in plain text. It
> was wholly unnecessary for the purpose of creating a chart of the most
> prolific posters. Counting the number of posts is pretty meaningless
> anyway. It says nothing about the usefulness of those posts.
> 
> I rarely post here, not for any negative reasons, but because I can see
> there are plenty of knowledgeable people here giving a lot of valuable
> help to others. So I spend my time contributing to other forums where
> PHP expertise is thin on the ground.
> 
> If treating someone's complaint with contempt, even if you don't agree
> with the substance of it, is the way this "club" works, it's not one
> that I feel comfortable joining.
> 
> --
> David Powers
> 
> --

I have some thoughts, I just hope you (all) don't start hunting for me. But if 
you do, well, do it:

1 - I do believe the posting summary adds nothing to this list. But I don't 
care about it either. I think this is all about "karma" and as such, "who has 
the biggest dick". We could argue for hours about this, and I know some of you 
will find the stats valuable (especially to show your boss how "karmatic" you 
are, or to show your boss how much time one of your partners spends instead of 
doing his job, lol).

2 - I don't have anything against my name and email being published in the 
stats (sure, I'd like support for the "é" character in my name :)). I don't 
care about spam either, we all get spam anyway, and that's why we have RBLs in 
our mail server and the MS Outlook junk folder. Moreover, if I were a spammer, I 
would also search for mailto: patterns like agrobinet+at+bestplace+dot+biz, so 
I think I'd get mangled email addresses anyway.

3 - I don't like the attitude of both Dan and David. IMHO, David thinks the 
issue is more severe than it is, and Dan just won't recognize that mangling 
email addresses is kind of a (arguably also) "standard practice". No public 
apology is needed, but maybe "Yeah, I just didn't consider that" would be 
enough.

4 - I have two phrases I like very much, one of them is "one fault does not 
cover another" and the other one is "Hakuna Matata" (yes, I saw the lion king 
baby! lol).

Just one more thing, about...

> If treating someone's complaint with contempt, even if you don't agree
> with the substance of it, is the way this "club" works, it's not one
> that I feel comfortable joining.

... well, that's because you didn't taste the internals list yet, lol.

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | 
TEL 954-607-4207 | FAX 954-337-2695
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE: bestplace |  
Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

--- End Message ---
--- Begin Message ---
David Powers wrote:
> Daniel Brown wrote:
> >     Notice, if you will and are able, that all other posts to this
> > thread are responses of interest, not the ramblings of a crybaby.
>
> I have also noticed that many of the responses come from #1 Rated "Year's Coolest Guy" By Self. A little humility might be in order.

Humbleness DOES normally come with age sometimes, but one would assume that with your advanced years that you might look at things differently. That being said, while I'm sure Dan believes he's the "Year's Coolest Guy", there are some out there who think otherwise. To each their own as is their right. We DO live in a democracy with the right of free thought and speech, as a journalist should well know. Perhaps during your editorial years you missed editing all the privacy laws and such concerning public domain. From the news reports *I* keep seeing, the use of "public" sources and gathering of "public" information seems more about how much the "public" can be stretched for the raping of information to tweak the story to their own designs instead of going after the whole truth. Gotta love one-sided reporting... But I digress...


> > I done nothing wrong, but I've
> > created something that is useful and stimulating to those who Actually
> > Matter[TM].
>
> Just to remind everyone what this useful and stimulating exercise was for, in your own words, it was 'For bragging rights, to keep track of how much time you've spent doing "community service" or whatever else.'
>
> By publishing everyone's email address, you screwed up, but don't have the decency to admit it. And at no time have I stooped to calling you names.

Following the posts, I do believe Dan is going to mangle the email addresses. Heck, he can omit them to just the "name" of the poster if he wants, won't bother me but then I don't have an á or é in my name that's still getting fudged...

But that is all beside the point. YOU posted to the list, thereby doing so with an email address which you have PUBLICLY posted. That you are not happy with the list coming out means that you failed to pay attention to this list for the last couple of weeks when 1) Dan's script blew up and 2) last week when Richard wasn't even showing on the list.

My suggestion would be to increase your spam blocking mechanism(s) such as Thunderbird's spam learning feature or your ISP's filtering or even running your email through your own Linux server and using ClamAV and SpamAssassin to clean your email before popping it off to your local machine.

Either way, your problem was of your own making. Now, you could apologize to the list and Dan for blowing things out of proportion, which would show some humility, but you're pretty much the only one here complaining about your email address being posted by someone else after you have already done so.

Wolf

--- End Message ---
--- Begin Message ---
On Jan 19, 2008 8:15 PM, Andrés Robinet <[EMAIL PROTECTED]> wrote:
> 2 - I don't have anything against my name and email being published in the 
> stats (sure, I'd like support for the "é" character on my name :)). I don't 
> care about spam either, we all get spam anyway, and that's why we have RBLs 
> in our mail server and the MS Outlook junk folder. Moreover, if I was a 
> spammer, I would also search for mailto: patterns like 
> agrobinet+at+bestplace+dot+biz, so I think I'd get mangled email addresses 
> anyway.

    I am adding support for non-English characters (I think I
mentioned it this morning or last night).  Something I had forgotten
about until you and Zoltan Nemeth brought it up.  I'm unintentionally
closed-minded about that stuff sometimes, having the name Dan Brown.

> 3 - I don't like the attitude of both Dan and David. IMHO, David thinks the 
> issue is more severe than it is, and Dan just won't recognize that mangling 
> email addresses is kind of a (arguably also) "standard practice". No public 
> apologize is needed, but maybe "Yeah, I just didn't consider that" would be 
> enough.

    Actually, I did say that.  It was a rather embarrassing oversight
on my part, and I updated the scripts as soon as it was pointed out to
me (by Richard Lynch, if memory serves correctly).  To be honest, it
wouldn't make any difference really, because the moment we click the
"send" button to this - or nearly any other active list - we are
likely having our addresses broadcast to SPAM catch-all addresses
piping our email addresses into a database, as well as listing them
(plain-text) in the archives.  Still, it is standard practice, and I
had forgotten to make it so in the script.

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self Since
Nineteen-Seventy-[mumble].

--- End Message ---
--- Begin Message ---
On Jan 19, 2008 8:55 PM, Wolf <[EMAIL PROTECTED]> wrote:
> David Powers wrote:
> > Daniel Brown wrote:
> >>     Notice, if you will and are able, that all other posts to this
> >> thread are responses of interest, not the ramblings of a crybaby.
> >
> > I have also noticed that many of the responses come from #1 Rated
> > "Year's Coolest Guy" By Self. A little humility might be in order.
>
> Humbleness DOES normally come with age sometimes, but one would assume
> that with your advanced years that you might look at things differently.

    It's on there as a joke, not out of lack of humility.  I always
have stupid little phrases in my signature lines.  This one was
actually meant to be a self-bashing line meaning, "I'm the only one
who thinks I'm cool."

>   That being said, while I'm sure Dan believes he's the "Year's Coolest
> Guy", there are some out there who think otherwise.

    Dude.... there are A LOT of them....

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek and #1 Rated "Year's Coolest Guy" By Self Since
Nineteen-Seventy-[mumble].

--- End Message ---
--- Begin Message ---
Daniel Brown wrote:
> On Jan 19, 2008 8:55 PM, Wolf <[EMAIL PROTECTED]> wrote:
> > David Powers wrote:
> > > Daniel Brown wrote:
> > >>     Notice, if you will and are able, that all other posts to this
> > >> thread are responses of interest, not the ramblings of a crybaby.
> > >
> > > I have also noticed that many of the responses come from #1 Rated
> > > "Year's Coolest Guy" By Self. A little humility might be in order.
> >
> > Humbleness DOES normally come with age sometimes, but one would assume
> > that with your advanced years that you might look at things differently.
>
>     It's on there as a joke, not out of lack of humility.  I always
> have stupid little phrases in my signature lines.  This one was
> actually meant to be a self-bashing line meaning, "I'm the only one
> who thinks I'm cool."

Yeah, finding a random-quote adder for Thunderbird is NOT easy, even for a windoze system. I used to have one with Outlook when I was forced to use it. :/

But I think you're an OK kinda guy, but we'll have to see if Richard invites us to sit with the cool kids next time. ;)


> >   That being said, while I'm sure Dan believes he's the "Year's Coolest
> > Guy", there are some out there who think otherwise.
>
>     Dude.... there are A LOT of them....

Well I wasn't gonna go there...  ;)

Maybe I'm the only one who finds it interesting that jpni.co.uk is an empty apache setup that will only show a "This account is suspended" page when you go look at it.

And this little gem that David posted a while ago:
"With regard to the argument about free flow of information, all the
information in my books is freely available on the internet. However,
the value to most readers is that I have pulled together that
information, tested it, and presented it in a form that, hopefully,
makes it easier for beginners and intermediate developers to understand."

Now, while Dan hasn't posted his source code for the beginners and intermediates to cull through (maybe there are some other list admins of something productive like a good amateur porn site) that would like to use the same gathering tactics, he has used the free flow of information that is freely available on the internet to produce the posting summary.

Just some food for thought...

Wolf

--- End Message ---
--- Begin Message ---

Well, at least we know which subject will make it to the top next week....

--
H | It's not a bug - it's an undocumented feature.
 +--------------------------------------------------------------------
 Ashley M. Kirchner <mailto:[EMAIL PROTECTED]>   .   303.442.6410 x130
 IT Director / SysAdmin / Websmith             .     800.441.3873 x130
 Photo Craft Imaging                       .     3550 Arapahoe Ave. #6
http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
--- End Message ---
--- Begin Message ---
On Jan 19, 2008 9:25 PM, Ashley M. Kirchner <[EMAIL PROTECTED]> wrote:

>
>    Well, at least we know which subject will make it to the top next
> week....


nice; say, dan, here comes another feature request; can we see the top
thread (or 3 :)) as well ?

-nathan

--- End Message ---
--- Begin Message ---
Nathan Nobbe wrote:

> i didnt see the option in gmail; but if you know where it is or how to
> set it up in gmail, i will happily take the 2 seconds to enable it.

Sorry, I don't use gmail. 


/Per Jessen, Zürich

--- End Message ---
--- Begin Message ---
Nathan Nobbe wrote:
> hi all,
>
> recently ive been debating a bit about the use of the crypt() function and
> the best practice thereof, im hoping you can help to clarify this for me.
>
> so, the crypt function
> http://www.php.net/manual/en/function.crypt.php
> has a second parameter, $salt, which, if not supplied will be automatically
> generated and presumably become a prefix or suffix of the returned string.
>
> now, the article on the phpsec website
> http://phpsec.org/articles/2005/password-hashing.html
> recommends to externally create a salt and to store that in a separate field
> in the database, which would then be used for subsequent password
> verification.
>
> theoretically, however, if the password is generated without a user supplied
> salt, there is a salt already embedded in the password anyway.
>
> so, i have the following questions
>
>    1. is the phpsec technique bloated or unnecessary

I can't see a dictionary attack being thwarted by the salt given that the salt
is made available when a password is checked. I'm struggling to see how a salt
will help if it's made available. but it's late, maybe a better brain can
enlighten us :-)

then again your question is a little skewed due to the fact that sha1() is
used in the phpsec article and you're talking about crypt - which encryption is
better as it stands is the first question to ask no? AFAIK sha1() is
recommended over DES but maybe I'm misinformed.

>    2. is it better to create a user supplied salt, and why or why not
>    3. is crypt() 'intended' to be used w/o a user provided salt, since it
>    is a stable algorithm

depends on the use - i.e. using it in conjunction with a .htpasswd file
will require no salt (auto-generated salt), other usage recommends using
an explicit salt.

all this salt is hurting my eyes - I have a blind spot.


> any other direction or hints you can supply are much appreciated.
>
> thanks,
>
> -nathan


--- End Message ---
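The property Nathan and Jochem are circling (the salt crypt() uses is embedded in the string it returns, so verification needs no separate salt column, and the salt need not be secret to do its job) can be seen directly in code. The following is an added example, not code from the thread or from the phpsec article; it assumes PHP 7.0 or later (random_bytes(), hash_equals()) and a crypt() build with CRYPT_SHA512 support, and the password is a constructed demo value.

```php
<?php
// Added example, not code from the mailing-list thread. Shows that the salt
// crypt() uses is carried inside the returned string and is reused at
// verification time, so no separate salt column is needed with crypt().
// Assumes PHP >= 7.0 (random_bytes, hash_equals) and CRYPT_SHA512 support.
declare(strict_types=1);

/**
 * Build an explicit "$6$<salt>$" prefix for SHA-512 crypt().
 * The 16 salt characters are drawn from random bytes, never from the password.
 */
function makeSha512Salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $raw  = random_bytes(16);
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[ord($raw[$i]) % 64];
    }
    return '$6$' . $salt . '$';
}

/** Hash a new password; the result already contains the salt. */
function hashPassword(string $password): string
{
    $hash = crypt($password, makeSha512Salt());
    // On an unsupported salt format crypt() returns a string shorter than
    // 13 characters ("*0" or "*1"); refuse to store that.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed: SHA-512 crypt not available');
    }
    return $hash;
}

/** Verify by handing the stored hash back to crypt() as the salt argument. */
function verifyPassword(string $password, string $storedHash): bool
{
    // crypt() reads the "$6$<salt>$" prefix from $storedHash and repeats the
    // same computation; hash_equals() keeps the comparison constant-time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Demo with a constructed password.
$password = 'correct horse battery staple';
$stored   = hashPassword($password);

echo "stored: $stored\n";                        // salt is visible in the prefix
var_dump(verifyPassword($password, $stored));
var_dump(verifyPassword(ucfirst($password), $stored));
// The same password hashed again gets a fresh salt and so a different string.
var_dump(hashPassword($password) === $stored);
```

Run it twice and the two stored strings differ in their salt portion although the password is the same; verifyPassword() still succeeds because crypt() recovers the salt from the stored value's prefix. That answers Jochem's doubt: the salt is not hidden from anyone who can read the table, it simply forces a dictionary to be rehashed once per salt rather than once for everybody. Note also that calling crypt() without a salt argument raises a notice from PHP 5.6 and is an error in PHP 8, so the explicit salt is required in current PHP anyway.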
--- Begin Message ---
On Jan 19, 2008 8:02 PM, Jochem Maas <[EMAIL PROTECTED]> wrote:
> Nathan Nobbe wrote:
> > hi all,
> >
> > recently ive been debating a bit about the use of the crypt() function and
> > the best practice thereof, im hoping you can help to clarify this for me.
> >
> > so, the crypt function
> > http://www.php.net/manual/en/function.crypt.php
> > has a second parameter, $salt, which, if not supplied will be automatically
> > generated and presumably become a prefix or suffix of the returned string.
> >
> > now, the article on the phpsec website
> > http://phpsec.org/articles/2005/password-hashing.html
> > recommends to externally create a salt and to store that in a separate field
> > in the database, which would then be used for subsequent password
> > verification.
> >
> > theoretically, however, if the password is generated without a user supplied
> > salt,
> > there is a salt already embedded in the password anyway.
> >
> > so, i have the following questions
> >
> >    1. is the phpsec technique bloated or unnecessary
>
> I can't see a dictionary attack being thwarted by the salt given that the salt
> is made available when a password is checked. I'm struggling to see how a salt
> will help if it's made available. but it's late, maybe a better brain can
> enlighten us :-)
>
> then again your question is a little skewed due to the fact that sha1() is
> used in the phpsec article and you're talking about crypt - which encryption is
> better as it stands is the first question to ask no? AFAIK sha1() is
> recommended over DES but maybe I'm misinformed.
>
> >    2. is it better to create a user supplied salt, and why or why not
> >    3. is crypt() 'intended' to be used w/o a user provided salt, since it
> >    is a stable algorithm
>
> depends on the use - i.e. using it in conjunction with a .htpasswd file
> will require no salt (auto-generated salt), other usage recommends using
> an explicit salt.
>
> all this salt is hurting my eyes - I have a blind spot.
>
>
> >
> > any other direction or hints you can supply are much appreciated.
> >
> > thanks,
> >
> > -nathan
> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

They say sha1 has been compromised.
http://en.wikipedia.org/wiki/SHA_hash_functions

I always make sure that I use a site specific salt which is just
appended on the user supplied value.  I started doing that when I read
that people had created huge databases of hashed values that they can
just search on.  At least this way no matter what the password isn't a
dictionary word.  As for if that really adds value in the end I can't
say as I'm not really a security expert.

Eg. hash('sha256', $input.$salt);

--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: Eric Butera [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 20, 2008 12:24 AM
> To: Jochem Maas
> Cc: Nathan Nobbe; PHP General List
> Subject: Re: [PHP] password hashing and crypt()
> 
> On Jan 19, 2008 8:02 PM, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > Nathan Nobbe wrote:
> > > hi all,
> > >
> > > recently ive been debating a bit about the use of the crypt() function and
> > > the best practice thereof, im hoping you can help to clarify this for me.
> > >
> > > so, the crypt function
> > > http://www.php.net/manual/en/function.crypt.php
> > > has a second parameter, $salt, which, if not supplied will be automatically
> > > generated and presumably become a prefix or suffix of the returned string.
> > >
> > > now, the article on the phpsec website
> > > http://phpsec.org/articles/2005/password-hashing.html
> > > recommends to externally create a salt and to store that in a separate field
> > > in the database, which would then be used for subsequent password
> > > verification.
> > >
> > > theoretically, however, if the password is generated without a user supplied
> > > salt,
> > > there is a salt already embedded in the password anyway.
> > >
> > > so, i have the following questions
> > >
> > >    1. is the phpsec technique bloated or unnecessary
> >
> > I can't see a dictionary attack being thwarted by the salt given that the salt
> > is made available when a password is checked. I'm struggling to see how a salt
> > will help if it's made available. but it's late, maybe a better brain can
> > enlighten us :-)
> >
> > then again your question is a little skewed due to the fact that sha1() is
> > used in the phpsec article and you're talking about crypt - which encryption is
> > better as it stands is the first question to ask no? AFAIK sha1() is
> > recommended over DES but maybe I'm misinformed.
> >
> > >    2. is it better to create a user supplied salt, and why or why not
> > >    3. is crypt() 'intended' to be used w/o a user provided salt, since it
> > >    is a stable algorithm
> >
> > depends on the use - i.e. using it in conjunction with a .htpasswd file
> > will require no salt (auto-generated salt), other usage recommends using
> > an explicit salt.
> >
> > all this salt is hurting my eyes - I have a blind spot.
> >
> >
> > >
> > > any other direction or hints you can supply are much appreciated.
> > >
> > > thanks,
> > >
> > > -nathan
> > >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> 
> They say sha1 has been compromised.
> http://en.wikipedia.org/wiki/SHA_hash_functions
> 
> I always make sure that I use a site specific salt which is just
> appended on the user supplied value.  I started doing that when I read
> that people had created huge databases of hashed values that they can
> just search on.  At least this way no matter what the password isn't a
> dictionary word.  As for if that really adds value in the end I can't
> say as I'm not really a security expert.
> 
> Eg. hash('sha256', $input.$salt);
> 
> --

Let me share what I've read in a cryptography book some time ago. I hope to
remember it well, but for me it served as an explanation about what the
"SALT" is all about (for those of you who don't have a clue, like me). I
will put aside any cryptographic considerations like the strength of the
algorithms or steganography analysis. 

Let's build a scenario (yeah, I was kind of a teacher in the past, lol). For
the sake of simplicity, let's assume the following:

1 - You have a database (actually, a table) of 10 rows with user encrypted
passwords, and somebody (the cracker) had made it to sniff in and get access
to it. Let's assume passwords are encrypted using MD5 and the cracker knows
it.
2 - No other data has been compromised, or no other compromised data means
anything to the cracker. He only wants to reverse engineer your passwords,
meaning by that "to get valid passwords that match the encrypted (hashed is
the word) ones". Let's say that having those passwords, the cracker can
login to your system and do some interesting stuff, which is the only
ultimate goal of his.
3 - The cracker has a dictionary of 100 words to try, he hopes to find a
match within that dataset. Whether he finds one or more passwords using the
dictionary is not relevant to this scenario, but the metric here is how much
computational effort he has to make to reverse engineer the encryption.

Now, what would the cracker have to do to get one or more valid passwords?
Probably something like:

1 - Apply the MD5 function to the words in the dictionary. He gets a "hashed
dictionary", which he has probably already built long ago (for doing some
other "obscure task").
2 - Compare each of the values in the hashed dictionary to the passwords
table to find matches.

Step 2 can be optimized in several ways, but I'll not get deeper into it (nor
will I give you O[X] values, as I don't have a clue, but some figures
can be made). Also, there's the chance that two users chose the same
password, and the hashes would be equal (in this case you would have only 9
passwords to match).

Now, let's change the scenario and let's say that instead of a table of 10
encrypted passwords you have a table of 10 encrypted passwords and 10 random
SALT values that were used to generate them. According to that, you have the
following equivalence:

$encryptedPassword = md5($password.$salt); // Or similar

This complicates things for the cracker, because:

1 - He must know how the salt was used to generate the password (was it
concatenated before the password, after the password, or both?).
2 - He has to generate 10 dictionary hashes (one for each salt value,
assuming each salt value is different). So now the hashed dictionary
actually has 1000 entries instead of 100. And he MUST recreate the hashed
dictionary for each attack he wants to perpetrate against one of these tables
(assuming he has sniffed in more than one place).
3 - Even if he finds two hashes are equal in the passwords table, he won't
guess two passwords in one shot, because the SALT values for each password
would be different.

I remember I first came across the SALT thing while doing an SMF
integration (don't remember the SMF version, but I remember I had to do
things manually that time; now SMF has an API of some sort, I think).

OK, that's all folks. Now, I'll have a glass of water (or better yet, wine).

Regards,

Rob


Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: [EMAIL PROTECTED]  | MSN Chat: [EMAIL PROTECTED]  |  SKYPE:
bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

--- End Message ---
--- Begin Message ---
thanks for the great responses guys.
i guess what i'm really getting at though is, if crypt() will embed
a salt in the value it returns automatically, is there any benefit to
creating a salt to pass to the second argument and storing that
as well?
conceivably, passwords already have a salt using the
default crypt() behavior, so the general benefit of salting should
be supplied by said default behavior.
my guess is that there would be *some* benefit to creating a user
supplied salt.  greater entropy or something, i'm not sure what...
i'm just trying to rationalize creating a salt in userspace
and storing that in the database as opposed to not.  any takers
for either case?

-nathan

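As an added example (not code from either message above, nor from PHP's own documentation), the following PHP script walks through the salt scenario Andrés describes and answers Nathan's crypt() question: it first keeps a random per-user salt beside a sha256 hash, then shows that crypt() embeds its salt in the string it returns, so verification needs only the stored value. It assumes PHP 7 or later (random_bytes(), hash_equals()); the user names and passwords are constructed sample data.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.0 (random_bytes) and
// PHP >= 5.6 (hash_equals); user names and passwords below are made-up sample data.

// --- Part 1: the "table of hashes plus a table of random salts" scenario ---
function makeSalt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));   // unique per user, stored next to the hash
}

function saltedHash(string $password, string $salt): string {
    // Same shape as md5($password.$salt) in the message above, using sha256 instead.
    return hash('sha256', $password . $salt);
}

function verifySalted(string $password, array $row): bool {
    // Recompute with the stored salt; hash_equals avoids a timing side channel.
    return hash_equals($row['hash'], saltedHash($password, $row['salt']));
}

// Two users chose the same password. With per-user salts their rows still differ,
// so one match in a precomputed "hashed dictionary" does not give away the other.
$rows = [];
foreach (['alice', 'bob'] as $user) {
    $salt = makeSalt();
    $rows[$user] = ['salt' => $salt, 'hash' => saltedHash('password123', $salt)];
}
var_dump($rows['alice']['hash'] === $rows['bob']['hash']);  // the two hashes differ
var_dump(verifySalted('password123', $rows['alice']));       // correct password
var_dump(verifySalted('password124', $rows['alice']));       // wrong password

// --- Part 2: crypt() already carries its salt, so no second column is required ---
function bcryptSalt(int $cost = 10): string {
    // bcrypt ("$2y$") wants a 2-digit cost and 22 chars from the alphabet ./A-Za-z0-9.
    $chars = substr(strtr(base64_encode(random_bytes(17)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$', $cost) . $chars;
}

function checkPassword(string $password, string $stored): bool {
    // Passing the stored value as the salt lets crypt() read the algorithm, cost and
    // salt back out of it; only the right password reproduces the identical string.
    return hash_equals($stored, crypt($password, $stored));
}

$stored = crypt('password123', bcryptSalt());   // returned string = salt prefix + hash
var_dump(checkPassword('password123', $stored));  // correct password
var_dump(checkPassword('wrongpass', $stored));    // wrong password
```

Because the salt travels inside the crypt() result, a separate userspace salt column adds nothing that the embedded one does not already provide; what matters is that the salt is random per user.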
--- End Message ---
--- Begin Message ---
Nathan Nobbe wrote:
> On Jan 19, 2008 3:08 PM, Jochem Maas <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>
> >     or alternatively use that .htaccess to deny apache index listings.
>
> i of course use .htaccess, but OP was asking for a php based solution, so
> that's what i supplied, that's all.

my reply was to the OP, not you as such, given that you're also answering his
question, sorry for the misunderstanding.

that said I have found it's often a worthy exercise to poke/prod the OP as
to what they are really trying to achieve rather than blindly assume that what
they are asking is what they really want - this is quite often not the case - I
think you'll agree :-)

> -nathan


--- End Message ---
--- Begin Message ---
On Jan 19, 2008 7:50 PM, Jochem Maas <[EMAIL PROTECTED]> wrote:

> my reply was to the OP, not you as such, given that you're also answering
> his question, sorry for the misunderstanding.

i think half the time i get confused myself; like this morning when you said
show us your exact code, to the OP of the thread, and i was like; 'i just
posted my exact code' :)


> that said I have found it's often a worthy exercise to poke/prod the OP as
> to what they are really trying to achieve rather than blindly assume that
> what they are asking is what they really want - this is quite often not the
> case - I think you'll agree :-)


such was the case w/ the thread where tedd asked about embedding &nbsp in
the name attribute of an input tag of type submit.
everybody was going on about how to handle it on the server side and i was
like, just end it w/ a little css.  so yeah, i def agree.

-nathan

--- End Message ---
--- Begin Message ---
On Jan 19, 2008 6:36 PM, Nathan Nobbe <[EMAIL PROTECTED]> wrote:
> On Jan 19, 2008 7:50 PM, Jochem Maas <[EMAIL PROTECTED]> wrote:
>
> > my reply was to the OP, not you as such, given that you're also answering
> > his question, sorry for the misunderstanding.
>
> i think half the time i get confused myself; like this morning when you said
> show us your exact code, to the OP of the thread, and i was like; 'i just
> posted my exact code' :)
>
>
> > that said I have found it's often a worthy exercise to poke/prod the OP as
> > to what they are really trying to achieve rather than blindly assume that
> > what they are asking is what they really want - this is quite often not the
> > case - I think you'll agree :-)
>
>
> such was the case w/ the thread where tedd asked about embedding &nbsp in
> the name attribute of an input tag of type submit.
> everybody was going on about how to handle it on the server side and i was
> like, just end it w/ a little css.  so yeah, i def agree.
>
> -nathan
>

Just add a simple index.php to every folder you want to hide, if you
want a "PHP solution".

index.php:
<?php
header('Location: http://yoursite.com');
exit; // stop here so nothing after the redirect header is sent

-Casey

--- End Message ---
--- Begin Message ---
this is what i already did before asking :-)

On Jan 19, 2008 7:53 PM, Nathan Nobbe <[EMAIL PROTECTED]> wrote:

> On Jan 19, 2008 1:46 PM, Alain Roger <[EMAIL PROTECTED]> wrote:
>
> > Sorry if my post was not clear...
> > in fact i would like to hide the content of my webfolders and prevent
> > users from seeing the index of "folders"... for sure users should be able
> > to browse the website, but not to see its structure by browsing the
> > index :-)
>
>
> then define an index.php file  for each directory that routes the users
> appropriately.
>
> -nathan
>
>


-- 
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.2.4 / MS SQL server 2005
Apache 2.2.4
PHP 5.2.4
C# 2005-2008

--- End Message ---
--- Begin Message ---
On Jan 19, 2008 9:52 AM, Richard Lynch <[EMAIL PROTECTED]> wrote:
> You can cheat like this:
>
> define('DEBUG', 1);
>
> if (DEBUG || $this->var == $preDefinedStringToTestWith)
>   return true;
> else
>   return false;
>
> At some later date, you change the 1 to 0 in the define() statement.
>
> Please tell us WHY you want do what you want to do...
>
>
> On Fri, January 18, 2008 1:50 pm, Marcus wrote:
> > Hi!
> >
> >
> > Is there any way to get the following snippet returning a true?
> >
> >
> > ...
> > $this->var = ?????
> > if ($this->var == $preDefinedStringToTestWith)
> >      return true;
> > else
> >      false;
> >
> >
> >
> > The problem:
> > I don't know, what $preDefinedStringToTestWith is!
> > $this->var can be set to any string.
> >
> > I tried
> > $this->var = "${preDefinedStringToTestWith}"
> > but this doesn't get expanded.
> >
> >
> > Thanks for your help,
> >
> > Marcus.
> >
>
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/from/lynch
> Yeah, I get a buck. So?
>
>

I *think* you want:

return $this->var == $$preDefinedStringToTestWith;

http://us.php.net/language.variables.variable
-- 
-Casey

--- End Message ---
--- Begin Message ---
On Jan 18, 2008, at 10:14 AM, Balasubramanyam Ananthamurthy wrote:
> I'm fetching content from database and printing it on the browser. I want to add a link on the same page "Click here to view it in PDF". Is it possible to do it using FPDF? If yes, how can I do this?

Yes, this can be done with FPDF. Go to http://fpdf.org, click on scripts and you'll find multiple examples with MySQL, one with PostgreSQL and even one with MS Access. FPDF has pretty good documentation and lots of example code to browse.

I suggest using the forum on fpdf.org to ask specific questions as you'll likely get better help there than on this list, simply because it's focused specifically on fpdf.

Brady

--- End Message ---
