On 7/26/06, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
>
> FYI, I saw an interesting article today on IBM's web site detailing how to
> (and how NOT to) use encryption within PHP code.  Those interested can find
> the article at:
>
> http://www-128.ibm.com/developerworks/library/os-php-encrypt/index.html?ca=drs-

This doesn't seem like a _great_ article, for the 'common man', as it
involves, at least in the last step, executing a binary with proposed
input from the user (i.e. a username, or something) as command line
parameters. It validates one (the 'msg' from the form), but not the
others that may be adjusted to accept input as well.

Not only is the binary run, but it would imply that the script has
executable permissions on at least that file, if not the entire
directory, or even the entire system. All of which are bad.

It also recommends to use md5, which is totally broken as a secure
hashing function and should not be used at all.


> Cheers,
>
> Ken

-- mic
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
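The command-injection problem described in the reply above, shown as an added example; this is not code from the IBM article or from the poster. The binary path `/usr/bin/some-encrypt-tool`, the form fields `msg` and `recipient`, and the sample request are all hypothetical and constructed for illustration.

```php
<?php
// Added example (not from the article or the reply): why passing form fields
// straight into a command line is dangerous, and one way to do it safely.
// The binary "/usr/bin/some-encrypt-tool", the field names and the request
// below are hypothetical / constructed for illustration.

declare(strict_types=1);

// Constructed sample request. Only 'msg' is validated by the hypothetical
// script; 'recipient' is not, and an attacker controls it.
$request = [
    'msg'       => 'hello',
    'recipient' => 'alice@example.org; cat /etc/passwd',
];

// UNSAFE: string interpolation into a shell command. The ';' in 'recipient'
// ends the intended command and starts a second one chosen by the attacker.
function buildCommandUnsafe(array $req): string
{
    $msg = preg_match('/^[A-Za-z0-9 ]{1,200}$/', $req['msg']) ? $req['msg'] : '';
    return "/usr/bin/some-encrypt-tool --to {$req['recipient']} --text {$msg}";
}

// SAFER: validate every field against an allow-list, then quote each argument
// with escapeshellarg() so the shell treats it as one literal string.
function buildCommandSafe(array $req): string
{
    if (!preg_match('/^[A-Za-z0-9 ]{1,200}$/', $req['msg'])) {
        throw new InvalidArgumentException('msg rejected');
    }
    // Strict allow-list for the recipient: a plain e-mail-shaped token only.
    if (!preg_match('/^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$/', $req['recipient'])) {
        throw new InvalidArgumentException('recipient rejected');
    }
    return '/usr/bin/some-encrypt-tool --to ' . escapeshellarg($req['recipient'])
         . ' --text ' . escapeshellarg($req['msg']);
}

// Show the two command lines side by side (nothing is executed here).
echo "unsafe: " . buildCommandUnsafe($request) . PHP_EOL;
try {
    echo "safe:   " . buildCommandSafe($request) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "safe:   rejected (" . $e->getMessage() . ")" . PHP_EOL;
}

// A value that passes the allow-list is still quoted, so a later loosening of
// the pattern cannot turn it into a second command.
echo "safe:   " . buildCommandSafe(['msg' => 'hello', 'recipient' => 'alice@example.org']) . PHP_EOL;
```

The allow-list does the real work; `escapeshellarg()` is defence in depth for the case where the pattern is later relaxed. On PHP 7.4 and newer, passing the command to `proc_open()` as an array instead of a string avoids invoking the shell at all, which removes the injection surface entirely rather than escaping around it. None of this addresses the other point in the reply, that the web server account needs execute rights on the binary in the first place; that is a deployment decision about which account runs the helper, not something the script can fix.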
