|
PHP - Salt Generation - Issue With Quotes
I have this little snippet of code that runs when a user updates their password:
fetch_user_salt_new(): Code: [Select] function fetch_user_salt_new($length = 5) { $salt_a = ''; for ($i = 0; $i < $length; $i++) { $salt_a .= chr(vbrand(33, 126)); } return $salt_a; } Code: [Select] $salt = fetch_user_salt_new(); $salt_processed = mysql_real_escape_string($salt); Now, occasionally when a user changes their password (or anything that inserts the salt into the database, such as registration), the salt length stored in the database becomes 6 or 7 instead of 5. As in, 99% of salts are only 5 digits long, but some salts are longer... The longer salts normally have odd components, such as \', \", or \\ leading to salts increasing by 1 or 2 digits in length. My idea is that mysql_real_escape_string() is putting a \ in front of quotes which is not what I intended when adding that piece of code in. By adding mysql_real_escape_string() in, I intended for quotes (' or ") to not be factors affecting the Query. Prior to instituting mysql_real_escape_string(), a ' or " would close the query and mess up the insertion of the salt. (Original Topic: http://www.phpfreaks.com/forums/index.php?topic=356368.0 ) It seemed to work but not doesn't Any help is very appreciated, Mark Similar TutorialsThis code only works in firefox <a onMouseout='hidetooltip()' onMouseover='tooltip(\"<img src=img/heroes/$hero.gif\")' href='hero.php?hero=$hero'>Text</a> Btw, I use this in echo (php). How to get quotes (triple) on <img src= ? I also have tried <img src='img/heroes/$hero.gif' But only works on FireFox I'm not sure if this is an HTML or browser issue... But single quotes in strings from database don't work for me in Chrome for some reason. To mine or any other computers. Every other browser detects these quotes. I'm outputting an SQL result containing strings like: Texas Hold'em or America's Cup and I get Texas Hold America Quotation marks are confusing me.
What do you guys use when it comes to quotation marks?
In HTML attributes and throughout the bodies of my web pages, I use the HTML entity ("). For example:
<a href="" title="Read "Article Name""> <p>In his new book, he says: "This is a quote."</p>I thought that this is the best practice. However, today, I read that it's perfectly safe to use straight quotes (") in the body, and that I should use the HTML entity only in HTML attributes. Is that correct? But what if I want to use curly quotes in the body instead of straight quotes? Should I always use the HTML entities for curly quotes (“ and ”), or can I also safely use the characters (“”)? I heard that straight quotes are safe in all browsers, even if you don't specify the character set of your web pages, but that curly quotes are only safe if you specify the character set or if you use the HTML entities. Is that true? And what about the <q> tag? Apparently, it's compatible with all browsers but they treat it differently. Edited by Fluoresce, 30 August 2014 - 07:37 AM. The fancy-looking quotes won't insert into my DB, so I'm trying to convert them to %93 & %94 or normal quotes.
Nothing I've tried works.
Code:
$fancy=" “test” "; $fixed=htmlentities($old, ENT_QUOTES); echo "fancy: $fancy<br>"; echo "fixed: $fixed"; Results: fancy: “test” fixed: I want $fixed to be %93test%94, or even "test" would work. Edited by rwmaho, 18 October 2014 - 01:28 PM. Hello everyone! This is my first post. I am very new to php and mysql and coding in general. It has not been made 100% clear to me as to when I should use single quotes, double quotes, and {}. From what I gather you use single quotes for literal interpretation... so if you put something like a variable in single quotes and echoed it, it would literally echo it as it is written and not the value of the variable. in double quotes, I gather that it will echo the value of the variable. as for {} I am unclear as to when to use the curly brackets for a variable. I am assuming if you had a statement in single quotes and you put a variable in curly brackets you would get the value of the variable?
Edited by LazerOrca, 25 November 2014 - 11:20 PM. I don't think I've asked this before have I?? can someone give me an internet KB that gives me all scenarios that warrant using singles or doubles? as in, wrapping values, variables, and why I need to do either, and when, etc, etc....? thanks Edited March 29 by ajetrumpetA problem has arisen which puzzles me. I have forms which save data to MySql and retrieve it, showing it as the default data in the form. Naturally I escape any quotes before sending it to the database and remove the slashes when I retrieve it. But the form HTML code shows the data like this value="$variable" which is fine when only single quotes are used in the data but causes a problem when the user uses double quotes. So data of John \"Jack\" Smith would be output as value="John "Jack" Smith" with obvious problems. If I use value='...' then that would cause problems with single quotes. I haven't seen the answer in any of my books. The only things I can think of is changing all double quotes to single before saving to DB or converting them with htmlspecialcharacters so they are no longer actual quotes. I honestly don't think salt is necessary with my system. I currently use: $password = md5(sha1(md5(sha1($_POST['password'])))); Is this good enough when it comes to storing a password, encrypted? Ok this is my script so far: Code: [Select] class User { function generateHash($password, &$saluti=null) { define('SALT_LENGTH', 15); $key = '!@#$%^&*()_+=-{}][;";/?<>.,'; if ($saluti=="") { $saluti = substr(hash('sha512', uniqid(rand(), true).$key.microtime()), 0, SALT_LENGTH); } else { $saluti = substr($saluti, 0, SALT_LENGTH); } return hash('sha512', $saluti . $key . $password); } function validate_user($username,$password) { $mysql = new Database(); $hashedPassword = generateHash($password,''); $ensure_credentials = $mysql->verify_username_and_password($username,$hashedPassword); if($ensure_credentials) { $_SESSION['auth'] == "yes"; header("Location: index.php"); } else return "That was not the correct username or password."; } } It gives me this error: Quote [05-Feb-2012 17:14:59] PHP Fatal error: Call to undefined function generatehash() in /home1/elvonica/public_html/scripts/classes/user.php on line 24 Can anyone help me solve this? which would be secured to use friends? or could we use both together? show some usage example please Hi guys, Iv been reading into password salting and im struggling to understand its purpose. From what iv read you can basic salt a password by doing the following: $salt = "randomtext"; $password = "apple"; $password = md5($password.$salt); I was wondering though, if a hacker is able to crack the md5, wont they see the password and the salt? Example: a hacker cracks the md5 to reveal applerandomtext. From applerandomtext it wont be hard for them to work out that the password is apple. So doesn't that make the idea of salting pointless? I'm still trying to figure out why I should use salt. If the bad guy knows a name and tries something like brute force shoving passwords into the log-in form until one worked how would salt help stop that? If a bad guy, God forbid, gets hold of the user names and passwords like they did phpbb(?) forums several years ago how would salt stop that? I know I may be beating this issue to death but if I have salt in the users table assigned to a user and his password now equals $stored_password = sha1($salt.$password) does this really doesn't matter? Because if the bad guy knows the user name and uses brute force or has a list of passwords from the users table that he has gotten some way. All he has to do is type in the user name and password and salt will be added automatically. Salting passwords... How can you update the salting without getting all the users to change their password? Is the salting set in stone once created? I was wondering how most people use salt or what is the order of the steps to use salt? Does the script take the new password then encrypt it then add salt and in encrypt it again, are they just added together and then encrypted or is it a combination of something like that? And I guess the de-encrypting would be the reverse. Not looking for code just the big picture. Thanks S I am currently testing a small hash idea, for say database encryption for passwords. Basically what I want to know is if this is a good or not the best method for encryption... Code: [Select] <?php $us_password = 'drowssap'; // User-Submitted Password; $salt = '))!&8d*34d763!(('; //The salt $dbs_password = '3750221c513902ff76f4ec7ffed5fa4385d2599d'; // Sha1 hash for "drowssap"+Salt; if($us_password == sha1($us_password.$salt)){ //Some other code for success here } else { //Failure code here } ?> So basically, this is an abstract example of what I'm doing... Is it any good, or what could be improved? I've also used DB-Stored salts unique to each user, so even if someone used rainbow tables ( even after failure on my part for letting them get the hash... ), and multiple users had the same password, they would only crack one, rather than all of them, since the hashes would be different due to the different salts. Just a quick question. I have heard a few people say that they store a specific (maybe random) salt string in the same row as the user that is generated when the user account is created or password is changed. But I thought one of the reasons people use hashing is so if someone managed to get hold of the database they couldn't decipher the password (like a simple md5'd string). But putting the salt string next to the username surely gives the attacker a major push in the right direction? I am not claiming to know anything, I'm just asking because I'm trying to find the best practice (Or at least a good tried and tested one). I like the idea of having a salt in a php config file, because that would mean an attacker would actually have to get your files, and if they had got that far then your pretty much screwed anyway. When a User changes his/her Email Address, should I generate a new Salt and Hash? (I am re-using the code I used for a Password Reset, and during that I generated a new Salt and Hash for security. I guess it can't hurt...) Thanks, Debbie I'm incorporating a dynamic salt into my user system, but I'm not sure how to store the salt itself. The password is hashed and added to the database, but wouldn't you need to store the salt as plain text in the database in order to verify the login later? Also, I've read that using both a dynamic and static salt is good practice. If this is the case, is the static salt simply defined within the PHP? Or is there another method to storing it? Thanks for the help Hi Guys, I wonder If I can call on this forums help once again. I am trying to add salt to my md5 password hash. However I think I am getting the syntax slightly wrong as it is not working properly. It works in the fact that when someone logs in and they have a 1 next to the member type it will direct them to the teachers page . However if no values are entered into the log in form and someone clicks log in it will still direct them to the students page when I thought it would direct them to log in failed. The code for the log in form is: Code: [Select] //Sanitize the POST values $login = clean($_POST['login']); $password = clean($_POST['password']); $salt = "salt"; $EncryptedPassword=md5($password, $salt); //Create query $qry="SELECT * FROM users WHERE username='$login' AND password='$EncryptedPassword'"; $result=mysql_query($qry); //Check whether the query was successful or not if($result) { if(mysql_num_rows($result) == 1) { //Login Successful session_regenerate_id(); $member = mysql_fetch_assoc($result); $_SESSION['SESS_MEMBER_ID'] = $member['id']; $_SESSION['SESS_FIRST_NAME'] = $member['FirstName']; $_SESSION['SESS_LAST_NAME'] = $member['LastName']; $_SESSION['SESS_LAST_NAME'] = $member['Member_Type']; session_write_close(); } //if the member has an id equal to 0 send them to the member page if($member['Member_Type'] == 0){ header("Location: Student-Page.php"); //if the member has an id equal to 1 send them to the admin page } elseif($member['Member_Type'] == 1){ header("Location: Teachers-Page.php"); } // regardless of the outcome, we need to exit, so it can be done once after both checks exit(); } else { //Login failed header("location: login-failed.php"); exit(); } In case you need it the code for the registration form where the password is originally salted upon creation is: Code: [Select] <?php //Start session session_start(); //Include database connection details require_once('config.php'); //Connect to mysql server $link = mysql_connect(DB_HOST, DB_USER ,DB_PASSWORD); if(!$link) { die('Failed to connect to server: ' . mysql_error()); } //Select database $db = mysql_select_db(DB_DATABASE); if(!$db) { die("Unable to select database"); } //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } //Sanitize the POST values $username = clean($_POST['username']); $FirstName = clean($_POST['FirstName']); $LastName = clean($_POST['LastName']); $Member_Type = clean($_POST['Member_Type']); $password = clean($_POST['password']); $Cpassword = clean($_POST['Cpassword']); $salt = "salt"; $EncryptedPassword = md5($password,$salt); //Check for duplicate login ID if($username != '') { $qry = "SELECT * FROM users WHERE username='$username'"; $result = mysql_query($qry); if($result) { if(mysql_num_rows($result) > 0) { } @mysql_free_result($result); } else { //die("query failed"); } } //Create INSERT query $qry = "INSERT INTO users(username, password, FirstName, LastName, Member_Type) VALUES('$username','$EncryptedPassword','$FirstName','$LastName','$Member_Type')"; $result = @mysql_query($qry); //Check whether the query was successful or not if($result) { header("location: register-success.php"); exit(); }else { die("Query Failed"); } ?> If someone could take a look and point me in the right direction. Also if there are any other mistakes let me know I would be very grateful. Thanks in advance. Edd |
|||||||