Comments on: Building Browsergames: Securing our hashes (PHP)

By: Valerio De Camillis

Valerio De Camillis — Wed, 24 Aug 2011 21:44:49 +0000

Well, this post is 2 years old now, but still for those reading it now: this is not the proper way of storing salted hashes.

The real purpose of salt is to render hashes of the same password different from each other so that if two users have the same password their hashed values would still look different.

A proper implementation would add a random salt generated on the fly for each user, and store that value in a 'salt' column in the db.

Then you can compute the proper hash fetching the salt associated with the username, then joining it with the password the user typed in.

Disqus is too laggy today for me to write proper code, but i doubt anyone will be reading this anyway.

By: binni

binni — Thu, 15 Oct 2009 07:34:46 +0000

I meailing this to my friend he has got great interest in this.

Have a nice day
paul
______________________________________________
Medical Alarm | href="http://www.SMARTSOURCENEWS.com " target="_blank">pass a drug test | href="http://www.PASS-ALL-DRUG-TEST.com " target="_blank">pass marijuana drug test

By: max191

max191 — Mon, 05 Oct 2009 08:08:27 +0000

I would just say one thing to you and that is, â€œFANTASTICâ€!! Keep it up and wish to get more details from your blog.
regards
charcoal grill

By: MrLollige

MrLollige — Sat, 14 Mar 2009 18:05:48 +0000

Ah ok .
Anyway, my salt (which I made before I read this thanks to the user comments on other pages) is short, and I probably do not need it anywhere else than on the login and register page.
Thanks for your reply!

By: Luke

Luke — Sat, 14 Mar 2009 17:12:13 +0000

The benefits of turning it into a configuration value aren't so much in
securing it, as they are in not repeating it everywhere – if your salt is
'thequickbrownfoxjumpedoverthelazydog', do you really want to type that
everytime you need it?

By: MrLollige

MrLollige — Sat, 14 Mar 2009 16:13:10 +0000

you could(and probably should) turn the salt into a configuration parameter

Why? I mean, if I change the salt value (if someone figured it and modified his dictionary to it), noone would be able to login any more….

By: Chris Hepner

Chris Hepner — Sun, 30 Nov 2008 23:08:12 +0000

It doesn't matter much, but it isn't necessary to nest the md5() function within mysql_real_escape_string() as you will never have to escape a hexadecimal string.

While it usually works regardless, HTTP/1.1 requires you to use an absolute URL in header redirects. Example from php manual below:

/* Redirect to a different page in the current directory that was requested */
$host = $_SERVER['HTTP_HOST'];
$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\');
$extra = 'mypage.php';
header("Location: http://$host$uri/$extra");
exit();