
El Chupacodra

Members
  • Posts

    63
  • Joined

  • Last visited

    Never

Profile Information

  • Gender
    Not Telling

El Chupacodra's Achievements

Newbie

Newbie (1/5)

0

Reputation

  1. Usually the character set is wrong or not set. Check and double-check that you have UTF8 as character set everywhere. Is that info from the database? You could run a quick SQL query to get all the character sets - the server has one and the database another. Type this as an SQL query in PHPMyAdmin or anything else you use: show variables like '%char%' It will list all your character sets. Most likely one is ISO8859.
  2. I never saw someone have as much difficulty following a thread as you do. I've emphasised time and time again that this is NOT to find the one method - I said there is more than one. You missed mcrypt() which is also useful. Bcrypt() is also a valid alternative. Most people can make these work, but then again most people would have gotten the point long before this post. Phpass is good - that doesn't mean people don't have issues with that too: http://www.google.se/search?client=opera&rls=sv&q=phpass+problem&sourceid=opera&ie=utf-8&oe=utf-8&channel=suggest I haven't found any articles, tests or reviews that let us compare these different methods but if you have one I'm genuinely interested in seeing it. So to spell this out as clearly as it ever will be spelled out: crypt() and mcrypt() are valid hashing tools without being BETTER than phpass. My second point was that what you wrote florida was rude and in no way helpful. Glad to see you use an analogy at the end - except I'm not talking to the mechanic, I'm talking to the next guy waiting to have his car fixed and he's telling everyone there that the problem is always the gearbox.
  3. What happens when it's not working? The query isn't so complex you need to carry variables over so it should be pretty straightforward. If you turn this $sql = "SELECT user_name FROM $tbl_name WHERE user_level ='0' ORDER BY user_id LIMIT $start, $limit"; to $sql = "SELECT user_name FROM $tbl_name WHERE user_level ='0' ORDER BY user_id LIMIT '$start', '$limit'"; ...does it make a difference? If not - what are the errors? Can you echo your variables and the query to see if they show properly?
  4. This is exactly why we're talking about this. Hashing is used as a defence in worst-case scenarios, and he's saying in a worst-case scenario, you're screwed. That's bad advice, and has no place in this discussion. The article does a very good job of going over the basics of password hashing, and why it's done. If you have a better article to send him to, please post it. Again, bad security advice is a no-no, and I believe you're better off educating yourself (through reading or asking) than trying to contribute something volatile you have little understanding of. Perhaps it makes me condescending, but I'm still giving good advice. It's not a bad article but carrying it around doesn't mean you are the only one who gets to post. If nothing else we got a good discussion going. You should be above belittling someone for it. 3. Google monetizes off their free service through data collection and advertising. You have to pay money to use Google's Ad service... the one that makes them billions. Please, if you want to continue this discussion, avoid trying to make analogies. They don't work. They work fine and have since way before Jesus Christ. Please explain how Openwall is going to monetize off of a class that's been released to the public domain? No license whatsoever. You think they aren't making any profit from branding? We even touched on Google's way of doing it a second ago. Openwall may have commercial interests, but those have nothing to do with PHPass or the article linked. If there is some connection, besides them residing on the same web page, please elaborate. The advertising argument is thin as well. There's plenty of opportunity to push their commercial services in the article, but it's not there. Yes. Even if it was just bragging rights it's in their interest to strengthen their brand. And there is monetary interest here. Not that it matters since my point wasn't that phpass is bad because it's not. "You want more developers?" 
When did I ask for developers? What did you mean then when you asked for more examples? I think the issue here is that you're simply defending floridaflatlander while trying to appear that you have information to contribute to the topic. Twofish isn't used for hashing, so it's trivial to bring up in this discussion. I tried to point that out, but I guess it needs reiterating. Again, ciphers (along with the mcrypt set of functions) are used for encryption/decryption, which is much different than hashing. Please, let me know if there's anything I can elaborate on. If you're ready to actually discuss the pros and cons of using PHPass vs other packaged solutions vs implementing native functionality on your own, I'd be happy to give my opinion. As of now, I've shown that MD5 isn't 'broken' in a password-hashing sense, and that implementing crypt manually is more complex than using PHPass. If you disagree, please explain why and please use code or sources to support your decisions. You probably won't get this but I still think people can use one of the above mentioned ways to hash their passwords. Even the encryption ones. I still say it's not about proving who is best or cracking each other's passwords. I. Just. Said. There. Are. More. Ways. To. Skin. A. Cat.
  5. Or you could just upload the image to the server and save the link in your database. You could even make two at once so you have a fullsize folder and a thumbnail folder (or both versions in the same folder).
  6. For someone who claims superior reading comprehension you really don't see my point. Or points. Nr 1. I think phpass is good - I just said there are alternatives that are just as good. How am I not backing that up? I listed a few. There are some cases where you need to download a library and some where you don't. Nr 2. I think this part was pretty rude: That doesn't strike you as slightly condescending? Especially considering florida didn't really say anything except mention the Wordpress solution (which happens to be phpass nowadays). To answer the free part - Google is also free, and making billions. There is a commercial interest in Openwall as well even if it is free. You want more developers? RSA and NIST for instance. How to implement them? They seem to work well for most people regardless of whether you choose crypt(), mcrypt(), bcrypt() or phpass(). Including the many servers which still use PHP 5.1 or 5.2. As for Twofish - it was made because they felt Blowfish wasn't strong enough so someone may want that algorithm to start with. Is it a must? No, just mentioned it's available.
  7. What I'm saying is that there are built-in alternatives to phpass already. Crypt() has been in PHP since PHP 4; mcrypt(), scrypt() and more all have support to do what PHPass does. Mcrypt in particular is brilliant and lets you use a number of ciphers, among them Twofish. You look too dogmatic when you say that anyone who doesn't hail Phpass doesn't understand the concept. So you read books the average person doesn't understand? Great. You can use Phpass but anyone else can use any one of the options above. Most ciphers iterate a number of times these days. Your 20,000 iterations took 2 seconds. What if you had a couple of 100,000 users logging on and off at the same time? I think most people (or say government organizations) can live with less than 20k iterations. What if someone decides to perform a DOS attack to register multiple passwords at once? I liked reading the article too, just be aware that it's one provider in a field where there are plenty. You're like the guy who bought a Ford after reading the merchandising from Ford and calling anyone who drives anything else an idiot because of what it says in your Ford material.
  8. It's most likely what Adam is after - that $_SESSION['cart'] isn't an array. Check it with gettype() or is_array().
  9. The link looks good. The only thing I'd add to it is that if you have a more complex query connected to a post form the variables don't carry over, so to keep any additional search arguments (if any) you must parse them separately, either through hidden fields or through get variables in the URL. If you do choose the latter you will have to use url_encode() and url_decode() to use that information. This might not be necessary in your case, I just mention it on the topic of pagination.
  10. Which is why I suggest crypt() instead. It already has algorithms that do what your article suggests. You can use Blowfish with a 22 character salt and 4-31 iterations or SHA-512 (or 256) with a sixteen character salt and 1,000-999,999,999 iterations. Works just as well with less work. The reason I replied in the thread was that I just thought it was rude of you to knock people down for giving (or trying to give, as you wrote to florida) advice when they don't have your flashy signature article. I think you made a religion of that one article but there are plenty of ways to make secure passwords. In fact it's not an unbiased article - it's the product description of Openwall's product - phpass. I agree it's a good product, I just think people should know there are others too. With less work.
  11. You can install phpmailer (http://phpmailer.worxware.com/) on the server if that's an option, lots of people say it helps them. Also correct formatting helps a lot, and you may have to set a Sender Policy Framework (see http://www.openspf.org/). But tough spam filters will gladly stop any mails thinking they are spam.
  12. I still think it's worth shedding light on weaknesses in md5, especially since you just link a long article. I don't want to install the software to crack it, I'm just going to go with alternatives to md5. You know, that don't have custom made programs to crack them. What I mean is, md5 is ok if you iterate the hell out of it. But there are so many easier ways out there so why?
  13. I read your article and I only got to this part before I had to check the date on it: - "I heard that MD5 has been "broken". Shouldn't we use SHA-1 instead?" - It is true that MD5 has been broken as it relates to certain attacks (practical). SHA-1 has also been broken in certain other ways (mostly theoretical). However, neither break has anything to do with the uses of these functions for password hashing, especially not as building blocks in a higher-level hashing method. Thus, any possible reasons to move off MD5 or SHA-1 as underlying cryptographic primitives for password hashing "because of the break" are purely "political" rather than technical. (It may be easier to just phase out MD5 and SHA-1 rather than differentiate their affected vs. unaffected uses.) Go here: http://www.oxid.it/cain.html and read about a free program you can download that lets you attack specifically md5 and sha1, brute-forcing over 10 million attempts a second with a good video card. He's wrong when he thinks the reason to shy away from md5 is political. Php.net themselves also recommend using crypt() instead (see http://se2.php.net/manual/en/faq.passwords.php). It lets you use several stronger algorithms like the ones mentioned later in your article. I liked the rest of the article but I wanted to bring that part up as well.
  14. I would also recommend you read this article on php.net: http://se2.php.net/manual/en/faq.passwords.php Modern video cards are capable of ten million password attempts a second or more so security is important.
  15. Unless I missed it there is no call to session_start() anywhere. You need that to have session variables set and read. Put it early, definitely before any HTML is output - but in some configurations you need to have it before anything else.
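Posts 10 and 13 point at PHP's crypt() with the Blowfish and SHA-512 settings as the alternative to a separate library. As an added example (not code from the thread or from any poster), this is what those two setting strings look like in practice, plus the verification step; it assumes PHP 7+ for random_bytes() and the "$2y$" prefix (PHP 5.3.7 or later):

```php
<?php
// Added example: the crypt() formats described in post 10.
// Assumes PHP 7+ (random_bytes); "$2y$" needs PHP >= 5.3.7.

// Map random bytes onto crypt()'s salt alphabet "./A-Za-z0-9" (64 symbols,
// so taking each byte modulo 64 introduces no bias).
function crypt_salt(int $length): string {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    foreach (str_split(random_bytes($length)) as $byte) {
        $salt .= $alphabet[ord($byte) % 64];
    }
    return $salt;
}

// Blowfish: "$2y$" + two-digit cost (04..31, work factor is 2^cost)
// + "$" + 22-character salt. Output is always 60 characters.
function blowfish_hash(string $password, int $cost = 12): string {
    $setting = sprintf('$2y$%02d$%s', $cost, crypt_salt(22));
    return crypt($password, $setting);
}

// SHA-512: "$6$rounds=N$" + 16-character salt, N in 1000..999999999.
function sha512_hash(string $password, int $rounds = 100000): string {
    $setting = sprintf('$6$rounds=%d$%s', $rounds, crypt_salt(16));
    return crypt($password, $setting);
}

// Verification: the stored hash carries its own algorithm, cost and salt in
// the prefix, so it doubles as the setting string. hash_equals() compares in
// constant time instead of leaking how many leading bytes matched.
function check_password(string $password, string $stored): bool {
    $recomputed = crypt($password, $stored);
    // crypt() returns "*0" or "*1" on failure; never let that compare equal.
    if (strlen($recomputed) < 13) {
        return false;
    }
    return hash_equals($stored, $recomputed);
}

$pw = 'correct horse battery staple';   // constructed sample password
$b  = blowfish_hash($pw);
$s  = sha512_hash($pw);
var_dump(strlen($b) === 60);               // bool(true)
var_dump(check_password($pw, $b));         // bool(true)
var_dump(check_password('wrong', $b));     // bool(false)
var_dump(check_password($pw, $s));         // bool(true)
var_dump(check_password('wrong', $s));     // bool(false)
```

Store the full string crypt() returns; nothing else (salt, cost, algorithm) needs its own column.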