Ninjakreborn

I know the variables are but how do I access them, the entire set that has to do with information gathering, the browser, ip address, address visited from and everything else?

http://us3.php.net/manual/en/function.hash.php string hash ( string algo, string data [, bool raw_output] ) so hash("md5", $data,); question 1- should I set the 3rd parameter to true or false, when I choose the algorithm can i use it all through hash examples [code]hash("sha1", $data); hash("md4", $data); hash("sha256", $data);[/code] Is this logical, also when I look at the functions in the manual, there is no where to provide salt at, where would the salt come in.

Way too over my head [code]<?php $password = "bob"; srand( microtime( true ) ); /*Variable initialization*/ $salt_template = "0123456789ABCDEF"; // this $salt = ''; // this /*Create a random string with template of length 10*/ for ( $i = 0; $i < 10; $i++ ) // this { $salt .= substr( $salt_template, rand() % 16, 1 ); } $hash = md5( $password . $salt ) . $salt; ?>[/code] I don't understand, I see those $i = 0, X0212 whatever I see that a lot but I have never had to use anythign like that what is it, and the salt template, won't I have a build a different template for each one, or could I use the first 2 letters of the username as salt.

http://www.md5encryption.com/ http://weblogs.asp.net/pleloup/archive/2003/07/09/9851.aspx

I think encryption/decryption has it's purposes, I studied it enough, the bottom line should I store passwords in plain text to a database. If not then I can go with hash, but I saw that the function is called hash() and the first parameter is the type sha1, you could use as a type instead of a standalone function, is this true, I also read sha1 has been decrypted somewhere, i will show a link later. So if I hash something how do I match the text passwords up to see if there the same, is there anychance of it being wrong.

thanks for the advice I appreciate it, I will just use the sessions normally then.

Ok, so I will take a look at this and use it as an example, the reason I go on about encryption, is during the 3 months I studied security I learnt all kinds of attacks, before I became a programmer, I was a hacker for 10 years, I knew a lot then, and a lot of my friends had easy ways to do some of these things, making me even more afraid as a programmer.  To tell you the truth, the sessions id's I had a friend who could crack a session id in less than 20 minutes, he would listen in on the header transmissions pull the sid from the cookie, decrypt it, and use it to gain access to the current session.  There are a lot of things I learnt as a hacker, and even more I learnt from my friends, so it makes me 100 times scarder, and I feel that if I use what I use to know, the stuff I make, and the tutorials i make for other people will help them write more secure programming.

Alright then explain this and I am ready to go.  I visit a lot of sites to look around, on a regular basis, and I see a lot of them, free logins, I love in just for hte hell of it, and I end up finding out something like I can stay logged in.  I see that if I disable cookies I can't.  Then there are other sites I try the same thing, but even though cookies is disabled, I can still automatically log in each time, I have tested this from various sites in all three browsers, some of them keep you logged in for a specific amount of time, after hte session but no cookies get delivered of removed from the browser.

I have read on a lot of tutorial sites and stuff that it's best to hash your sids, when passing them, because it lowers the chances of someone trying to guess the session id to get into the existing session another thing I wanted to ask would I be stupid to rely purely on cookies for login.  So if I store the sessions in a file, and the id's in a database, that will prevent the person from having to login everytime and they still won't have to deal with cookies or anything?

Ok let me just ask the questions I don't understand, if anyone can answer it'll be appreciated. 1. Is it better to save the sessions in the files, or on a database. 2. What is the best way to handle session id's and what should I pick as session id's 3. well that's it.  except how to allow people to remain logged in ever if they don't have cookies if I choose to pass the session id through a cookie, or is this stupid, because I know a lot of people who do it.

THere are 3 ways of passing session id's, through url's through form fields, or through cookies, or database I guess.  I understand the relationship between the session and the cookie.  But I don't understand how if I store the sids in a database, how does it access that, or does each person get a different session id stored on the database on the same table as there username and password.  Like for instance when they login, I set a session and register the username/password, or whatever else, I store the sess id into the database.  So everytime they visit the site, it searches for that database to log them in automatically or something, some of this is still a little confusing and I am trying to get down sessions, encryption was pretty easy, 3 days and I know a lot about it, cookies, I created a cookie login page in 20 minutes with no experience with cookies, so that was easy as hell, but now sessions.  So do I even have a need to encrypt my passwords if it's ssh, or ssl, or whatever, because I Have that setup now.  The thing is, what if someone gets into the database, what I heard is that it's stupid to leave a plain text password stored in a database, but the crypt functions a piece of shit, the mcrypt library is severe overkill, and mysql's encode/decode functions suck anus.  There has to be another way, hash is something I can't figure out, I could probably hash something but have no idea how to compare it when they enter hte password at login, and I try to authenticate the user.

with my experience this happens a lot with percentages, try fixed width's on this see if it helps if not I have no idea.

I was wondering what is the point of using sessions to manage state for logins, you either save sids in url's or you send htem through cookies, what I see as the recommended, and safer way is cookies, but what about encrypting your session id's and decrypting them is there a point, what about if someone doesn't ahve cookies, can you use sessions like that, and still work around that or is there no point.

cookies, or sessions, to force them.

ah ok, thanks

your welcome

You can stop this easily with a number of ways with php, at the very top of the page put down VERY TOP OF THE PAGE <?php header("Cache-Control: no-cache, must-revalidate"); header("Pragma: no-cache"); header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); ?> With this you never have to worry about caching of that page again. [code]<% Response.CacheControl = "no-cache" %> <% Response.AddHeader "Pragma", "no-cache" %> <% Response.Expires = -1 %>[/code] that'll do it in asp just as a note. [code]<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">[/code] That will do it for the most part in the form of html, but it's not guaranteed. [code]header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache");[/code] And that is a more powerful php version of it, again but this will do what the top script does, as well as preventing dynamic data in flash from caching as well.

I checked and these 2 things seem to be your only 2 viable solutions. For the table add 1 column, name it login- datetime whatever record the exact time and date they log in, then where you are displaying the data, pull the entire out of the database to display people that are online, something like assuming your table is named userinfo your date and time is labeled datetime $select = "SELECT datetime FROM userinfo SORT BY datetype LIMIT 10;"; $query = mysql_query($select); then whatever to display the results, you could probably come up with some php calculations to only pull out show the ones for the last 20 minutes, so you know that they all were atleast logged in within the past 10-20 minutes, the only other options would be flash, perl, c+, or something more advanced, or setting up a chat like system using perl, or cgi-based programming, and with that, using it on your site, or look for external programs for your server that can detect when people are connected to your site.

This can be done in 4 ways, Sessions, cookies, databasing, or putting the info in some sort of  file, flat file, or excel sheet. All you are needing to do is store a time period/ wait you are wanting instant record, to show when they are online, and when they are not. Here Create a new column in your table, label it only. then when they log on, have it automatically update that, to show online, wherever you want to display the online status pull it from the . like SELECT * FROM tablename WHERE online = 'yes'; then run that through all your queries or what not, at that time it will show yes, or no.  You can have a function or something if ($online == "yes") { } whatever int hat if, if you wanted a picture to light up when there online you would put <img src="" whatever to have it appear when they are online, or you could put echo "Online" or whatever you wanted to do, then when they log off have it kill the script and say they are offline, have it change to no in the database, you might have some problems if people don't log off, so if you want another approach You can have it log them in when they log on, well actually, I don't know, I am stumped on how to set that up, if I think of anything further I Will let you know.

Here there is no point in having difficult with this, think about it, everytime you create a contact form it's doing the same thing. Here have a form <form name="infogatherer" action="processor.php" method="post"> Have as many input fields here as you want. </form> Then say you have 3 info fields, just stick them in an email $message = " Username: {$_POST[username]} Password: {$_POST[password]} Information: {$_POST[information]} mail("email@domain.com", "This is my data", $message); You can do whatever else you want to with it, I don't know if anyone can really exploit this, just don't set it up to where a user can send you html emails.  THen you might have some problems, as long as nothing is going into a database you should be fine.

Ok this is a standard php function crypt It's not part of the mcrypt library it's just a standard php function, I studied this for awhile, and I was going to do this, but I don't know if it's documented but I think I might have found an error in this, I am going to report it as an error to php.net based on the manual, and everyoen I have asked, the traditional way to use crypt is to have them create a username and password, at the beginning take the username and password, and salt the password with the first 2 letters of the username like this note, this is assuming they already submitted the form, there username is whatever they choose, as well as there password [code]$salt = substr($username, 0, 2); $password = crypt($password, $salt);[/code]Ok this takes the password they entered, and encrypts it with the salt, then it stores it back into the password, then you feed that to the database, and it saves it. Done with encryption. Now you can't decrypt this, it's 1 way encryption. But the way you are supposed to be able to authenticate the user, or check the password he enters against his password is when they try to sign in they enter a username and password when you get the data, you do the following with whatever password they put in [code]$salt = substr($username, 0, 2); $password = crypt($password, $salt);[/code] The username is now the username they entered and the password is the encrypted form of the password they entered into the form, then you take that encrypted password, and username, run it against the database, if this encrypted password in non-encryption form was the same as there other passsword they match, if you crypt 2 words with the same salt, they are suppose to be the same, as far as the manual says.  Now so if they enter another password than there own, when it encrypts using those 2 letters it will be different than there original password, so it returns false. I found a loophole, that I want to report, not sure if it's known or not If you take some characters, and change it around it stillr eturns true, if you enter the same password for both, it returns to, great, then playing around if you change just 1 letter, or 2 letters, int eh right way, it changes it and makes it true anyway even though it wasn't suppose to be an exact match, Just trying to leave a deep warning for people using crypt for authentification, you can even try it for yourself, make the first password you create when you register 952103902 then when you check it later in another script from the password, using the username try 952103902 and it returns true, then if you decide to go ahead and test it using a few different letters just throw a random letter at the end, or change one int eh middle it's still true, insstead of false like it should be fair warning.

wierd thing here, I was using php's crypt function I did this I started with salt, the username, cut up like $salt = substr($username, 0, 2); Then I ran it through crypt $password = crypt($password, $salt) When I try to authenticate it, it's generally correct, but there are some inconsistensies, I picked a random password 952103902 and when I ran it, it matched, but if I do 95210390 it doesn't match, which is hte way it's suppose to do bt if I use 9521039025 and 1 extra letter it returns true, is this miscalculation a random occurence or something to be concern about

ok, atleast I know how now.  THe other thing is, I am doin gpasswords, reading what I should do for encryption, I am not going through all of that for that, if I ever do do credit card, or social security or whatever maybe, but for now, I know that mdhas, or sha will work, I can also use that on my sessions id's what matters is I am 72 hours smarted in encryption, I know all the types assymmetrical, symmetrical, hash, I know about mdhash, or the hash library for new functions, I know about 1 way 2way key encryption(assymmetrical, symmetrical), and hash, and about key's and saving keys, and using the htaccess to authenticate if I needed, or letting apache do it, I am general intermediate now when it comes to encryption, so I can use this knowledge later to do what I need quicker when I start, now I will hash my passwords, after I do some research on what hash functions are the best, then match it against the password, I will do the same with my sessions id's Thanks for all the help.  by the way would there be any other way to save these keys instead of having to do that. 

ah I found my problem, how do I securely store the key, this is hte problem, every time it runs through my code, it creates 1 key, if I ran the same code, even if it's the same secret sentence or word, it creates a brand new key every single time, I have to store the 1 key permanently, somewhere, and be able to pull it for the password, I need advice?  It creates 1 key per run, it encrypts each one with a different key, how do I keep these key's

ok I need a little more assistance if you can, I redid a lot of my script, I even took out the srand, I thought it was making it a little too complicated to handle.  It's easier without it, it runs smoother, I have the keys included on each page, but it's not decrypting properly, here is my include page now [code]<?php $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND); $ks = mcrypt_enc_get_key_size($td); $key = substr(sha1('bullshit'), 0, $ks); ?>[/code] here is my page that I am encrypting on, and where I am including the file at [code]$td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, ''); include '../includes/key.inc.php'; mcrypt_generic_init($td, $key, $iv); $password = mcrypt_generic($td, $password); mcrypt_generic_deinit($td); mcrypt_module_close($td);[/code] That is just a cut out of my field, I still do everything else and add the password into the database, I can see it stored in the database, then I pull it out on another page, and can see the password encrypted, but it doesn't decrypt, this is what I have [code]$select = "SELECT username, password FROM userinfo WHERE username = 'joyel';"; $query = mysql_query($select); $rows = mysql_num_rows($query); while($array = mysql_fetch_array($query)) { extract($array); $td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, ''); include './includes/key.inc.php'; mcrypt_generic_init($td, $key, $iv); $password = mdecrypt_generic($td, $password); mcrypt_generic_deinit($td); mcrypt_module_close($td); echo $password; }[/code] it remains encrypted and does not decrypt.