Mchl

Staff Alumni
  • Content Count

    8,466
  • Joined

  • Last visited

Community Reputation

0 Neutral

About Mchl

  • Rank
    Prolific Member
  • Birthday 03/11/1982

Contact Methods

  • Website URL
    http://www.flingbits.com

Profile Information

  • Gender
    Male
  • Location
    High Memory Area
  1. Ok... so I messed up quotes with braces {} and PHP code with JS code. And to make it more elusive, it doesn't happen every time...
  2. I got this with quotes in NB 6.8. I can swear to Rasmus it wasn't working this way in 6.7 and below.
  3. Intellisense is actually Microsoft's trademarked technology AFAIK, so you won't find it anywhere except MS IDEs. Anyway, the arguments you present are like advice to use '' instead of "" for strings, because they're a bit faster. It's not going to make your script execute noticeably faster though, because most time is spent elsewhere. Same with IDE. What good is instant file opening, when I need to find a missing ; or } or ) now and then AFTER I have saved the file and reloaded it in the browser? In NB you have these (and other) errors highlighted the instant you make them. That's where time is saved.
  4. Did you ever calculate if you gain more time by not having this 0.5-1s lag on opening files than you lose by not having features like code hinting, instant syntax error finding, built-in VC tools etc.?
  5. I've yet to see a reason why would I want to use vim (other than being able to say I use it, just like all other cool kids do). It seems like quite a different approach than we're accustomed to see in IDEs... Ok.. downloaded, installed, now browsing the wiki
  6. I wonder how much truth is there in the story I've read somewhere of a guy, who created a working JavaScript IDE in Excel
  7. sha256 is 256 bits... - hence: 32 bytes long - expressed as hex: 64 characters long
     md5 is 128 bits... - hence: 16 bytes long - expressed as hex: 32 characters long
     sha256 is twice as long as md5 any way you cut it. It's an understandable mistake though, it's hard to remember the length of all of these hashes.
     Yeah... I screwed up my math big time... Not only did I confuse MD5 with SHA1 (which outputs 20 byte long hashes), but then I confused bytes with hexadecimal digits for SHA256.
  8. sha256 hashes are 64 bytes long, while md5 are 20 bytes long. Just compare the size of rainbow tables for all alphanumeric strings composed of 8 bytes. But yeah. Salting is the key for secure hashes.
  9. If the user forgets his/her password, let your script generate a new one and send it to them. Then ask them to change it to their own.
     Because it will always be 128 bytes long. Defining it as CHAR(128) has two benefits: 1. When reviewing database design it is implicit information that all data in this column will have 128 bytes. 2. I've seen some articles saying that doing index search on CHAR is a bit faster than on VARCHAR. Both of these are not really big benefits, but I like to do it this way (mostly because of #1).
     Still pretty good, and 'only' 64 bytes.
     Here's a list of all hashing functions supported by hash(). You might want to look them up in Wikipedia or somewhere, and choose something you like most. Remember, using a rare hashing function is also some security benefit (although I'd say it's better to use something 'strong' than something 'exotic').
  10. Why not use some less common chars in your salt? %$:"<šđČ If you're not comfortable with 128 bytes for password hash, you can use some other version of sha algorithm (there are three more to choose from). sha512 is just the strongest (of sha family) available through hash function.
  11. $hash = hash("sha512",$password.$salt); sha512 is actually pretty strong, and a bit of an overkill. It's 64 bytes long. Finding a collision for it would take some time.
  12. Not necessarily. He could use mysql injection to get the contents of the database, but still know nothing about the salting algorithm. I had my PHPnuke hacked once (well, three times actually, but I'm talking about one particular time), where the hacker just posted all stored passwords (hashed) as a news item on the front page (and as it was aggregated into an RSS channel, we've had a lot of embarrassment). One more thing: If they have access to your php files, they know your database credentials. Game over.
  13. mysql_real_escape_string(sha1(md5(md5(sha1(md5(sha1(sha1(md5($pass))))))))), What is that supposed to be? What are you expecting to escape? sha1() returns only hexadecimal characters. And multiple hashing gives you no better protection (some argue it's worse actually). Just use more secure hashing algorithm ( hash - choose one) and salt your passwords (and salt them good). http://phpsec.org/articles/2005/password-hashing.html
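The posts above argue about digest sizes (bits versus bytes versus hex characters) and describe storing hash("sha512", $password.$salt) in a CHAR(128) column. The following PHP is an added example written for this page, not code from the thread or its author: it computes the digest sizes for the algorithms discussed, implements the salted scheme from post 11 with a random per-user salt, verifies with a constant-time comparison, and shows why escaping a hex digest (post 13) does nothing. It assumes PHP 7 or later with the standard hash extension; the credential is a constructed sample and no database is involved.

```php
<?php
// Added example (not from the forum thread): digest sizes for the hash
// algorithms discussed above, plus the salted-hash scheme the posts describe.
// Assumes PHP 7+ with the standard hash extension; no database is touched.

declare(strict_types=1);

/** Digest size in bits, bytes and hex characters for one algorithm name. */
function digest_sizes(string $algo): array
{
    // hash() with $binary = true returns the raw digest; its length is the byte size.
    $rawLen = strlen(hash($algo, '', true));
    return [
        'bits'      => $rawLen * 8,
        'bytes'     => $rawLen,
        'hex_chars' => $rawLen * 2,   // each byte prints as two hex digits
    ];
}

/** Random per-user salt, hex-encoded so it stores safely in a CHAR column. */
function make_salt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));   // CSPRNG, not rand()/mt_rand()
}

/** The scheme from post 11: hash("sha512", $password . $salt), hex output (128 chars). */
function salted_hash(string $password, string $salt): string
{
    return hash('sha512', $password . $salt);
}

/** Compare in constant time so response timing does not reveal matching prefixes. */
function verify_password(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, salted_hash($password, $salt));
}

// Digest sizes: bits = bytes * 8, hex characters = bytes * 2.
foreach (['md5', 'sha1', 'sha256', 'sha512'] as $algo) {
    $s = digest_sizes($algo);
    printf("%-6s %4d bits = %3d bytes = %3d hex chars\n",
        $algo, $s['bits'], $s['bytes'], $s['hex_chars']);
}

// Constructed sample credential: store salt and hash per user, never the password.
$salt   = make_salt();
$stored = salted_hash('correct horse', $salt);
var_dump(strlen($stored) === 128);                           // fits CHAR(128)
var_dump(verify_password('correct horse', $salt, $stored));  // right password
var_dump(verify_password('wrong', $salt, $stored));          // wrong password

// Post 13: a hex digest contains only [0-9a-f], so mysql_real_escape_string()
// on sha1() output has nothing to escape.
var_dump(ctype_xdigit(sha1('anything')));
```

Note that a single SHA-512 over password plus salt is what the thread describes, not what current guidance recommends: PHP's built-in password_hash() and password_verify() (available since PHP 5.5) apply a deliberately slow, salted algorithm and handle salt generation and storage format for you, which removes both the fast-hash weakness and the hand-rolled salt column discussed above.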