LooieENG Posted May 10, 2008 (https://forums.phpfreaks.com/topic/104954-is-this-safe/) Is it safe to just use mysql_real_escape_string($str) or htmlentities($str, ENT_QUOTES) (or both?) before inputting data into a mysql query? It's for a username/password. (I was using ctype_alnum, but I'd like to allow more than a/n characters) Thanks.
DarkWater Posted May 10, 2008 Use mysql_real_escape_string() only. It's all you need. And if you md5() the password, you don't need to escape it.
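The difference between escaping an input before interpolating it and binding it as a query parameter, shown as an added example that is not part of the thread. It is written in Python against an in-memory SQLite table rather than the thread's PHP/MySQL, so the escaping helper uses SQLite's quote-doubling convention (MySQL's mysql_real_escape_string uses backslashes and is aware of the connection charset, which is why a hand-rolled escaper is not a substitute for it). The table contents and the test input are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed in-memory users table standing in for the MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def escape_sqlite(value: str) -> str:
    """Hand-rolled escaping in SQLite's dialect (doubling single quotes).

    Illustration only: MySQL escapes with backslashes and the correct rules
    depend on the connection charset, so use the driver's escaper there.
    """
    return value.replace("'", "''")


def find_user_unescaped(conn, username):
    """Unsafe pattern: raw input pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "ORDER BY username" % username)
    return [row[0] for row in conn.execute(sql)]


def find_user_escaped(conn, username):
    """Escape first, then interpolate: what the thread's advice amounts to."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "ORDER BY username" % escape_sqlite(username))
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, username):
    """Bound parameter: the value is never parsed as part of the SQL text."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = setup_db()
    # Constructed input containing a quote, the case escaping exists for.
    probe = "x' OR '1'='1"
    print("unescaped:", find_user_unescaped(db, probe))  # every row comes back
    print("escaped:  ", find_user_escaped(db, probe))    # []
    print("param:    ", find_user_param(db, probe))      # []
```

The interpolated-and-unescaped query returns every user because the quote in the input ends the string literal and the rest is parsed as SQL; the escaped and the parameterised versions both treat the whole input as one username and match nothing. Note that htmlentities() addresses a different boundary (text going into HTML output), so it does nothing useful before a query and belongs at output time instead.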
LooieENG Posted May 10, 2008 Author Okay, thanks. Also, now you mention md5, are md5 and sha-1 still safe? I read somewhere they can be cracked using rainbow tables. Is sha-512 OTT?
DarkWater Posted May 10, 2008 Yes, you can crack md5 with rainbow tables. I actually have some rainbow tables lying around somewhere. But anyway, in order to actually get the chance to crack it, they'd first need to access your (hopefully) secure database. MD5 is perfectly fine for non-critical logins. Unless you're storing credit card info (which you NEVER SHOULD, and if you are, you're getting a rant), md5 is perfectly fine.
LooieENG Posted May 10, 2008 Author Okay, thanks
LooieENG Posted May 10, 2008 Author Sorry, one more thing. Should I use md5() or hash('md5', $str)? Thanks. Edit: Think I'll use sha-512. I just tested an md5 hash on one of those websites and it got it within a second :|
wildteen88 Posted May 10, 2008 Sorry, one more thing. Should I use md5() or hash('md5', $str)? Thanks. Edit: Think I'll use sha-512. I just tested an md5 hash on one of those websites and it got it within a second :| Those websites that "decrypt" md5 hashes do not actually decrypt the md5 hash. Instead they have a database set up which stores the md5 hash to the word that corresponds to it. So when you enter the md5 hash of your very secret password, all they do is see if the hash you provided is in the database already; if it is, it'll return the actual word for the hash. This is one of the many reasons why you should also not use simple passwords. When setting a password include as many different characters as possible. For example @p1Em9C is more secure than applemac. Passwords should not be meaningful. MD5 hashes are one-way encryption only. You could use a technique called salt to make your encryptions more secure.
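An added example, not part of the thread, showing what wildteen88 describes: a "decryption" site is a precomputed table from digest to word, so an unsalted hash of a common word is reversed by lookup regardless of whether the algorithm is md5 or sha-512, while a per-user random salt keeps the stored digest out of any table built in advance. It is Python rather than the thread's PHP, the wordlist and the stored-record format (`algo$salt_hex$digest_hex`) are constructed for the demonstration, and the example's `applemac` is the weak password from the post above.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary behind an online
# "md5 decrypter": such a site only maps precomputed digests back to words.
COMMON_WORDS = ["password", "123456", "applemac", "letmein"]


def digest_hex(data: bytes, algo: str) -> str:
    return hashlib.new(algo, data).hexdigest()


def build_lookup_table(words, algo="md5"):
    """Precompute hash(word) for every word, keyed by hex digest.

    This is all a lookup site holds; nothing is ever 'decrypted'.
    """
    return {digest_hex(w.encode(), algo): w for w in words}


def reverse_unsalted(hex_digest, table):
    """Reverse a digest by table lookup only; None if never precomputed."""
    return table.get(hex_digest)


def hash_password(password, salt=None, algo="sha512"):
    """Salted hash in the (constructed) record format 'algo$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every user
    digest = digest_hex(salt + password.encode(), algo)
    return f"{algo}${salt.hex()}${digest}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, _ = stored.split("$", 2)
    candidate = hash_password(password, bytes.fromhex(salt_hex), algo)
    return hmac.compare_digest(candidate, stored)


def lookup_against_stored(stored, table):
    """Try a precomputed table against the digest part of a salted record."""
    return reverse_unsalted(stored.split("$", 2)[2], table)


if __name__ == "__main__":
    sha_table = build_lookup_table(COMMON_WORDS, "sha512")
    print(reverse_unsalted(digest_hex(b"applemac", "sha512"), sha_table))  # applemac
    record = hash_password("applemac")
    print(lookup_against_stored(record, sha_table))  # None: salt defeats the table
    print(verify_password("applemac", record))       # True
```

Switching from md5 to sha-512 alone does not help against a lookup table, because the table is simply rebuilt with the other algorithm; the salt is what makes precomputation useless, since every user's digest now depends on a value the attacker did not know in advance. Current practice goes one step further and uses a deliberately slow password hash (PHP's password_hash(), or PBKDF2/bcrypt elsewhere) so that even per-user brute force is expensive; a plain salted sha-512 as in this example is fast to compute and therefore only addresses the precomputation problem the post describes.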
LooieENG Posted May 10, 2008 Author Yeah, the only problem is easily 100+ sites use this password, so I can't really change it. I'm using sha512 now. OTT, but oh well..