The longer the string you use for hashing, the lower the chance that its hash will be in rainbow tables.

Seriously, do you expect any of your users to use a long password? If anything, you should be concerned about them using passwords that are too short, so you should set a minimum length for that. And use some good salt (good salt contains characters that are not on the keyboard - definition mine).

Yeah, I remember you telling me to use characters not on the keyboard for salt. I'm doing that. Also, I am setting a minimum length.

 

Ok, so if I set a maxlength of 35, I'll be fine?

 

I can't help worrying about everything.....I worry too much.....I get stressed out and start worrying about everything.

imo, a password over 20 characters is too long. Chances are the user will not remember it etc. But any length of password will generate a unique hash and the chances of collision will be very slim either way. That is why MD5 is also used in CheckSUM to verify that you are downloading the correct file.

You'll be fine with that :P

 

Chill. Remember... strength of your hashes will only be tested if your database is compromised... So take care of SQL injections :)

 

I remember you telling me that also. I use the real escape string and all the stuff y'all told me.

 

Personally, from my experience, any password someone's going to use is one they know.... (sounds dumb, but think about it)

 

Sure set a minimum length, but let them make it as long as they want. Chances are it will never get over 10 characters, and even if it does, what's the issue?

What if someone puts a 200 character password or 200 character username?

 

Does a user table with a max length for usernames, passwords, fnames, lnames, etc. of about 50 - 60 characters run a lot faster than a user table with a maximum of about 250 - 300 characters?

Username should be limited.

 

For the password, it will be checked, and as long as they had all the 200 characters right it would log them in. It would just be their loss, because the password could easily be forgotten, which is why I limit passwords to avoid too many password resets. Users are assumed to be stupid, so you must guide them as much as possible to avoid them getting frustrated and confused and having problems.

If it wouldn't be faster, do you think they would make you set a length when you create the table?

 

Lengths are there for a reason, the smaller the size, the smaller the footprint, the faster the process as well as DB size.

Users are assumed to be stupid, so you must guide them as much as possible to avoid them getting frustrated and confused and having problems.

 

Imagine a website for Nobel laureates in physics. They would have to solve a set of integral matrix equations to log in... XD

What kind of max lengths do you have for usernames and fnames, lnames, ?

 

I assume since I md5 the password, I should set it as char(32) in MYSQL?

 

What about email addresses? Technically, they can be 64 + @ + 255, so 320 characters long.

Would you set it as char(320) in MYSQL?

I was talking about passwords which get hashed. No matter what they put into that form, it will always be the same length after it's been hashed :)

 

As far as usernames etc.. go, of course you're going to limit them!! lol

An MD5 has a length of 32 characters, so that size is set I would think. As for the username portion, this would be true.

 

 

As far as max lengths for username, I do anywhere from 15-30 depending on the site. For fname and lname, I allow it to be 15 chars each just in case.

 

Email address I set at varchar(255), anything longer I take it the user is insane and should not be allowed on my website.

 

As far as usernames etc.. go, of course you're going to limit them!! lol

 

To what?  What is a standard max length for usernames, first names, email addresses?

 

Also, since the password will be a md5 should I set it as char(32) in the table?

 

varchar(32) for the password storage.

 

There is no standard for those lengths, it's your preference. Whatever you feel is a good length for them, set it to that; see the above post for my preferences.

 

CHAR(32) for MD5 hashes is the best

For email, we discussed it here on phpfreaks some time ago. What is the possibility that you will come across a user with 255 chars in their email? Virtually none. Limit it to something more like 64+64, and use VARCHAR not CHAR for that. It will save you some disk and memory space. If you get a complaint from a user with a really long email addy, send them a gmail invitation.

If you read his actual question, it has nothing to do with MD5 or anything else for that matter. It has to do with how much memory and space each field takes when you set the size.

 

Yes, MD5 takes 32 and should be set to 32, but then he branched off and asked about other things related to size, which was the question I answered.

 

I'm sorry. I appreciate the info you gave me. I just started thinking of other things and figured I'd ask them in this thread instead of creating other threads. I probably should have created a new thread.
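
The point made in the thread about stored length, as an added example that is not code from any poster: a hashed password has the same stored length whether the input is 8, 35 or 200 characters, so the column size does not depend on the maximum password length. It goes beyond the thread's MD5 case by also showing PHP's `password_hash()` with bcrypt; the function names `salted_md5` and `check_salted_md5`, the random per-user hex salt and the sample passwords are assumptions constructed for illustration.

```php
<?php
// Constructed sample passwords of very different lengths.
$passwords = [
    'short'  => 'hunter2!',               // 8 characters
    'medium' => str_repeat('abcde', 7),   // 35 characters
    'long'   => str_repeat('x', 200),     // 200 characters
];

/** Salted MD5 as discussed in the thread: always 32 hex characters. */
function salted_md5(string $password, string $salt): string
{
    return md5($salt . $password);
}

/** Compare a login attempt with the stored salted MD5 in constant time. */
function check_salted_md5(string $attempt, string $salt, string $stored): bool
{
    return hash_equals($stored, salted_md5($attempt, $salt));
}

foreach ($passwords as $label => $password) {
    // Assumption: one random salt per user, stored in its own column as hex.
    $salt   = bin2hex(random_bytes(16));                     // 32 hex characters
    $md5    = salted_md5($password, $salt);                  // fits CHAR(32)
    $bcrypt = password_hash($password, PASSWORD_BCRYPT);     // salt is embedded

    printf(
        "%-6s input=%3d  md5_len=%d  bcrypt_len=%d  md5_ok=%s  bcrypt_ok=%s\n",
        $label,
        strlen($password),
        strlen($md5),
        strlen($bcrypt),
        var_export(check_salted_md5($password, $salt, $md5), true),
        var_export(password_verify($password, $bcrypt), true)
    );
}

// The same password under two different salts gives two different stored
// values, so a single precomputed table entry cannot match both rows.
$userA = salted_md5('hunter2!', bin2hex(random_bytes(16)));
$userB = salted_md5('hunter2!', bin2hex(random_bytes(16)));
var_dump(hash_equals($userA, $userB));
```

The PHP manual recommends a 255-character column when `PASSWORD_DEFAULT` is used, because the default algorithm and its output length can change between PHP versions.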

 

 
