DWilliams Posted September 22, 2010

Knowing that it has to be set once upon script installation and never changed, what is the most common way to handle this in redistributable scripts? Should I add a salt value in the config file and ask the user to set it, or should I generate a random value and write it to a file, or should I take a different approach entirely?

btherl Posted September 22, 2010

I would generate it if it's not there, and store it somewhere. I'm being vague about where to store it because it really depends how your script will be used and how the salt will be used. Asking the user to make it seems like asking them to do something they don't really need to. Though you can allow them to manually override it if needed.

DWilliams Posted September 29, 2010

Hmm, well, my script will be a small web-based utility that people will run on their webservers. Simply writing a random salt value to a file in my project's base directory and reading it in when needed seems easy and functional, but I see two problems with that:

1. The file will be exposed to the outside world. On Unix-based systems I can call chmod() on it and rectify that situation, but that won't work if the end user is running a Windows server, will it?
2. It adds an extra and perhaps non-obvious file to back up. If the user only backs up the database for the project and maybe the config file, they will be endlessly screwed if they lose the initial salt value.

DWilliams Posted October 30, 2010

Necro bump

btherl Posted October 31, 2010

I didn't reply earlier because I'm not sure what kind of salt you are using. How are you using the salt?

DWilliams Posted October 31, 2010

> I didn't reply earlier because I'm not sure what kind of salt you are using. How are you using the salt?

I'm not an expert on the terminology, but essentially I'm just using one string as my salt for additional password encryption. When an account is registered, I store the password in the database after running it through the following function:

    md5($config['salt'] . $_POST['password']);

And when they log in, I do the same thing with their input password. It works fine; my only problem is where to store the salt.

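An added example, not part of any post in this thread: one way to generate the install-time secret on first use, store it in a file that reveals nothing when requested over HTTP, and use it as a key alongside the per-user salts that `password_hash()` generates. The helper names and the file location are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example. Helper names and the file location are hypothetical; needs PHP 7+.

// Return the install-time secret, generating it on first use. It is stored as
// a PHP file that returns a string: assuming the server executes .php files, a
// direct HTTP request runs it and prints nothing, with or without chmod().
function load_or_create_secret(string $path): string
{
    if (!is_file($path)) {
        $secret = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG
        $fh = @fopen($path, 'x');                 // 'x' fails if another request created it first
        if ($fh !== false) {
            fwrite($fh, "<?php\nreturn '" . $secret . "';\n");
            fclose($fh);
            @chmod($path, 0600);                  // best effort on Unix-like hosts
        }
    }
    $value = is_file($path) ? (include $path) : null;
    // Anything other than the expected 64-character string is treated as a failure.
    if (!is_string($value) || strlen($value) !== 64) {
        throw new RuntimeException("Cannot read or create secret file: $path");
    }
    return $value;
}

// Key the password with the site-wide secret, then let password_hash() add a
// random per-user salt and a slow hash. base64 keeps NUL bytes out of bcrypt.
function keyed_input(string $password, string $secret): string
{
    return base64_encode(hash_hmac('sha256', $password, $secret, true));
}

function hash_password(string $password, string $secret): string
{
    return password_hash(keyed_input($password, $secret), PASSWORD_DEFAULT);
}

function verify_password(string $password, string $secret, string $stored): bool
{
    return password_verify(keyed_input($password, $secret), $stored);
}

// Constructed demo: the temp directory stands in for the project's own directory.
$secret = load_or_create_secret(sys_get_temp_dir() . '/demo_site_secret.php');
$stored = hash_password('correct horse', $secret);
var_dump(verify_password('correct horse', $secret, $stored));
var_dump(verify_password('wrong guess', $secret, $stored));
```

Losing this file invalidates every stored hash, so it belongs in the backup set. With `password_hash()` alone, the per-user salt is stored inside each hash string and a database backup is enough.
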
A1SURF.us Posted November 1, 2010

I think I'm asking the same thing here: http://www.phpfreaks.com/forums/php-coding-help/how-does-md5-password-encryption-work/