sandbox Posted April 18, 2013 (edited)

Hi everybody,

Okay, so I have two problems which I will outline as best I can. Any help with these issues would be very much appreciated.

#1. I have a 'gold' value in my 'users' table. The higher the amount the user has, the better the reward they get. As a reward for procuring gold, I want to affix images to their profile username based on the amount they have. For example, after reaching 100 gold, a single star will be affixed to their username. After reaching 500 gold, 2 stars will be affixed, etc. I've tried a few different techniques, but I will just post my code below to demonstrate more clearly.

<?php
if (!$_SESSION) {
    echo " ";
} else {
    // Escape the username once before it goes into HTML: it is user-supplied text.
    $name = htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');

    // Note: these are independent ifs, so every threshold the user meets prints
    // its own span (a user with 1000 gold gets the username and an image three times).
    if ($user['gold'] >= 100) {
        echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_1.png\"></span>";
    }
    if ($user['gold'] >= 500) {
        echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_2.png\"></span>";
    }
    if ($user['gold'] >= 1000) {
        echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_3.png\"></span>";
    }
    if ($user['gold'] >= 2000) {
        echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_4.png\"></span>";
    }
    if ($user['gold'] >= 5000) {
        echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_5.png\"></span>";
    }
}
?>

#2. I also have a question regarding salting passwords. Currently, I am using the 'sha1' hashing algorithm to protect my passwords, but for obvious reasons, this does not provide adequate protection. I would like to salt my passwords with that particular user's sign-up date. How would I go about doing this? And how is 'sha1' rated in the world of hashing algorithms?

Any input to my topic would be greatly appreciated. Thank you for taking the time.

Edited April 18, 2013 by sandbox
lemmin Posted April 18, 2013

Your star logic seems like it should work just fine, assuming all images are of just one star and you are just printing each out next to each other. You might consider setting a flag in the database for the user, instead. You could do this logic when the gold is updated and set the flag for the star number. That way, you wouldn't have to check it every time a user's information is loaded.

As for your hashing, sha1 is completely fine. No hash can be reversed without a rainbow table. The only reason to salt is to prevent someone from using a rainbow table to reverse a hash of a known string. As long as your salt is not a common string of characters, it is unlikely to ever be a part of a known sha1 hash. In this case, you can use the same salt for EVERY password and be safe. A changing salt consoles those who are paranoid of their salt being discovered. Since a static salt is usually in the code and the information about what dynamic salt is used would also be in the code, I find the two methods quite similar in terms of security.
requinix Posted April 18, 2013

1. Aren't you outputting the username multiple times too? Shouldn't it just be the stars? If you mean only one of those spans to be outputted you have to use else-ifs so that only one branch works at a time and then rearrange the branches so that the most specific (gold >= 5000) happens before the least specific (gold >= 100). Because if I have 5000 gold then I definitely have >=100 gold too.

2. SHA1 is less secure than it used to be. If you're redoing this then you should switch to a better algorithm like SHA512 or bcrypt. As for the salt, it should be an entirely random string - not some predetermined value already associated with the user. Yes, you do have to store the salt.

I strongly disagree with lemmin's comments that SHA1 is "completely fine" and that you "can use the same salt for every password and be safe". I can't let that go.
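The scheme requinix describes in point 2, written out as an added example (this is editor-supplied code, not anything posted in the thread): a per-user random salt and a slow hash instead of sha1(signup_date . password). It uses PHP's password_hash()/password_verify(), which generate a 16-byte random salt per password and store it inside the 60-character bcrypt string, so no separate salt column or "how do I combine the date" step is needed. It also shows how to migrate the thread's existing unsalted sha1 hashes the next time each user logs in, since you cannot rehash stored hashes without the plaintext. Assumptions: PHP 7.0 or later; the $users array stands in for the `users` table, and the column names 'password_hash' and 'legacy_sha1' plus the helper names are invented for the demo.

```php
<?php
// Added example, not code from the thread. Random per-user salt (embedded by
// bcrypt) plus a slow hash, and transparent upgrade of legacy sha1 hashes.
// Assumes PHP >= 7.0. $users stands in for the `users` table; the column names
// 'password_hash' and 'legacy_sha1' are invented for this demo.

const BCRYPT_COST = 12; // tune so one hash takes roughly 100-250 ms on your server

// Registration: store only password_hash()'s output (salt included), never the password.
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = [
        'password_hash' => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
        'legacy_sha1'   => null,
    ];
}

// A row as it would look for an account created under the old unsalted sha1 scheme.
function addLegacyUser(array &$users, string $username, string $password): void
{
    $users[$username] = [
        'password_hash' => null,
        'legacy_sha1'   => sha1($password), // what the old code stored
    ];
}

// Login. Returns true on success and upgrades legacy rows and stale costs in place.
function loginUser(array &$users, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    if (!isset($users[$username])) {
        // Unknown user: spend the same time as a real check so response timing
        // does not reveal which usernames exist.
        password_verify($password, $dummyHash);
        return false;
    }
    $row = &$users[$username];

    if ($row['legacy_sha1'] !== null) {
        // Old scheme: compare in constant time, then replace it with bcrypt while
        // we still have the plaintext.
        if (!hash_equals($row['legacy_sha1'], sha1($password))) {
            return false;
        }
        $row['password_hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $row['legacy_sha1']   = null;
        return true;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // If BCRYPT_COST was raised after this hash was made, rehash it now.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $row['password_hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Demo with constructed accounts; each var_dump prints a bool.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
addLegacyUser($users, 'bob', 'hunter2');

var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'bob', 'hunter2'));          // migrates bob's row to bcrypt
var_dump($users['bob']['legacy_sha1'] === null);
var_dump(loginUser($users, 'nobody', 'anything'));
```

Two things the sign-up-date idea does not give you: the salt here is unpredictable (an attacker who dumps the table cannot pre-compute anything, and cannot read the salt off the user's profile), and the hash is deliberately slow, which is what actually limits offline guessing; a single sha1 of date plus password is still billions of guesses per second on a GPU.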
sandbox (Author) Posted April 18, 2013

Sorry, I should have specified that. Each increase in stars loads a new image (e.g. *, **, ***, ****, *****), as opposed to placing one star next to the previous. As it stands, the stars are being outputted next to a new instance of the username, therefore forming something similar to this: user* user** user***

In terms of the salt, I know where you're coming from with both a static and dynamic salt being in the code, but I would still prefer the latter option. How exactly would I go about using the sign-up date of a user as a salt? I'm not sure how I would implement this feature on site registration, and then log in.

Thanks for your time.
sandbox (Author) Posted April 18, 2013

> 1. Aren't you outputting the username multiple times too? Shouldn't it just be the stars? If you mean only one of those spans to be outputted you have to use else-ifs so that only one branch works at a time and then rearrange the branches so that the most specific (gold >= 5000) happens before the least specific (gold >= 100). Because if I have 5000 gold then I definitely have >=100 gold too.
>
> 2. SHA1 is less secure than it used to be. If you're redoing this then you should switch to a better algorithm like SHA512 or bcrypt. As for the salt, it should be an entirely random string - not some predetermined value already associated with the user. Yes, you do have to store the salt.
>
> I strongly disagree with lemmin's comments that SHA1 is "completely fine" and that you "can use the same salt for every password and be safe". I can't let that go.

1. Exactly! I previously tried elseif statements but without rearranging the branches, and obviously without success. Now that I followed your advice, it's working perfectly. Thank you!

2. I am redoing the whole thing, so SHA512 it is. I'm just unsure about how best to implement this feature, both efficiently and securely.
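The fix sandbox confirms above (one branch, highest threshold checked first), as an added example that is not code from the thread: the else-if chain is replaced by one lookup over a threshold table sorted high to low, which is the same logic but cannot be put in the wrong order by accident, and the username is HTML-escaped before output because it is user-controlled text landing inside markup. Image paths and the $user row shape follow the original post; the helper names are invented here, and it assumes PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example, not code from the thread. Single-tier star rendering with the
// thresholds kept in one descending table, plus output escaping of the username.
// Assumes PHP >= 7.1; helper names are invented for this demo.

// Highest threshold first, so the first match is the user's tier.
const STAR_TIERS = [
    5000 => 'images/green_star_5.png',
    2000 => 'images/green_star_4.png',
    1000 => 'images/green_star_3.png',
     500 => 'images/green_star_2.png',
     100 => 'images/green_star_1.png',
];

// Returns the image for the highest tier reached, or null below 100 gold.
function starImageForGold(int $gold): ?string
{
    foreach (STAR_TIERS as $threshold => $image) {
        if ($gold >= $threshold) {
            return $image;
        }
    }
    return null;
}

// Builds the span exactly once. The username is escaped because it comes from
// the user; the image path comes from our own table, so it needs no escaping.
function renderUsername(array $user): string
{
    $name  = htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
    $image = starImageForGold((int) $user['gold']); // cast: DB drivers often return strings
    $html  = '<span class="center_text">' . $name;
    if ($image !== null) {
        $html .= '<img src="' . $image . '" alt="">';
    }
    return $html . '</span>';
}

// Demo with constructed rows shaped like the original $user array.
echo renderUsername(['username' => 'sandbox', 'gold' => '1500']), "\n";   // tier 3 image
echo renderUsername(['username' => 'newbie', 'gold' => 50]), "\n";        // no image
echo renderUsername(['username' => '<b>x</b>', 'gold' => 7000]), "\n";    // tags escaped, tier 5
```

If you later take lemmin's suggestion of storing the computed tier in the database, keep the same descending table as the single source of truth and run starImageForGold() when gold is updated, so the stored tier and the rendered tier can never disagree.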
lemmin Posted April 18, 2013

> I strongly disagree with lemmin's comments that SHA1 is "completely fine" and that you "can use the same salt for every password and be safe". I can't let that go.

You are right; it is always better to take security precautions. My response was based on every-day web security. If you are worried that your sha1 hash will actually be reversed, the salt is irrelevant. If your hashes are being brute-forced, a salt is only going to make it take longer. I guess I never consider any higher-level threats unless there is actual sensitive data being stored.
sandbox (Author) Posted April 19, 2013

Issue #2 is still at hand. Any help would be much appreciated... Everybody in bed?
lemmin Posted April 19, 2013

You can store the signup date for the user and then concatenate it to the password before hashing it.