Affix Image to Username Based on Int Value / Also Question Regarding Salting


Hi everybody,

 

Okay, so I have two problems which I will outline as best I can. Any help with these issues would be very much appreciated.

 

#1. I have a 'gold' value in my 'users' table. The higher the amount the user has, the better the reward they get. As a reward for procuring gold, I want to affix images to their profile username based on the amount they have. For example, after reaching 100 gold, a single star will be affixed to their username. After reaching 500 gold, 2 stars will be affixed, etc. I've tried a few different techniques, but I will just post my code below to demonstrate more clearly.

<?php
    // Visitors without a session get nothing.
    if (!$_SESSION) {
        echo " ";
    } else {
        // The username comes from the database and is user-controlled,
        // so escape it before placing it in HTML.
        $name = htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');

        // Each threshold is an independent test, so a user who clears a
        // higher threshold also clears every lower one.
        if ($user['gold'] >= 100) {
            echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_1.png\"></span>";
        }

        if ($user['gold'] >= 500) {
            echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_2.png\"></span>";
        }

        if ($user['gold'] >= 1000) {
            echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_3.png\"></span>";
        }

        if ($user['gold'] >= 2000) {
            echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_4.png\"></span>";
        }

        if ($user['gold'] >= 5000) {
            echo "<span class=\"center_text\">" . $name . "<img src=\"images/green_star_5.png\"></span>";
        }
    }
?>

#2. I also have a question regarding salting passwords. Currently, I am using the 'sha1' hashing algorithm to protect my passwords, but for obvious reasons, this does not provide adequate protection. I would like to salt my passwords with that particular user's sign up date. How would I go about doing this? And how is 'sha1' rated in the world of hashing algorithms?

 

Any input to my topic would be greatly appreciated.

 

Thank you for taking the time. :)

Your star logic seems like it should work just fine, assuming all images are of just one star and you are just printing each out next to each other.

 

You might consider setting a flag in the database for the user, instead. You could do this logic when the gold is updated and set the flag for the star number. That way, you wouldn't have to check it every time a user's information is loaded.

 

As for your hashing, sha1 is completely fine. No hash can be reversed without a rainbow table. The only reason to salt is to prevent someone from using a rainbow table to reverse a hash of a known string. As long as your salt is not a common string of characters, it is unlikely to ever be a part of a known sha1 hash. In this case, you can use the same salt for EVERY password and be safe. A changing salt consoles those who are paranoid of their salt being discovered. Since a static salt is usually in the code and the information about what dynamic salt is used would also be in the code, I find the two methods quite similar in terms of security.

1. Aren't you outputting the username multiple times too? Shouldn't it just be the stars? If you mean only one of those spans to be outputted you have to use else-ifs so that only one branch works at a time and then rearrange the branches so that the most specific (gold >= 5000) happens before the least specific (gold >= 100). Because if I have 5000 gold then I definitely have >=100 gold too.

 

2. SHA1 is less secure than it used to be. If you're redoing this then you should switch to a better algorithm like SHA512 or bcrypt. As for the salt, it should be an entirely random string - not some predetermined value already associated with the user. Yes, you do have to store the salt.

I strongly disagree with lemmin's comments that SHA1 is "completely fine" and that you "can use the same salt for every password and be safe". I can't let that go.
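The rank logic described in point 1, written out as an added example rather than the original poster's code: the thresholds are checked from highest to lowest so the first match is the rank earned, the username is printed exactly once, and it is escaped before it reaches HTML. The $user array keys, the image file names and the center_text class follow the snippet in the thread; the function names, the threshold table and the sample rows are assumptions made for this example.

```php
<?php
// Added example (not from the original post): compute the star rank once
// from a threshold table checked from highest to lowest, then print the
// username a single time with the matching star image. The $user array,
// image names and 'center_text' class follow the thread's snippet; the
// function names, STAR_THRESHOLDS and the sample rows are hypothetical.

declare(strict_types=1);

// Descending order so the first threshold the user clears is the highest one;
// this replaces the chain of independent ifs (and the reordered elseifs).
const STAR_THRESHOLDS = [5000 => 5, 2000 => 4, 1000 => 3, 500 => 2, 100 => 1];

function star_count(int $gold): int
{
    foreach (STAR_THRESHOLDS as $minimum => $stars) {
        if ($gold >= $minimum) {
            return $stars;   // first hit wins
        }
    }
    return 0;                // below 100 gold: no star
}

function render_username(array $user): string
{
    // The username is user-controlled data from the database; escaping it
    // here keeps a name such as <script>...</script> from running in every
    // page that displays it.
    $html  = htmlspecialchars($user['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $stars = star_count((int) $user['gold']);
    if ($stars > 0) {
        $html .= sprintf(
            '<img src="images/green_star_%d.png" alt="%d-star rank">',
            $stars,
            $stars
        );
    }
    return '<span class="center_text">' . $html . '</span>';
}

// Constructed sample rows standing in for the 'users' table.
$sample_rows = [
    ['username' => 'alice',      'gold' => 5000],
    ['username' => 'bob',        'gold' => 499],
    ['username' => '<b>eve</b>', 'gold' => 0],
];

foreach ($sample_rows as $row) {
    echo render_username($row), PHP_EOL;
}
```

Adding a new tier is then a one-line change to STAR_THRESHOLDS rather than another branch, and the rendering function is the only place that has to know how a rank is drawn.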

Sorry, I should have specified that. Each increase in stars loads a new image (e.g. *, **, ***, ****, *****), as opposed to placing one star next to the previous. As it stands, the stars are being outputted next to a new instance of the username, therefore forming something similar to this:

 

user*

user**

user***

 

In terms of the salt, I know where you're coming from with both a static and dynamic salt being in the code, but I would still prefer the latter option. How exactly would I go about using the sign up date of a user as a salt? I'm not sure on how I would implement this feature on site registration, and then log in.

 

Thanks for your time.

1. Exactly! I previously tried elseif statements but without rearranging the branches, and obviously without success. Now that I followed your advice, it's working perfectly. Thank you!

 

2. I am redoing the whole thing, so SHA512 it is. I'm just unsure about how best to implement this feature, both efficiently and securely.
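An added example of the registration and login side of point 2, not code from any participant in the thread. Rather than hand-rolling a SHA512-plus-stored-salt scheme, it uses PHP's built-in password_hash()/password_verify(), which generate a random per-user salt and embed it, along with the algorithm and cost, in the stored string (bcrypt by default, one of the algorithms named in the reply above). It also shows one way to migrate rows that still hold an unsalted sha1(): verify the old way once, then replace the row with a proper hash. The in-memory $users array, the function names and the sample passwords are assumptions made for this example; in the real site the array would be the 'users' table.

```php
<?php
// Added example (not from the original post): register and log in with
// password_hash()/password_verify(), and transparently upgrade users whose
// stored value is still a bare sha1(). $users stands in for the 'users'
// table; the function names and sample data are hypothetical.

declare(strict_types=1);

// Constructed stand-in for the users table, keyed by username. 'alice' was
// created by the legacy code, so her row holds an unsalted sha1() digest.
$users = [
    'alice' => ['password_hash' => sha1('correct horse battery staple')],
];

function register(array &$users, string $username, string $password): void
{
    // password_hash() draws a random salt from the CSPRNG and stores it inside
    // the returned string, so there is no separate salt column to manage.
    $users[$username] = [
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

function is_legacy_sha1(string $stored): bool
{
    // A bare 40-hex-char value is what the old sha1() column looks like;
    // password_hash() output always starts with '$', so the two cannot collide.
    return preg_match('/^[0-9a-f]{40}$/', $stored) === 1;
}

function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Spend roughly the same time on unknown users as on known ones so the
        // response time does not reveal which usernames exist.
        static $dummy = null;
        $dummy ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    $stored = $users[$username]['password_hash'];

    if (is_legacy_sha1($stored)) {
        // Legacy row: constant-time compare against sha1(), then upgrade in
        // place; the plaintext is only available at login, so this is the
        // one moment the row can be re-hashed.
        if (!hash_equals($stored, sha1($password))) {
            return false;
        }
        $users[$username]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // If PHP's default algorithm or cost has moved on since the row was
    // written, refresh it now while the plaintext is in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Walk through registration, a good login, a bad login and a legacy upgrade.
register($users, 'bob', 'hunter2hunter2');
var_dump(login($users, 'bob', 'hunter2hunter2'));
var_dump(login($users, 'bob', 'wrong-password'));
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(is_legacy_sha1($users['alice']['password_hash']));
```

The stored value for bob looks like "$2y$10$" followed by 53 characters of salt and digest; nothing about the user (sign-up date, id, email) is used as salt, and the work factor (the "10") is what makes brute-forcing a leaked table slow, which a fast hash such as sha1 or sha512 on its own does not provide.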

I strongly disagree with lemmin's comments that SHA1 is "completely fine" and that you "can use the same salt for every password and be safe". I can't let that go.

 

You are right; it is always better to take security precautions. My response was based on every-day web security. If you are worried that your sha1 hash will actually be reversed, the salt is irrelevant. If your hashes are being brute-forced, a salt is only going to make it take longer. I guess I never consider any higher-level threats unless there are actual sensitive data being stored.
