Edward Posted April 1, 2007
Hi, I'm trying to increase the security of my form by adding a random token as recommended on many sites, however when I create a variable using md5 it ruins my page and nothing after this is displayed. Here's my code so far:

function form() {
    $token = md5(uniqid());
?>
<p><img src="images/folder_blue_level0_open.gif" width="40" height="40" alt="" border="0" align="absmiddle" />Add a Folder</p>
<p>Note: You cannot create folders deeper than 3 levels.</p>
<!-- request data is escaped before it is echoed back into the page -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'], ENT_QUOTES); ?>" method="post">
<p>Folder Name: <input type="text" name="name" value="<?php echo isset($_POST['name']) ? htmlspecialchars($_POST['name'], ENT_QUOTES) : ''; ?>" size="20" maxlength="100"><br />
Description: <input type="text" name="description" value="<?php echo isset($_POST['description']) ? htmlspecialchars($_POST['description'], ENT_QUOTES) : ''; ?>" size="20" maxlength="100"><br />
// Rest of form...

The page loads because the title is shown, but the page is blank. Without the md5 line everything works ok. Can anyone tell me why?
pocobueno1388 Posted April 1, 2007
Are you using PHP 5 or above? Using md5(uniqid()); only works with PHP5 and above.
poirot Posted April 1, 2007
There is probably something wrong with the code and it is outputting some kind of error and it is messing the HTML. You should try to actually see the generated source code to have a better idea, but I guess the problem lies in using uniqid() without prefix, as this works only with PHP >=5. http://www.php.net/uniqid
Full-Demon Posted April 1, 2007
MD5 can be hacked easily. Hackerz made huge databases of all possible variations. You should use several encryptions together. Although this is off-topic, I would like to remind you of that.
Full-Demon
poirot Posted April 1, 2007
"MD5 can be hacked easily. Hackerz made huge databases of all possible variations. You should use several encryptions together. Although this is off-topic, I would like to remind you of that." -- Full-Demon
He's using it for tokens.
neel_basu Posted April 1, 2007
Use this function to hash it:

<?php
// SHA-1 via the mhash extension, then hex-encoded, then base64-encoded.
// Note: mhash() was deprecated in PHP 5.3 and removed in PHP 7;
// hash('sha1', $str, true) returns the same raw digest.
function hash_it($str) {
    return base64_encode(bin2hex(mhash(MHASH_SHA1, $str)));
}
echo hash_it("String");
?>

You can also use MHASH_SHA512 here. Actually I am just copy-pasting the function from the UMS class.
pocobueno1388 Posted April 1, 2007
neel_basu - The problem there is they would have to insert a string. Maybe you could use microtime to create an ID?
neel_basu Posted April 1, 2007
"neel_basu - The problem there is they would have to insert a string. Maybe you could use microtime to create an ID?" -- pocobueno1388
Are you talking about mCrypt?? When you are using the SHA algo, why do you need that microtime?? I didn't understand.
otuatail Posted April 1, 2007
I have played with this. The way I sorted it out was to use a session variable and the unix date stamp, as this is unique to the second; merging this with IDs etc. works for me. This is what I used, but this is only part of it.

function codec() {
    $stamp1 = time();                          // current unix timestamp
    $stamp2 = strtotime("1 January 2006");     // fixed reference date for the scheme
    $stamp3 = $stamp1 - $stamp2 + 100000000;   // seconds since that date, offset so it always has enough digits
    $stamp3 = substr($stamp3, -6);             // keep only the last 6 digits
    return $stamp3;
}

$key = codec();
$_SESSION['Core'] = $key;
$_SESSION['Base'] = $key . $ID;   // $ID is the caller's own identifier, not shown in this post

Admittedly sessions do time out but that's not a problem.
Desmond.
Edward Posted April 3, 2007 (Author)
I'm using PHP 5.1.6 on my local server. I need to create a secure token for a log in, and as soon as I set a session variable, the code breaks. I've stripped it down to try and find the problem but I can't see anything wrong?..

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="KEYWORDS" />
<meta name="description" content="CONTENT" />
<title>FTP</title>
<link href="css/global.css" rel="stylesheet" type="text/css" />
<link rel="Shortcut Icon" href="favicon.ico" />
</head>
<body bgcolor="#FFFFFF" marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">
<?php
session_start();
$token = md5(uniqid(rand(), TRUE)); // creates a random string of lowercase letters and numbers, 32 characters long - PHP5 or above!
$_SESSION['token'] = $token;
//$_SESSION['token_time'] = time();
?>
</body>
</html>

I'm seeing:
Parse error: syntax error, unexpected T_STRING in /home/beat0001/public_html/test.php on line 14
neel_basu Posted April 4, 2007
What's on line number 14? The code block you have posted doesn't contain any SYNTAX ERRORS. But don't make any output before session_start(). Use session_start() on the very first line.
kenrbnsn Posted April 4, 2007
This modification of your code works fine:

<?php
session_start();
$token = md5(uniqid(rand(), TRUE)); // creates a random string of lowercase letters and numbers, 32 characters long - PHP5 or above!
$_SESSION['token'] = $token;
$_SESSION['token_time'] = time();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="keywords" content="KEYWORDS" />
<meta name="description" content="CONTENT" />
<title>FTP</title>
<style type="text/css">
body, html { background-color: #ffffff; margin: 0; }
</style>
</head>
<body>
This is a test
<?php echo '<pre>' . print_r($_SESSION, true) . '</pre>'; ?>
</body>
</html>

Notice, I moved the "session_start()" to the very beginning of the script.
Ken
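The complete token round trip that the thread is working toward, as an added example (not Ken's or Edward's code): session_start() before any output, one token per session placed in the form, and a constant-time check on POST. It assumes PHP 7+ for random_bytes() and hash_equals(); the 30-minute lifetime is an assumed value.

```php
<?php
// Added example, not code from the thread. session_start() runs before any
// output; the token is created once per session, embedded in the form, and
// checked in constant time before the submission is acted on.
session_start();

function e($s) {   // escape request data before echoing it into HTML
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function new_token() {
    // random_bytes() is PHP 7+. The thread's md5(uniqid(rand(), TRUE)) fills the
    // same role on PHP 5 but with far less entropy.
    $_SESSION['token'] = bin2hex(random_bytes(32));   // 64 hex characters
    $_SESSION['token_time'] = time();
}

if (empty($_SESSION['token'])) {
    new_token();
}

$errors = array();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = isset($_POST['token']) ? (string) $_POST['token'] : '';
    // hash_equals() compares in constant time and rejects a missing or
    // wrong-length value.
    if (!hash_equals($_SESSION['token'], $sent)) {
        $errors[] = 'Invalid form token; reload the page and try again.';
    } elseif (time() - $_SESSION['token_time'] > 1800) {   // assumed 30-minute lifetime
        $errors[] = 'Form token expired; please resubmit.';
        new_token();   // the form below is rendered with the fresh token
    } else {
        // Token is valid: create the folder here.
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<?php foreach ($errors as $msg) { echo '<p>' . e($msg) . '</p>'; } ?>
<form action="<?php echo e($_SERVER['PHP_SELF']); ?>" method="post">
  <input type="hidden" name="token" value="<?php echo e($_SESSION['token']); ?>" />
  <p>Folder Name: <input type="text" name="name"
     value="<?php echo isset($_POST['name']) ? e($_POST['name']) : ''; ?>" size="20" maxlength="100" /></p>
  <p><input type="submit" value="Add Folder" /></p>
</form>
</body>
</html>
```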
neel_basu Posted April 4, 2007
Ya now its ok
Psycho Posted April 4, 2007
"MD5 can be hacked easily. Hackerz made huge databases of all possible variations. You should use several encryptions together. Although this is off-topic, I would like to remind you of that." -- Full-Demon
You don't seem to understand the difference between a hash and an encryption method. There was never any "mystery" concerning the possible variations - there are a finite number of possible MD5 hashes. Those databases of MD5 values are not reliable because there is no 1 to 1 correlation between a value and an MD5 hash. If it is so easy to hack, please tell me what value I used to generate this MD5 hash: af338e4dd743d8897eea5420f20c46c0
neel_basu Posted April 4, 2007
No. Sometimes it can be decrypted (guessed). It doesn't matter whether it's easy or hard to decrypt it. The matter is, as it can be decrypted, it's not safe.
Psycho Posted April 4, 2007
MD5 is NOT encryption, therefore it cannot be "decrypted". There is no 1 to 1 correlation between a value and its MD5 hash. Encryption and hashes are two entirely different things. Anyone can create a database of values and their respective hash values for any schema. That is why 1) developers should use a salt when creating their hashes and 2) users should use "strong" passwords. Again, I challenge anyone to tell me the value I used to create the hash above.
neel_basu Posted April 4, 2007
Please confirm: did you make that hash with characters and numbers only, or also with symbols?
Psycho Posted April 4, 2007
"Please confirm: did you make that hash with characters and numbers only, or also with symbols?" -- neel_basu
If you were a hacker would I tell you? Ok, I'll make it easy on you. It was made with letters and spaces only.
freakus_maximus Posted April 4, 2007
This is my password: thisismypassword
This is the md5 hash for my password: 31435008693ce6976f45dedc5532e2c1
This is my password and my salt: thisismypassword!&%$123!
This is my md5 hash with my salt: 3786059017b50b6752e204025a5bc8ce

Your salt is added to help mix it up. Unless someone knows your salt, then having your password is meaningless. So, where does my salt come from? Easy, I make it up, keeping it random and as obscure as possible. As a side note, I prefer to use a pass phrase as opposed to a pass word. This again adds to the complexity. Even if you have a db with every word in the dictionary and its corresponding md5 hash, so what. If I am using a phrase and my salt, it still will be enough to buy you a cup of coffee. Nothing is 100%, but this makes it just that much more difficult.
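The salting that Psycho recommends and freakus_maximus walks through above, as an added example (not code from either post): a random salt per user stored beside the hash, so two accounts with the same password produce different stored values and a precomputed table of plain hashes matches neither. It assumes PHP 7+ for random_bytes() and uses hash('sha256') where the thread uses md5(); the mechanism is the same.

```php
<?php
// Added example, not from the thread: per-user random salt instead of one
// fixed secret appended to every password. The salt is stored next to the
// hash; it only has to be unique per user, not secret.

function make_salted_hash($password) {
    $salt = bin2hex(random_bytes(16));           // 32 hex chars, random_bytes() is PHP 7+
    $hash = hash('sha256', $salt . $password);   // the thread's posts use md5(); same idea
    return $salt . ':' . $hash;                  // one string to store per user
}

function check_salted_hash($password, $stored) {
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;                            // malformed record, never a match
    }
    list($salt, $hash) = $parts;
    // Recompute with the stored salt and compare in constant time.
    return hash_equals($hash, hash('sha256', $salt . $password));
}

// Two users choosing the same password (constructed sample input) get
// different stored values, so one leaked hash does not identify the other.
$a = make_salted_hash('thisismypassword');
$b = make_salted_hash('thisismypassword');
var_dump($a !== $b);
var_dump(check_salted_hash('thisismypassword', $a));
var_dump(check_salted_hash('wrongpassword', $a));
```

For real password storage PHP's password_hash() and password_verify() do this with a deliberately slow algorithm; the block above shows only the salting mechanism the thread discusses.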
hitman6003 Posted April 4, 2007
The only known "hack" for md5 is to find a collision for a given hash. This means that rather than trying a reverse lookup for a hash, to find another phrase that generates the same hash. Which is grand and all...apparently some people have found a way to do it in less than 60 seconds (http://cryptography.hyperlink.cz/MD5_collisions.html), however, none of that matters if they don't know what the hash is to begin with. So, in order for someone to gain access to the password protected content, they would have to gain access to the database, retrieve that user's password hash, find a collision, then use it to gain access...which begs the question, why go to the trouble of finding the collision if they have access to the database anyway?

More information can be found here:
http://en.wikipedia.org/wiki/MD5
http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
http://www.cryptography.com/cnews/hash.html
neel_basu Posted April 5, 2007
No. It's weak according to the logic of maths and probability and statistics. Look, there is a finite and limited number of md5 hashes. Let the number be n. So if there are n+1 visitors in your system, their hashes will be equal although their passwords are different. So one can access another's account with a different password.
hitman6003 Posted April 5, 2007
Well, let's do some simple math here...md5 is a 128 bit hash. This means that there are 2^128 possible hashes...which I think comes to something like 3.4028 * 10^38 possible hashes. So, unless there are something along the lines of many billion billion billion users to a website, it's not going to happen. To put it another way, you, your parents, your grandparents, your dog, his parents, and his grandparents all have a better chance of winning every lottery in the world, at the exact same time, than finding a collision "by chance".
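The "by chance" collision odds above, worked out as an added bound (not part of the post): for $k$ users whose passwords hash into a space of $N = 2^{128}$ values, the birthday approximation gives

\[
P(\text{some two of } k \text{ hashes coincide}) \approx \frac{k(k-1)}{2N} \approx \frac{k^{2}}{2^{129}} .
\]

For a constructed figure of $k = 10^{10}$ accounts,

\[
P \approx \frac{10^{20}}{6.8 \times 10^{38}} \approx 1.5 \times 10^{-19},
\]

and the probability only reaches $1/2$ at about $k \approx 1.18\sqrt{N} \approx 2.2 \times 10^{19}$ users. The pigeonhole argument ($n+1$ users for $n = 2^{128}$ hashes) is correct but needs far more accounts than that, which is why the practical concern with MD5 is deliberately constructed collisions and unsalted lookup tables, not accidental ones.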
neel_basu Posted April 5, 2007
But what you told is simple math; it's NOT IMPOSSIBLE according to mathematics. msn uses SHA1.
hitman6003 Posted April 5, 2007
Yep, anything is possible...in fact I just won the lottery, was struck by lightning, and hit by a meteorite...all at the very same instant...and it's half price snow cone day in hell...and the devil is giving free sleigh rides...and the ice cube safely traversed hell's fire fields. It's all mathematically possible. Good luck with that whole "hacking" md5 thing.......
Psycho Posted April 5, 2007
"But what you told is simple math; it's NOT IMPOSSIBLE according to mathematics. msn uses SHA1." -- neel_basu
Yes, it is "possible", but you must consider that there is a finite number of possible passwords. A site will limit the minimum and maximum length for a password and there is only a certain number of characters that will be allowed for a password (i.e. no accented characters). That, coupled with the fact that the password hash must be associated with the username, makes the odds of someone using the wrong password to access an account so statistically improbable that it would realistically be considered impossible. I'm still waiting for the string I used to create the hash above since MD5 is so easy to crack. I'll even give you the number of characters: 44. You have WAY more information than any cracker would, but I still bet you will not determine the original value.