New Members Section
#15
JackoliciousLegs Wrote: oh, another thing... passwords are hashed, i.e. I can't see them, so don't worry :)

You need to hash, add salt, and hash again. I can crack a single MD5 hash on my P4 in 1 hr. Add a field to the DB (3 chars is enough) that will store the salt. Generate the salt at random.

So, say they enter sEcReT when they create the account. You would:
$randChars = gen3RandChars();                  // your helper: 3 random salt characters
$hash = md5( "sEcReT" );                       // first hash of the entered password
$hash .= $randChars;                           // append the salt
$hash = md5( $hash );                          // hash again
savePassword( $username, $hash, $randChars );  // store the final hash AND the salt

Then when they log in, you:
$testPW = md5( $enteredPassword );
$testPW .= $randChars;                         // the salt stored for this user
$testPW = md5( $testPW );
// strcmp() returns 0 when the two strings match, so test for 0
if( strcmp( $testPW, $hash ) == 0 ) $valid = true;
else $valid = false;

etc...

Since you are NOT using SSL for the login, may I suggest that you do the first hash in JavaScript; that way you are not sending the user's PW in clear text. Then you add the salt, hash and compare. The majority of your users are at JMU, on the same network. Do you have ANY idea how easy it is to sniff a network like that? You are CS, you should. Oh, they are using switches, huh? Well, even switches can be sniffed: all you have to do is MAC flood the switch and it will default to fail-open mode where all packets are sent to all ports, just like a hub; drop the NIC in promiscuous mode and sniff away for that plain text password...


For the single quote problem, make sure magic quotes is turned off in php.ini, then use the functions John suggested. Then read this
http://www.webmasterstop.com/tutorials/php-magic-quotes.shtml
and do what it says.

--chad
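The register/login flow chad describes, as an added example that is not code from the original post: the stored salt is generated with random_int(), and the comparison uses hash_equals() instead of a raw strcmp() test, which is the one change from his sketch. gen3RandChars(), saltedHash(), savePassword(), checkPassword() and the in-memory $users array are assumed names standing in for the DB layer the post leaves unspecified.

```php
<?php
// Added example (not chad's code): hash -> append salt -> hash again,
// with a 3-character random salt stored next to the final hash.
declare(strict_types=1);

const SALT_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Assumed helper: 3 random salt characters from a CSPRNG.
function gen3RandChars(): string {
    $salt = '';
    for ($i = 0; $i < 3; $i++) {
        $salt .= SALT_ALPHABET[random_int(0, strlen(SALT_ALPHABET) - 1)];
    }
    return $salt;
}

// The post's scheme, unchanged: md5(md5($password) . $salt).
function saltedHash(string $password, string $salt): string {
    return md5(md5($password) . $salt);
}

// Stand-in for the DB table: username => ['hash' => ..., 'salt' => ...]
$users = [];

// Assumed helper: what the post calls savePassword( $username, $hash, $randChars ).
function savePassword(array &$users, string $username, string $password): void {
    $salt = gen3RandChars();
    $users[$username] = ['hash' => saltedHash($password, $salt), 'salt' => $salt];
}

// Login check: recompute with the stored salt and compare the final hashes.
function checkPassword(array $users, string $username, string $entered): bool {
    if (!isset($users[$username])) {
        return false;
    }
    $rec = $users[$username];
    $testPW = saltedHash($entered, $rec['salt']);
    // strcmp() returns 0 on a match, so a bare `if (strcmp(...))` would accept
    // every WRONG password; hash_equals() does a constant-time equality check.
    return hash_equals($rec['hash'], $testPW);
}

savePassword($users, 'alice', 'sEcReT');
var_dump(checkPassword($users, 'alice', 'sEcReT'));
var_dump(checkPassword($users, 'alice', 'secret'));
var_dump(checkPassword($users, 'bob', 'sEcReT'));
```

On PHP 5.5 and later, password_hash() and password_verify() replace this whole construction with a slow, per-user-salted algorithm and should be preferred over hand-rolled MD5 chains.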