  1. #1
    SitePoint Addict Shantra's Avatar
    Join Date
    Feb 2001
    Location
    Norway
    Posts
    224

    Question Security and use of many table fields in mySQL

    I have installed a great membership script from PHPfreaks http://www.phpfreaks.com/tutorials/40/0.php that uses MD5 hashing. But I have read somewhere that SHA-1 hashing is much safer. But everything is relative, I guess.
    Is there really a need for this extra security, and if so, would it be difficult to change the code (MD5 to SHA-1)?

    Also, I am making a script that has a member part that uses a LOT of mySQL table fields (60-70), mostly using the tinyint. This contains a user's login info (small part) and their profile (biggest part). The profile info is not always needed. Would it be wise to split those two parts or can it handle 60-70 fields with no problem?

    Thanks!

  2. #2
    SitePoint Evangelist Andrewaclt's Avatar
    Join Date
    Dec 2003
    Location
    Raleigh, NC
    Posts
    535
    What hash length are you using for MD5? Rather than changing algos, why not just increase the length?

    Most 'hackers' are not really going to waste the time trying to crack your site. There are sites with almost no security that are easier targets. However, if you deal with a lot of sensitive data, I don't see why adding more security would be a bad idea. You can never be too safe.

  3. #3
    SitePoint Addict Shantra's Avatar
    Join Date
    Feb 2001
    Location
    Norway
    Posts
    224
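    I'm not quite sure where I can find the hash length, but is it in this code:

    PHP Code:
    // Build an 8-character temporary password from a fixed alphabet.
    // Note: srand()/rand() is not a cryptographically secure generator.
    function makeRandomPassword() {
          $salt = "abchefghjkmnpqrstuvwxyz0123456789";
          srand((double)microtime()*1000000);
          $pass = '';
          $i = 0;
          while ($i <= 7) {
                // Pick one of the 33 characters in $salt
                $num = rand() % 33;
                $tmp = substr($salt, $num, 1);
                $pass = $pass . $tmp;
                $i++;
          }
          return $pass;
    }

    $random_password = makeRandomPassword();

    // Only the MD5 digest of the password is stored in the database
    $db_password = md5($random_password);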

  4. #4
    SitePoint Guru
    Join Date
    Aug 2001
    Location
    Amsterdam
    Posts
    788
    Quote Originally Posted by Andrewaclt
    However, if you deal with a lot of sensitive data, I don't see why adding more security would be a bad idea. You can never be too safe.
    If there really is a need for security start with using SSL ... That should be the first step to secure data transfer ... then start changing your MD5 to a longer or other encryption...
    the neighbours' (free) WIFI makes it just a little more fun

  5. #5
    SitePoint Addict Shantra's Avatar
    Join Date
    Feb 2001
    Location
    Norway
    Posts
    224
    Well, going for SSL is not needed. But how do I change the MD5 hash length?

  6. #6
    No. Phil.Roberts's Avatar
    Join Date
    May 2001
    Location
    Nottingham, UK
    Posts
    1,142
    Quote Originally Posted by Shantra
    Well, going for SSL is not needed. But how do I change the MD5 hash length?
    You can't. MD5 is always 32 bytes, or characters, long. SHA-1 is 42, which is why it's considered "safer".

  7. #7
    SitePoint Addict Shantra's Avatar
    Join Date
    Feb 2001
    Location
    Norway
    Posts
    224
    Then I'm back to the original questions

  8. #8
    SitePoint Evangelist Andrewaclt's Avatar
    Join Date
    Dec 2003
    Location
    Raleigh, NC
    Posts
    535
    You can have MD5 greater than 32 bits, 128 are common. I am just not aware of how to do such a thing in PHP...

    Nobody can decide if you need to increase the security of the site better than you. Have you had a large number of attempted 'break-ins' recently? Do you hold vast amounts of sensitive data? Does the added overhead (if any) outweigh the cost of adding more security? (Will users notice a performance change?)

  9. #9
    SitePoint Addict Shantra's Avatar
    Join Date
    Feb 2001
    Location
    Norway
    Posts
    224
    Quote Originally Posted by Andrewaclt
    Nobody can decide if you need to increase the security of the site better than you. Have you had a large number of attempted 'break-ins' recently? Do you hold vast amounts of sensitive data? Does the added overhead (if any) outweigh the cost of adding more security? (Will users notice a performance change?)
    This is why I ask before I start the site.

    But again, does anyone have any comments about my original questions?
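
Added example, not part of the original thread and not code from the PHPfreaks script: one way to move a member table off bare `md5()` digests without resetting every password, by verifying the old digest at login and replacing it with a salted `password_hash()` value. It assumes PHP 7.1+; the function names, the alphabet and the in-memory `$row` standing in for a MySQL row are constructed for illustration.

```php
<?php
// Added example. Assumes PHP 7.1+; $row is a constructed stand-in for a DB row.

// The digest size is fixed by the algorithm; it is not a setting in PHP.
$digestLengths = [
    'md5'  => strlen(md5('x')),   // hex string of a 128-bit digest
    'sha1' => strlen(sha1('x')),  // hex string of a 160-bit digest
];

// Temporary password drawn from the OS CSPRNG via random_int(), not rand().
function makeTempPassword(int $length = 8): string {
    $alphabet = 'abcdefghjkmnpqrstuvwxyz0123456789'; // assumed alphabet
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        $pass .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $pass;
}

// Check a login against either a legacy unsalted MD5 hex digest or a
// password_hash() string. Returns [bool $ok, ?string $hashToStore].
function verifyAndUpgrade(string $password, string $stored): array {
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy row: constant-time compare, then upgrade on success.
        $ok = hash_equals($stored, md5($password));
        return [$ok, $ok ? password_hash($password, PASSWORD_DEFAULT) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Modern row: rehash only if the default algorithm or cost has changed.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT) : null;
    return [true, $new];
}

// Constructed sample: a member whose password is still stored as md5().
$temp = makeTempPassword();
$row  = ['password' => md5($temp)];
[$ok, $newHash] = verifyAndUpgrade($temp, $row['password']);
if ($ok && $newHash !== null) {
    $row['password'] = $newHash;  // the column should allow 255 characters
}
$okAfterUpgrade = verifyAndUpgrade($temp, $row['password'])[0];
$wrongRejected  = !verifyAndUpgrade('not-the-password', $row['password'])[0];
var_dump($digestLengths, $ok, $okAfterUpgrade, $wrongRejected);
```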

