A Good Way To Make A Php Salt


    A Good Way To Make A Php Salt

    Code:
    <?php

    # defining the class
    class sessionId {

        # defining properties
        public $length     = 10;
        public $characters = "0123456789abcdefghijklmnopqrstuvwxyz";
        public $string     = "";   # the original started with " " (a leading space); start empty instead

        # defining the salt method
        public function GenSaltString() {
            $ses = "";   # initialised so the method still returns a string when $length is 0

            # this is where the magic happens: append one random character per round,
            # then take a 12-character uppercase window of md5(sha1(...)) starting at $x
            # (mt_rand() is not a cryptographic RNG; random_int() is the CSPRNG choice)
            for ($x = 0; $x < $this->length; $x++) {
                $this->string .= $this->characters[mt_rand(0, strlen($this->characters) - 1)];
                $session = md5(sha1($this->string));
                $ses = strtoupper(substr($session, $x, 12));
            }

            return $ses;
        }
    }

    Instead of using sessions I made this simple snippet that may be handy for people that are making secured sites and don't like using sessions. It's very easy to manipulate.

    #2
    nice share, thanks

    Comment


      #3
      You're welcome sir, I also have a few things left to share. Will do later

      Comment


        #4
        Here is my code that I had used in my old site :P
        Code:
        function make_hash($UID, $PASSWORD, $SALT)
        {
            $hash = md5($UID . $PASSWORD . $SALT);
            # crypt() needs an explicit salt: without one the output is not reproducible,
            # so a stored hash could never be re-checked at login (and PHP 8 requires it);
            # the first two hex chars of $hash are used here as a standard DES salt
            $encrypt_hash = crypt($hash, substr($hash, 0, 2));
            $encrypt_hash = md5($encrypt_hash);
            return $encrypt_hash;
        }

        function make_salt()
        {
            # rand() is not a cryptographic RNG; the salt space is bounded by time()
            $rand = rand(0, time());
            $salt = '~!@#$%^&*()_+|' . $rand . '~!@#$%^&*()_+|';
            $md5_salt = md5($salt);
            return $md5_salt;
        }

        # sample values so the snippet runs stand-alone ($idid and $pass were undefined)
        $idid  = 42;
        $pass  = "linux";
        $salty = make_salt();
        $sid   = make_hash($idid, $pass, $salty);

        Comment


          #5
          Nice, I like it, I love to code in OOP though. I also like the symbols that you used

          Comment


            #6
            here is another
            Code:
            function randomsess() {
                # the original had these two swapped ($ip held the user agent and $br the address);
                # '?? ""' keeps the function usable when the keys are absent (e.g. from the CLI)
                $br  = $_SERVER['HTTP_USER_AGENT'] ?? '';
                $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
                $mix = substr(md5(uniqid("")), 8);
                # note: base64 of time() + rand() + uniqid() is unique-ish, not unpredictable
                return substr(base64_encode(time() . rand(1000000, 9999999) . $mix . $ip . $br), 0, 30);
            }

            Comment


              #7
              you can also use for sessions

              Code:
              session_regenerate_id();

              Comment


                #8
                Code:
                function createHash($len = 20) {
                    # returns $len raw bytes (not printable); wrap the result in bin2hex()
                    # or base64_encode() before storing it in a text column or a cookie.
                    # mt_rand() is not a cryptographic RNG; random_bytes($len) is the CSPRNG equivalent
                    $ret = "";
                    for ($i = 0; $i < $len; $i++)
                        $ret .= chr(mt_rand(0, 255));
                    return $ret;
                }

                Comment


                  #9
                  QUOTE (GumSlone @ Mar 6 2009, 07:27 PM):
                  you can also use for sessions

                  Code:
                  session_regenerate_id();
                  This is

                  Code:
                  <?php
                  session_start();
                  echo session_id();
                  ?>

                  Comment


                    #10
                    Where to place these codes?

                    WapCHAT Forum Currently changing over to xhtml

                    My Downloads Site

                    Comment


                      #11
                      You don't just place them anywhere, you use them to create salts. Salts are extra characters that are added to the user's password before creating the password hash (usually md5).

                      For example if I have a password of
                      Code:
                      linux
                      for a start that's not very secure but it's also very small really, and we all know the longer the password the harder it is to crack; add symbols into it and it's even harder. So we create our salt of maybe
                      Code:
                      G7h+9k}y5F3Dx*85dH
                      this can actually just be a static salt; unless you're creating individual salts for each user, those functions are a waste of time. Anyway we now have the user's password and a salt, so we concat them and then md5 hash .. for example

                      Code:
                      $password = $_POST['password'];
                      $salt = "G7h+9k}y5F3Dx*85dH";
                      $passhash = md5($password . $salt);

                      // $db is assumed to be an open mysqli connection. The original used mysql_query()
                      // with unquoted, interpolated values (a syntax error and SQL injection); a prepared
                      // statement binds the values so they are never part of the SQL string
                      $stmt = $db->prepare("INSERT INTO users (field1, field2, field3, passhash) VALUES (?, ?, ?, ?)");
                      $stmt->bind_param("ssss", $f1, $f2, $f3, $passhash);
                      $stmt->execute();
                      as you should be able to see by now, the user still only enters their password... but the script will automatically add the salt to the password before verification of it, so although the user may only use a 6 character word which is easy to guess or brute force, your script adds a salt containing lower and upper case chars, numbers and symbols, making the password say 26 chars long (if the salt is 20 chars). This is obviously a lot harder to crack and yet doesn't require the user to make their password too long or complex to remember (although it only makes it hard to crack from the hash; if someone dictionary attacks your login form for that user's password, it will obviously accept linux as a valid password, so it's still recommended to either block users for 24 hours after 3/5 invalid login attempts or tell them to use good passwords; a salt is added security, not your only security).

                      So you've seen how a salt affects a user's password. But we've only used one salt. On a wap site this is probably perfectly fine, to use the same salt for everyone.. no one ever sees the salt as it's part of the php script and should never be displayed on a page. But say you've spent ages working on security and you can't think of any more added security. Well you can use a random salt for each user. This is where these functions come in good. It's just a simple case of generating a salt for each user and storing that with the user's details in the database. When they login, you get the salt for that user, append it to the user's POST password and verify it. Simple.

                      BUT adding this thinking your lavalair script is suddenly gonna be unbreakable is silly. If you haven't protected your default site code, adding security on top is a waste of time. Think of it as making your paypal password complex but then writing it down on paper and leaving the paper pinned to your family's pc next to your window, or more simply installing a virus and keylogger on your machine then password protecting your screen saver.

                      Comment
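The per-user salt workflow that post #11 describes (generate a salt per user, store it with the user record, fetch it at login, combine it with the submitted password and verify), written out as an added example that is not code from this thread. Two things are swapped in and labelled: the salt comes from random_bytes() instead of the mt_rand()/rand() generators posted above, and bcrypt via password_hash() replaces md5. The $users array and the usernames and passwords are constructed stand-ins for the users table.

```php
<?php
// Added example, not from the thread. Per-user salts as described in post #11,
// with a CSPRNG for the salt and a slow password hash (bcrypt) in place of md5.
// $users is a constructed stand-in for the database table.

declare(strict_types=1);

// Generate a per-user salt from the OS CSPRNG (16 bytes -> 32 hex characters).
function generate_salt(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Hash the salt + password. password_hash() also applies its own internal salt;
// the explicit per-user salt is kept here to mirror the post's scheme.
function make_passhash(string $password, string $salt): string
{
    return password_hash($salt . $password, PASSWORD_BCRYPT);
}

// Registration: create the salt, hash, and store both with the user record.
function register_user(array &$users, string $username, string $password): void
{
    $salt = generate_salt();
    $users[$username] = [
        'salt'     => $salt,
        'passhash' => make_passhash($password, $salt),
    ];
}

// Login: look up the user's salt, rebuild the hash from the submitted password, verify.
function verify_login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Verify against a dummy hash so an unknown username costs the same time
        // as a wrong password (avoids leaking which usernames exist via timing).
        static $dummy = null;
        $dummy ??= password_hash('no-such-user', PASSWORD_BCRYPT);
        password_verify($password, $dummy);
        return false;
    }
    $row = $users[$username];
    // password_verify() compares in constant time.
    return password_verify($row['salt'] . $password, $row['passhash']);
}

// Constructed demo data.
$users = [];
register_user($users, 'alice', 'linux');
register_user($users, 'bob', 'linux');

// Same password, different per-user salts, so the stored hashes differ.
echo "alice/bob hashes differ: ";
var_dump($users['alice']['passhash'] !== $users['bob']['passhash']);
echo "alice correct password:  ";
var_dump(verify_login($users, 'alice', 'linux'));
echo "alice wrong password:    ";
var_dump(verify_login($users, 'alice', 'Linux'));
echo "unknown user:            ";
var_dump(verify_login($users, 'carol', 'linux'));
```

Run with `php salt_example.php` (PHP 7.4 or later for `??=`). One caveat when combining an explicit salt with bcrypt: bcrypt only reads the first 72 bytes of its input, so with a 32-character hex salt prepended, passwords longer than 40 characters are silently truncated; shorten the salt or use the hash algorithm's built-in salting alone if that matters for your users.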
