Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

Knyteguy posted:

Is that Tech 9 in your avatar?

Also you can actually get some pretty good hosting for :5bucks: a month if you look around. If you use like a Litespeed, Nginx+Apache, or (maybe) Apache+Varnish host, you probably won't have problems with your website going down like ever, unless the concurrent connections just get crazy on a highly unoptimized website. Or if you run out of bandwidth.

It's Thelonious Monk... but anyhow my days of being reddited and boinged and stumbled are over for the moment. When that was going on, it was a Wordpress site, uncached, running on Apache, with ~10 ajax requests per pageview. They advertise unlimited bandwidth, but when that sort of traffic happens to you they shut you down right fast. Since those days I have got myself a job with a lot of bandwidth and have learned the joy of nginx, but I still keep my HostPapa domains around (anyone interested in "terrifi.ca"?)


stoops
Jun 11, 2001
I know cakephp is not the framework to get into, but I'm on a project that is using it. Can anyone recommend me a solid forums group to ask questions when I run into problems?

I think my problem is pretty basic, but I'm having a hard time conveying it or even showing code, because of all the places I have to make changes to (controllers, views, routes).

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
I'm using DataTables with an ajax data source which is a JSON array of objects.

One of my problems is that I'm trying to return HTML on one of the values so that it is a link in my table instead of text. The problem is that json_encode() escapes slashes. To counter this I did:

php:
<?php
// encode the rows, then strip the backslashes (stripslashes() removes every backslash, not only those before "/")
$contracts = json_encode($contracts);
echo stripslashes($contracts);
?>
Is this safe? I'm using PHP 5.3.9 so JSON_UNESCAPED_SLASHES is not available to me (5.4).

I'm very lovely when it comes to keeping things safe and escaped but I want the value to be a link.
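Added example, not the poster's code: what stripslashes() does to a JSON document, beside a fix that only undoes the slash escaping and so works on PHP 5.3 without JSON_UNESCAPED_SLASHES. The $contracts rows and unescape_json_slashes() are constructed for this example.

```php
<?php
// Added example, not the poster's code: stripslashes() versus a slash-only
// unescape for PHP 5.3, where JSON_UNESCAPED_SLASHES does not exist.
// The $contracts rows and unescape_json_slashes() are constructed here.

// Constructed sample: one row whose link needs readable slashes and whose name
// legitimately contains a double quote and a backslash.
$contracts = array(
    array(
        'id'   => 7,
        'name' => 'Acme "Widgets" C:\\Contracts',
        'link' => '<a href="/contracts/7">view</a>',
    ),
);

// Undo only the "\/" escaping json_encode() adds for forward slashes.
// Every other escape ("\"", "\\", "\n", "\uXXXX") stays as it is.
function unescape_json_slashes($json) {
    return str_replace('\\/', '/', $json);
}

$json = json_encode($contracts);

// The post's approach removes every backslash, including the ones that keep
// the embedded quote and the literal backslash inside the string.
$stripped = stripslashes($json);
$fixed    = unescape_json_slashes($json);

// json_decode() returns NULL for malformed input, so it doubles as a validator.
echo "stripslashes: ", json_decode($stripped) === null ? "no longer valid JSON" : "valid", "\n";
echo "slash-only:   ", json_decode($fixed) === null ? "no longer valid JSON" : "valid", "\n";

$rows = json_decode($fixed, true);
echo "round-tripped name: ", $rows[0]['name'], "\n";   // quote and backslash survive
echo "link as sent:       ", $rows[0]['link'], "\n";   // slashes readable, escaping intact
```

The same str_replace() is what the JSON_UNESCAPED_SLASHES flag does internally on 5.4, so the output can be swapped for the flag when the host upgrades.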

NO FUCK YOU DAD
Oct 23, 2008
Does anyone here use Zend? I'm trying to preserve newlines in text inserted into a database and they're passed through fine right until they hit the part where they actually get inserted, where it looks like Zend_Db's adapter automatically converts them all to <br/>s.

I've been up and down the code to no avail and the Zend documentation isn't particularly useful; is this standard behaviour, and can it be easily switched off?

McGlockenshire
Dec 16, 2005

GOLLOCKS!
I've used Zend_Db in a few things and have never seen that behavior, ever.

Can you provide a reduced test case?

NO FUCK YOU DAD
Oct 23, 2008

McGlockenshire posted:

I've used Zend_Db in a few things and have never seen that behavior, ever.

Can you provide a reduced test case?
Ah, not default behaviour then. It's probably something my predecessor left in a hook somewhere, I'll just have to look harder. I spent most of yesterday making sure his SQL actually went through the adapter instead of doing all the hard work in Zend then dumping the data in pretty much raw, which is probably something he did to work around whatever he's hosed up elsewhere.

Thanks anyway. If I can't track it down I'll come back with a test case.

stoops
Jun 11, 2001
I'm using cake php and I'm trying to link an image to another image with lightbox.

code:

<?php
echo $this->Html->image('image.jpg', array('url' => '/' . IMAGES_URL . 'image_big.jpg')); 
?>

The above code works to link the image. But I need to add a "rel=" to the href so I can initiate lightbox. I tried adding to the array beside 'url', but it only put the "rel=" on the image itself and not the link, where I need it.

Any help is appreciated

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Any exploit experts in the house? I'm helping someone else now who keeps getting their personal website 'hacked', but I'm pretty sure it's just some automated script someone is running somewhere. They're on:
- cPanel 11.30.5 (build 6)
- Apache 2.0.63
- PHP 5.2.14
- MySQL 5.0.92-community
- Perl 5.8.8
- RHEL5 2.6.18-194.11.3.el5

The 'hack' is that once a month (same day 3 months so far) someone gets in somehow and makes a 'flickr.com' and 'blogger.com' folder in the public_html root. Then, 3 days later, if those directories still exist, they'll insert some files that allow them to 1) upload their own files (in flickr.com) and 2) make database queries (in blogger.com). These appear to be .gifs/.jpgs using some kind of mime type exploit with commands base64 encoded at the end of the binary file. In a way I don't care about the latter part, because I want to stop them from making the files/folders in the first place.

I'm pretty good with (Windows+.Net) security, but am pretty well out to sea on this Lunix/php stuff. What I've done (based on googling around):
1. Moved the admin code for cPanel into a different directory and reset the permissions
2. Changed the password on the 'main' cpanel account (they were using it as their FTP account. Over wireless.), made separate new FTP accounts so the 'main' cpanel account is never used over cleartext again
3. Checked all files modified past date (x) (nothing related found)
4. Checked all database rows modified past date (x) (nothing related found)

Since I've done this the two folders have appeared again, same day as the previous two months. Has anyone run across this before?

SubG
Aug 19, 2004

It's a hard world for little things.

Scaramouche posted:

Any exploit experts in the house? I'm helping someone else now who keeps getting their personal website 'hacked', but I'm pretty sure it's just some automated script someone is running somewhere.
Sounds like it might be the timthumb.php vulnerability. More information here. The link contains details about remediation.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

I found that pretty early on (when looking up base64 image exploits) but Timthumb was never used on this system. Also, that part seems to come after; after they're able to make these folders.

geonetix
Mar 6, 2011


What "website" is running on the host?

By this I mean: what software is exposed on the internet. Some website-thingies are built horribly and allow for tons of security flaws; like uploads with faked filenames ("../../../index.php" for example) etc etc. So make sure it's set up right and you know what software is running. Many web-software things are vulnerable to nonsense like this.

geonetix fucked around with this message at 10:57 on Jan 23, 2012

Acer Pilot
Feb 17, 2007
put the 'the' in therapist

:dukedog:

Scaramouche posted:

Any exploit experts in the house? I'm helping someone else now who keeps getting their personal website 'hacked', but I'm pretty sure it's just some automated script someone is running somewhere. They're on:
- cPanel 11.30.5 (build 6)
- Apache 2.0.63
- PHP 5.2.14
- MySQL 5.0.92-community
- Perl 5.8.8
- RHEL5 2.6.18-194.11.3.el5

The 'hack' is that once a month (same day 3 months so far) someone gets in somehow and makes a 'flickr.com' and 'blogger.com' folder in the public_html root. Then, 3 days later, if those directories still exist, they'll insert some files that allow them to 1) upload their own files (in flickr.com) and 2) make database queries (in blogger.com). These appear to be .gifs/.jpgs using some kind of mime type exploit with commands base64 encoded at the end of the binary file. In a way I don't care about the latter part, because I want to stop them from making the files/folders in the first place.

I'm pretty good with (Windows+.Net) security, but am pretty well out to sea on this Lunix/php stuff. What I've done (based on googling around):
1. Moved the admin code for cPanel into a different directory and reset the permissions
2. Changed the password on the 'main' cpanel account (they were using it as their FTP account. Over wireless.), made separate new FTP accounts so the 'main' cpanel account is never used over cleartext again
3. Checked all files modified past date (x) (nothing related found)
4. Checked all database rows modified past date (x) (nothing related found)

Since I've done this the two folders have appeared again, same day as the previous two months. Has anyone run across this before?

Did your friend actually clean out or re-image the server after getting hacked? There might still be something on there.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!

Scaramouche posted:

Any exploit experts in the house? I'm helping someone else now who keeps getting their personal website 'hacked', but I'm pretty sure it's just some automated script someone is running somewhere. They're on:
- cPanel 11.30.5 (build 6)
- Apache 2.0.63
- PHP 5.2.14
- MySQL 5.0.92-community
- Perl 5.8.8
- RHEL5 2.6.18-194.11.3.el5

The 'hack' is that once a month (same day 3 months so far) someone gets in somehow and makes a 'flickr.com' and 'blogger.com' folder in the public_html root. Then, 3 days later, if those directories still exist, they'll insert some files that allow them to 1) upload their own files (in flickr.com) and 2) make database queries (in blogger.com). These appear to be .gifs/.jpgs using some kind of mime type exploit with commands base64 encoded at the end of the binary file. In a way I don't care about the latter part, because I want to stop them from making the files/folders in the first place.

I'm pretty good with (Windows+.Net) security, but am pretty well out to sea on this Lunix/php stuff. What I've done (based on googling around):
1. Moved the admin code for cPanel into a different directory and reset the permissions
2. Changed the password on the 'main' cpanel account (they were using it as their FTP account. Over wireless.), made separate new FTP accounts so the 'main' cpanel account is never used over cleartext again
3. Checked all files modified past date (x) (nothing related found)
4. Checked all database rows modified past date (x) (nothing related found)

Since I've done this the two folders have appeared again, same day as the previous two months. Has anyone run across this before?

There's a netsec thread starting in SH/SC that might be a good place to ask:

http://forums.somethingawful.com/showthread.php?threadid=3455244

I'd begin by hitting the site with every scanner you can think of, starting with something like nessus.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Sorry for the delay guys, I was super sick over the weekend. To try and answer in order:

Geonetix:
The application running on the server is a simple php based wordpress/cms site, with some custom content pages. So that means there's a database too. I've already looked over the sql calls (there's not that many files/pages total) and there's nothing I can see from an injection standpoint. Attack surfaces are the php pages, wordpress, one email signup form, the cpanel management app, the ftp server.

Haywood Japwnme:
It wasn't re-imaged, but like I said this is a really small site (less than 200 files) and I was able to inspect just about everything manually. I'm also not 'officially' maintaining it or anything, a friend just asked me to take a look at it and see if I can figure out why this is happening.

Bob_Morales:
Thanks for the advice, I'll have to check that out as well.

To everyone, thanks for the input. I wasn't expecting you guys to magically solve the problem; my faint hope was someone would say 'hmm, flickr and blogger folders out of nowhere? that sounds like exploit (xyz) that you can fix by updating (abc)!'. E.g., the easy way.

McGlockenshire
Dec 16, 2005

GOLLOCKS!

Scaramouche posted:

It wasn't re-imaged, but like I said this is a really small site (less than 200 files) and I was able to inspect just about everything manually. I'm also not 'officially' maintaining it or anything, a friend just asked me to take a look at it and see if I can figure out why this is happening.
Is this on shared hosting? (Given the cPanel mention...) If so, it's possible or even likely that the exploit is somewhere else on the machine.

Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:
This might be too fiddly to bother with much longer, but I'm trying to call a binary CGI script from PHP and output the code, without involving Apache. Currently it works if I do:

php:
<?php
// fetch the CGI output through the web server (generates an access-log hit)
readfile('http://localhost/cgi-bin/whatever.exe?param=foo');
?>
but that generates a log hit and I was wondering if I could do something more efficient. I found virtual() but apparently that doesn't work under nginx, plus it smells like it's just using Apache anyhow. I'd like to pull off something like:

php:
<?php
// run the binary directly; CGI programs do not read parameters from argv
passthru('/path/to/cgi-bin/whatever.exe -param=foo');
?>


but the CGI script doesn't seem to pull its parameters that way. I'm pretty much a total blank slate when it comes to CGI.

A possible hint, the app I'm hacking on has a bit of Perl code that looks like:
code:
my $cmd = '/path/to/cgi-bin/something.exe';
$ENV{'REQUEST_METHOD'} = 'GET';
$ENV{'QUERY_STRING'} = '';
my $out =  `$cmd`;
Which suggests to me that it should just be a matter of setting environment variables. However, neither $_ENV nor putenv() seem to have any effect.


EDIT:

Got it. Maybe not the cleanest or by-the-book, but it works:

php:
<?php
  $params = "foo=bar&baz=quux";
  // pass the CGI environment (REQUEST_METHOD, QUERY_STRING) on the shell command line
  $cmd = "LD_LIBRARY_PATH=/usr/local/app/lib/:/usr/lib:/usr/local/lib REQUEST_METHOD=GET "
    ."QUERY_STRING=".escapeshellarg($params)
    .' '
    ."/usr/local/app/cgi-bin/whatever.exe";
  passthru($cmd);
?>

Tad Naff fucked around with this message at 23:14 on Jan 23, 2012
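The same CGI invocation as an added example (not the poster's code): proc_open() with an explicit environment array, so the request goes through the CGI interface without building a shell command out of request data, and the CGI's own headers are parsed off the output instead of being echoed into the page. The binary path, the LD_LIBRARY_PATH value and the parameters are taken from the post above; run_cgi() is an assumed name.

```php
<?php
// Added example, not the poster's code: call a CGI binary from PHP with the
// request carried in environment variables (the CGI interface) rather than on
// a shell command line. Binary path and parameters are assumed from the post.

function run_cgi($binary, array $params, $method = 'GET') {
    // CGI programs read REQUEST_METHOD/QUERY_STRING from the environment and
    // the body from stdin; that is why "whatever.exe -param=foo" saw nothing.
    $env = array(
        'GATEWAY_INTERFACE' => 'CGI/1.1',
        'REQUEST_METHOD'    => $method,
        'QUERY_STRING'      => http_build_query($params),   // URL-encodes values
        'SCRIPT_FILENAME'   => $binary,
        'SERVER_PROTOCOL'   => 'HTTP/1.0',
        'PATH'              => '/usr/bin:/bin',
        'LD_LIBRARY_PATH'   => '/usr/local/app/lib/:/usr/lib:/usr/local/lib', // from the post
    );
    $spec = array(
        0 => array('pipe', 'r'),   // stdin: request body for POST, closed for GET
        1 => array('pipe', 'w'),   // stdout: CGI headers, blank line, body
        2 => array('pipe', 'w'),   // stderr
    );
    // The command string holds only the fixed, quoted binary path; no user
    // data is ever interpolated into it, and the environment is ours alone.
    $proc = proc_open(escapeshellarg($binary), $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException("could not start $binary");
    }
    fclose($pipes[0]);
    $raw = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    // CGI output: "Header: value" lines, an empty line, then the body.
    $parts   = preg_split("/\r?\n\r?\n/", $raw, 2);
    $headers = array();
    foreach (explode("\n", $parts[0]) as $line) {
        $line = rtrim($line, "\r");
        if (strpos($line, ':') !== false) {
            list($name, $value) = explode(':', $line, 2);
            $headers[strtolower(trim($name))] = trim($value);
        }
    }
    return array(
        'exit'    => $exit,
        'headers' => $headers,
        'body'    => isset($parts[1]) ? $parts[1] : '',
        'stderr'  => $err,
    );
}

$result = run_cgi('/usr/local/app/cgi-bin/whatever.exe',
                  array('foo' => 'bar', 'baz' => 'quux'));

// Forward the CGI's Content-Type instead of passthru()'s raw header+body dump.
if (isset($result['headers']['content-type'])) {
    header('Content-Type: ' . $result['headers']['content-type']);
}
echo $result['body'];
```

Because the values go through http_build_query() and the environment rather than the shell, a parameter containing quotes, "$(" or newlines cannot change what gets executed.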

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

McGlockenshire posted:

Is this on shared hosting? (Given the cPanel mention...) If so, it's possible or even likely that the exploit is somewhere else on the machine.

Yeah that's my next step, but would prefer to have a smoking gun of some kind before going to the hosts. But that'll basically be what happens if I eliminate most other possibilities.

DarkLotus
Sep 30, 2001

Lithium Hosting
Personal, Reseller & VPS Hosting
30-day no risk Free Trial &
90-days Money Back Guarantee!

Scaramouche posted:

Yeah that's my next step, but would prefer to have a smoking gun of some kind before going to the hosts. But that'll basically be what happens if I eliminate most other possibilities.

The most common thing I see in a shared environment is either c99,r57 or SyRiAn Sh3ll shells. These are usually placed in a wp-theme cache directory of an unpatched wordpress install or if you're using a bad version of timthumb. On a properly configured system, those scripts won't allow a hacker to do any damage to the system or other users, but they can end up sending shitloads of spam from your account. It also allows a web based front end for your account allowing them to upload files, create directories and do just about anything you can do from command line or the cPanel file manager.

In the event the host you are on now doesn't have specific functions disabled in PHP, this attack could be coming from another account. It's also possible the server itself is compromised.

This is what I'd do in your situation. Login to cPanel, download a full account backup. Submit a ticket with your host and ask them to nuke your account and reprovision it. Then I'd create the databases from scratch, upload the sql backups via phpmyadmin or command line if you have it. Then install a fresh clean copy of wordpress and use the default theme for a couple of days. See if the files/folders come back. Don't upload any of your files you downloaded unless you have confirmed they are legit and don't have anything malicious in them.

DarkLotus fucked around with this message at 22:03 on Jan 23, 2012
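A read-only integrity check written from the symptoms in this thread, as an added example that is not from any post: it flags top-level directories under public_html that are not on a known-good list (the 'flickr.com' / 'blogger.com' pattern Scaramouche described), image files that contain PHP or base64_decode calls, PHP files sitting in upload or cache directories (where DarkLotus says the c99/r57 shells tend to land), and anything modified in the last few days. The document root, the baseline list and the window are assumptions.

```php
<?php
// Added example, not from any post in the thread: an integrity scan for a
// small cPanel-hosted site. $docroot, $baseline and the time window are
// assumptions; it only reads files and reports, it changes nothing.

$docroot  = '/home/example/public_html';                                     // assumed
$baseline = array('wp-admin', 'wp-content', 'wp-includes', 'images', 'cgi-bin'); // assumed
$since    = strtotime('-3 days');                                            // assumed window

// Strings that never belong inside a real .gif/.jpg/.png.
$markers  = array('<?php', '<?=', 'base64_decode(');

$findings = array();

// 1. Top-level directories that are not in the known-good list.
foreach (scandir($docroot) as $entry) {
    if ($entry === '.' || $entry === '..') continue;
    if (is_dir("$docroot/$entry") && !in_array($entry, $baseline, true)) {
        $findings[] = "unexpected directory: $entry";
    }
}

// 2. Walk every file: recent changes, PHP hidden in images, PHP in upload dirs.
$iter = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
);
foreach ($iter as $file) {
    $path = $file->getPathname();
    if ($file->getMTime() >= $since) {
        $findings[] = "recently modified: $path";
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, array('gif', 'jpg', 'jpeg', 'png'), true)) {
        $data = file_get_contents($path);
        foreach ($markers as $m) {
            // "commands base64 encoded at the end of the binary file": the
            // image is valid but has code appended after the pixel data.
            if (strpos($data, $m) !== false) {
                $findings[] = "code marker '$m' inside image: $path";
                break;
            }
        }
    }
    if ($ext === 'php' && preg_match('#/(uploads|cache|tmp)/#', $path)) {
        $findings[] = "php file in an upload/cache directory: $path";
    }
}

echo $findings ? implode("\n", $findings) . "\n" : "no findings\n";
```

Run it from cron with the output mailed to you; mtime can be reset by whoever planted the file, so the directory and content checks are the ones to trust, and a clean baseline (DarkLotus's reprovision-and-reinstall step) is what makes the known-good list meaningful.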

Innocent Bystander
May 8, 2007
Born in the LOLbarn.
Anybody here use RedBean for their ORM? I love it, it's awesome, simple. It's super lightweight and doesn't have the query functions I'm used to from Django, but drat, for a drop-in replacement, RedBean is near impossible to beat.

revmoo
May 25, 2006

#basta
Does anybody know where to find docs about the ExpressionEngine super object? Having trouble finding information.

klem_johansen
Jul 11, 2002

[be my e-friend]
I'm processing employment applications for a client and we're allowing applicants to attach their resumes (pdf/doc/docx files). For the sake of simplicity, I'm storing the documents as blob elements in the database and storing the file type in the db so that it can be downloaded later on using the header function. When I test the system it seems to work fine for all the allowed formats.

However, for a few people who have uploaded files (only doc, docx or pdf extensions are allowed) the file type comes through as "application/octet-stream" and those won't open when I download them. I can't tell if the problem is in the upload function or if I'm doing something wrong on the download side. I can't seem to recreate the problem, either. Any ideas?

mewse
May 2, 2006

klem_johansen posted:

I'm processing employment applications for a client and we're allowing applicants to attach their resumes (pdf/doc/docx files). For the sake of simplicity, I'm storing the documents as blob elements in the database and storing the file type in the db so that it can be downloaded later on using the header function. When I test the system it seems to work fine for all the allowed formats.

However, for a few people who have uploaded files (only doc, docx or pdf extensions are allowed) the file type comes through as "application/octet-stream" and those won't open when I download them. I can't tell if the problem is in the upload function or if I'm doing something wrong on the download side. I can't seem to recreate the problem, either. Any ideas?

you might have to build the headers yourself and send out one of the following (pdf, doc, docx respectively):


application/pdf
application/msword
application/vnd.openxmlformats-officedocument.wordprocessingml.document


http://en.wikipedia.org/wiki/Internet_media_type

e: I have no idea if I read your question correctly. It sounds like some people's browsers are uploading the files with a dumb media type and you should choose the correct media type based on the file extension rather than what their dumb browser told you

klem_johansen
Jul 11, 2002

[be my e-friend]

mewse posted:

you might have to build the headers yourself and send out one of the following (pdf, doc, docx respectively):


application/pdf
application/msword
application/vnd.openxmlformats-officedocument.wordprocessingml.document


http://en.wikipedia.org/wiki/Internet_media_type

e: I have no idea if I read your question correctly. It sounds like some people's browsers are uploading the files with a dumb media type and you should choose the correct media type based on the file extension rather than what their dumb browser told you

The upload code grabs the content-type header from the original file and stores it in the DB and then just recreates it on the way back.

Could it be that the browser is reporting the file as octet-stream because there IS no extension? That's something I have not tried yet.

Tad Naff
Jul 8, 2004

I told you you'd be sorry buying an emoticon, but no, you were hung over. Well look at you now. It's not catching on at all!
:backtowork:

klem_johansen posted:

The upload code grabs the content-type header from the original file and stores it in the DB and then just recreates it on the way back.

Could it be that the browser is reporting the file as octet-stream because there IS no extension? That's something I have not tried yet.

Shame that it's in a DB, otherwise you could just use mime_content_type() on the file and it wouldn't matter what extension it had. Probably the best thing would be to run mime_content_type() on the temp uploaded file and use that value to insert in the database, rather than what the client says.
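The approach Tad Naff describes, as an added example (not the posters' code): the type is taken from the uploaded file's bytes with finfo, the only name ever used on disk is one the server generates (geonetix's "../../../index.php" point from earlier in the thread), the server-determined type is what gets stored, and the download sends explicit headers. The PDO connection, table layout and storage directory are assumptions; the storage directory must sit outside the web root.

```php
<?php
// Added example, not the posters' code: resume upload/download that trusts
// the file's content and the server, never the client's Content-Type or
// filename. $pdo, the "resumes" table and $store_dir are assumptions.

$allowed = array(   // server-side type => extension used for the stored copy
    'application/pdf'    => 'pdf',
    'application/msword' => 'doc',
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx',
);

function detect_type($tmp_path) {
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $type  = finfo_file($finfo, $tmp_path);     // inspects the bytes, not the name
    finfo_close($finfo);
    // Older libmagic reports .docx as a bare zip; confirm it holds a Word part.
    if ($type === 'application/zip') {
        $zip = new ZipArchive();
        if ($zip->open($tmp_path) === true) {
            if ($zip->locateName('word/document.xml') !== false) {
                $type = 'application/vnd.openxmlformats-officedocument.wordprocessingml.document';
            }
            $zip->close();
        }
    }
    return $type;
}

function store_resume(PDO $pdo, array $upload, $store_dir, array $allowed) {
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $type = detect_type($upload['tmp_name']);
    if (!isset($allowed[$type])) {
        throw new RuntimeException("rejected: content is $type, not pdf/doc/docx");
    }
    // The on-disk name is random and ours; the client's name never becomes a path.
    $id   = bin2hex(openssl_random_pseudo_bytes(16));
    $dest = $store_dir . '/' . $id . '.' . $allowed[$type];
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // Keep a copy in the DB too (the poster's fallback), as a bound LOB, not an
    // escaped string, which is what corrupted the early uploads in the thread.
    $stmt = $pdo->prepare('INSERT INTO resumes (id, orig_name, mime_type, data) VALUES (?, ?, ?, ?)');
    $stmt->bindValue(1, $id);
    $stmt->bindValue(2, basename($upload['name']));   // display data only
    $stmt->bindValue(3, $type);                       // server-determined type
    $stmt->bindValue(4, file_get_contents($dest), PDO::PARAM_LOB);
    $stmt->execute();
    return $id;
}

function send_resume(PDO $pdo, $id, array $allowed) {
    $stmt = $pdo->prepare('SELECT orig_name, mime_type, data FROM resumes WHERE id = ?');
    $stmt->execute(array($id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !isset($allowed[$row['mime_type']])) {
        header('HTTP/1.0 404 Not Found');
        return;
    }
    // Force a download with a sanitised name so the browser never renders the
    // blob as an active document inside this site's origin.
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', pathinfo($row['orig_name'], PATHINFO_FILENAME));
    header('Content-Type: ' . $row['mime_type']);
    header('Content-Disposition: attachment; filename="' . $base . '.' . $allowed[$row['mime_type']] . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . strlen($row['data']));
    echo $row['data'];
}

// Request glue (assumed):
//   $id = store_resume($pdo, $_FILES['resume'], '/var/app/resumes', $allowed);
//   send_resume($pdo, $_GET['id'], $allowed);
```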

mewse
May 2, 2006

yeeeahh.. Don't Trust The Client

klem_johansen
Jul 11, 2002

[be my e-friend]
I think the problem may have been that I was inadvertently escaping the file contents. I added an exception handler to un-escape the handful of files that were uploaded before the fix and now everything seems fine. As an extra measure, though, I'm storing them as flat files in a secure directory and also in the db, so if something does get corrupted I have a fallback.


Now I will sleep.

Oxford Comma
Jun 26, 2011
Oxford Comma: Hey guys I want a cool big dog to show off! I want it to be ~special~ like Thor but more couch potato-like because I got babbies in the house!
Everybody: GET A LAB.
Oxford Comma: OK! (gets a a pit/catahoula mix)
If I have a bunch of variables in an include file, is there a way to access those variables directly from within another function? Something like this:

code:

//vars.php
<?php $x="Hi";?>

//index.php
<?php include("vars.php");
    function myFunction()
    {
          echo "The value of x is: $x";
    }
?>
This won't work since $x is outside the scope of myFunction() and I have to pass it in as an argument.

This is probably very obvious but today is my first day with PHP so...yeah.

mooky
Jan 14, 2012

Oxford Comma posted:

If I have a bunch of variables in an include file, is there a way to access those variables directly from within another function? Something like this:

code:

//vars.php
<?php $x="Hi";?>

//index.php
<?php include("vars.php");
    function myFunction()
    {
          echo "The value of x is: $x";
    }
?>
This won't work since $x is outside the scope of myFunction() and I have to pass it in as an argument.

This is probably very obvious but today is my first day with PHP so...yeah.

Try this:
code:
//vars.php
<?php $x="Hi";?>

//index.php
<?php include("vars.php");
    function myFunction()
    {
          global $x;
          // or
          $x = $GLOBALS['x'];
          echo "The value of x is: $x";
    }
?>
http://us2.php.net/manual/en/reserved.variables.globals.php
http://us3.php.net/manual/en/language.variables.scope.php

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe
If $x is a variable that is supposed to modify the behaviour of the function, then it is generally considered proper to pass it as a parameter to the function, as in the following code.

code:
    function myFunction($x)
    {
          echo "The value of x is: $x";
    }
Now when you call myFunction() you need to call it as myFunction($x). One reason why this approach is generally considered better than using globals is that when someone wants to work out what the function does they don't have to hunt for where $x is defined and what it is.

Another possibility, if $x is something that will be defined once and then won't change (and provided it's a scalar value, i.e. not an object nor an array) is that you can define it as a constant. If you do that, then you do not need to declare it global.

code:
// vars.php
<?php define('X', 'Hi'); ?>

//index.php
<?php include("vars.php");
    function myFunction()
    {
          echo "The value of X is: ".X;
    }
?>
(It is conventional to give constants names that consist of capital letters.)

McGlockenshire
Dec 16, 2005

GOLLOCKS!
Token cautionary point:

Global variables are brittle little horrors that will pile up and make your application unmaintainable. The more information you keep in the global scope, the harder it's going to be to refactor things into any semblance of sanity.

The same goes for Singletons and sometimes the Registry pattern. There's usually a better way to deal with the problem.

keep it down up there!
Jun 22, 2006

How's it goin' eh?

Not so much a coding question here, but I was hoping to get some opinions.

Right now I run a website that has its own authentication system in CodeIgniter. It's come time I feel I need some forums. Rolling my own forums seems silly with such great software already out there, bug tested, and feature filled. However I don't want to burden my users with multiple sign ons.

So after Googling the only real solution I've come across is Vanilla forums.

http://vanillaforums.org

Has anyone here ever used it? Is it recommended or terrible? They have a paid hosted solution so I imagine it must be decent.

I'm specifically interested because it has a premade single sign on module that should integrate well with my current setup. You can read about that here
http://vanillaforums.org/docs/singlesignon

Any other ideas are also welcome. I'm not interested in vbulletin as it's drat pricey for a site I make no profit off of.

Impotence
Nov 8, 2010
Lipstick Apathy
vB is horrible crap, if you're going to pay for something use IPB.

keep it down up there!
Jun 22, 2006

How's it goin' eh?

I'm really not interested in paying for anything as of yet. The small ad revenue on my site barely covers the costs.

I only mentioned vB as it is well known and has the functionality I described. A free solution would be ideal.

McGlockenshire
Dec 16, 2005

GOLLOCKS!
Vanilla and phpBB are pretty much your only options that are both free and Free and worth the time and effort. Be warned that Vanilla is a very non-standard experience for new users, but be warned that phpBB's code sucks.

Optimus Prime Ribs
Jul 25, 2007

Biowarfare posted:

vB is horrible crap, if you're going to pay for something use IPB.

Isn't IPB just as lovely?
I haven't used it since back when it was free, so they may have improved it. But it was pretty awful back then.

Impotence
Nov 8, 2010
Lipstick Apathy

Optimus Prime Ribs posted:

Isn't IPB just as lovely?
I haven't used it since back when it was free, so they may have improved it. But it was pretty awful back then.
IP.Board the paid product is nothing like the free version (the one that looked like crap using tables, looked cyan/lightblue and in use at invisionfree).

Acer Pilot
Feb 17, 2007
put the 'the' in therapist

:dukedog:

Optimus Prime Ribs posted:

Isn't IPB just as lovely?
I haven't used it since back when it was free, so they may have improved it. But it was pretty awful back then.

IPB is pretty great actually. I've been using it for a few years now and it hasn't failed me. The new spam monitoring stuff is pretty handy and the forums, overall, are very sleek.

indulgenthipster
Mar 16, 2004
Make that a pour over
Just want to share one of the best (and easiest to use) classes for password security I've found: https://github.com/tom--/Randomness

It's built to be used for the Yii Framework, but you can easily modify it to work in any application.

quote:

There are many tutorials and examples that show storage of passwords in a table.
Often the methods used are substandard and very easy to crack. For example, the
"Agile Yii" book's example stores md5($password) in the DB and calls it
"encryption". It is not. "The Definitive Guide to Yii" is a little better in
that it uses a salt but it still uses md5 and is easy to crack.

You cannot rely on a user to use a (practically) unguessable password or to not
use that password in systems other than yours. And you should not assume that
your server is so secure that an attacker cannot get hold of the password file.

So you use a salt to ensure that the hash is unlikely to appear in any
dictionary or rainbow. But this is not enough. First, the salt has to be really
random. Second, the hash function needs to be slow to calculate (computationally
expensive, as the techies say).

First problem: a common mistake is to generate salts with mt_rand() or similar.
That's no use because mt_rand is a simple pseudo-random number generator designed
for use in Monte Carlo simulations, not in security systems. It is not
cryptographically secure (not a CSPRNG). You can determine the next random
number from previous ones or from knowing the internal state of the generator.

Randomness uses the operating system's CSPRNG if it can. If it can't, it logs
a warning and falls back to something less secure. In the case that neither
openssl_random_pseudo_bytes() nor /dev/random work it falls back on its own
stupid tricks to shuffle things up (read the code).

In most decent production environments, be it Windows, Unix or Linux, Randomness
will return a good, CS random value and not use any hackery. But test it out to
see how it works for you by checking your logs (Yii logs, not PHP error log).

The second problem is fast hashes. MD5, for example, is very fast. As of Nov
2011 you can check 350 million keys per second on a commodity nVidia processor.
So no matter what you do with salts, the combination of short passwords and fast
brute force checking means your system is open to intruders if you rely on a
non-iterated message digest such as md5, SHA and the rest.

Blowfish is currently considered pretty good. It is designed to be slow. The
implementation in PHP's crypt() is easy to use. Set a cost parameter high enough
to make a brute force attack really slow. I set it so that it takes about 250 ms
on the production server (a completely arbitrary choice:-).
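The quoted recipe in plain PHP, as an added example that is not the Randomness library's code: a salt from the OS CSPRNG via openssl_random_pseudo_bytes(), crypt() with the Blowfish "$2y$" prefix (PHP 5.3.7 or later), a cost chosen by timing one hash against the README's ~250 ms target, and a byte-by-byte comparison on verification. Function names are assumed.

```php
<?php
// Added example, not the Randomness library's code: the README's salt/cost
// recipe with nothing but crypt(). Needs PHP 5.3.7+ for the "$2y$" prefix.

function bcrypt_salt() {
    // 16 bytes from the OS CSPRNG; never mt_rand() (a Monte Carlo generator).
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no cryptographically strong random source');
    }
    // crypt() wants 22 characters from ./0-9A-Za-z; remap base64's "+" to ".".
    $b64 = strtr(rtrim(base64_encode($raw), '='), '+', '.');
    return substr($b64, 0, 22);
}

function hash_password($password, $cost = 12) {
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be 4..31');
    }
    $setting = sprintf('$2y$%02d$%s', $cost, bcrypt_salt());
    $hash = crypt($password, $setting);
    // Without Blowfish support crypt() returns a short failure string ("*0").
    if (strlen($hash) !== 60) {
        throw new RuntimeException('Blowfish crypt() not available');
    }
    return $hash;   // 60 chars: prefix, cost, salt and hash, store as-is
}

function check_password($password, $stored) {
    // Using the stored hash as the setting reuses its own salt and cost.
    $calc = crypt($password, $stored);
    // Compare every byte so the time taken does not depend on where they differ.
    if (strlen($calc) !== strlen($stored)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($calc); $i++) {
        $diff |= ord($calc[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

function tune_cost($target_ms = 250) {
    // Raise the cost until one hash takes about $target_ms on this machine;
    // re-run when the hardware changes, and rehash old records on login.
    for ($cost = 4; $cost <= 31; $cost++) {
        $start = microtime(true);
        hash_password('benchmark', $cost);
        if ((microtime(true) - $start) * 1000 >= $target_ms) {
            return $cost;
        }
    }
    return 31;
}

$stored = hash_password('correct horse battery staple', 12);
echo check_password('correct horse battery staple', $stored) ? "accepted\n" : "BUG: rejected\n";
echo check_password('Tr0ub4dor&3', $stored) ? "BUG: accepted\n" : "wrong password rejected\n";
echo "cost for ~250 ms on this host: ", tune_cost(), "\n";
```

The cost is embedded in the stored string, so raising it later only requires re-hashing each user's password the next time they log in successfully.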

musclecoder
Oct 23, 2006

I'm all about meeting girls. I'm all about meeting guys.
Here's a slightly older bcrypt PHP class that works with any framework:

http://www.openwall.com/phpass/


McGlockenshire
Dec 16, 2005

GOLLOCKS!
Make sure you've turned off compat mode in phpass, otherwise you get something objectively inferior to Blowfish. If you have nothing that can provide Blowfish, then something that implements PBKDF2 is going to be a better bet. I'm a fan of CryptLib, as it also can interpret passwords generated by many other popular hashing schemes.

McGlockenshire fucked around with this message at 19:45 on Feb 6, 2012
