Secure Coding mailing list archives

RE: Scripting Languages and Secure Coding + code


From: "Dave Paris" <dparis () w3works com>
Date: Sun, 07 Dec 2003 17:42:09 +0000

Regarding the use of MD5...

I'd recommend SHA1 for a couple reasons:
a) there are known "bad" data that can result in weak MD5 digests.  There
are a number of cryptanalysts that have doubts about MD5 in the first place.
Google can provide these references - I'm strapped for time at the moment.
b) better collision resistance. (128-bit for MD5 vs. 160-bit for SHA1)
c) there's no appreciable speed loss between MD5 and SHA1.

Additionally, rather than using the hex output, you might want to use
Base64 - you'll save a few bytes.

Of course, this assumes PHP has an SHA1 function.  As a non-user of PHP, I
can't speak from authority here.  If you're really interested in securing
it, use a Message Authentication Check (MAC) to "key" the digest.  Again,
the caveat about PHP's actual functionality stands.

Kind Regards,
-dsp

[Ed. Request to _all_ -- please keep your quoted text (from the messages 
that you respond to) to a bare minimum.  This will be particularly 
important once the SC-L-DIGEST is in place...  Thanks.  KRvW]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Paul R. C. Ming
Sent: Thursday, December 04, 2003 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [SC-L] Scripting Languages and Secure Coding + code


I know this is not what You asked, but I'm no secure coding guru. It
just occurred to me that this code:

| $username=stripslashes(trim($_POST['username']));
| $password=stripslashes(trim($_POST['password']));

would disallow a user from having slashes (and possibly other characters
-- I don't know PHP and the stripslashes() command) in their passwords
(and usernames, but I think they can live with that).

In general, it's better to check that input is valid, rather than trying
to check for invalid input or trying to sanitize the input.  For this
case, you would want to check that the username contains only valid
characters (e.g. letters and digits).  Match the username against a
regular expression, such as ^[A-Za-z][A-Za-z0-9]{0,31}$.  If it matches,
it's okay, otherwise, tell the user it's not a valid username and what
makes a valid username.

...
Going on the assumption that
PHP does not use \0 to indicate the end of a string (as I said, I don't
know PHP), the only thing You do with the password field directly is
check that it is not empty, then put it through MD5. I think MD5 is
sanitation enough. What do others say? (This would also give You a
really tiny speed improvement. :) ).

I believe that running the password through MD5 is enough, because PHP's
md5(string)'s output is going to be a 32 character hexadecimal string.
(Just don't use the md5()'s raw option...)

On another note, I'd bet it'd be a good habit to use the
mysql_escape_string()/mysql_real_escape_string() functions whenever
creating SQL query strings.  The PHP manual says that they don't escape
% or _.  I don't know SQL that well, so what implications does that
have?

--
Paul Ming
[EMAIL PROTECTED]
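The three points discussed in the thread, as an added example in PHP (not code from either message): the allow-list regex for the username, a keyed digest (HMAC-SHA1 via hash_hmac(), available since PHP 5.1.2) in place of a bare md5(), and escaping of % and _, which are LIKE wildcards that mysql_real_escape_string() leaves untouched, so a user-supplied value cannot widen a LIKE match. The key value is a placeholder.

```php
<?php
// Added example, not from the list thread. Assumes PHP 5.1.2+ for hash_hmac();
// $key is a placeholder secret that in practice is loaded from configuration
// kept outside the web root and the database.

// Allow-list validation of the username with the regex from the thread:
// one letter followed by up to 31 letters or digits. The input is never
// rewritten (no stripslashes()); it is either valid or rejected.
function valid_username($name)
{
    return preg_match('/^[A-Za-z][A-Za-z0-9]{0,31}$/', $name) === 1;
}

// Keyed digest of the password: a MAC instead of a bare md5()/sha1().
// Raw binary output is Base64-encoded (28 characters for HMAC-SHA1) rather
// than hex (40 characters), as suggested above. The Base64 alphabet
// [A-Za-z0-9+/=] contains no SQL quoting characters.
function password_digest($password, $key)
{
    return base64_encode(hash_hmac('sha1', $password, $key, true));
}

// % and _ are wildcards inside a LIKE pattern and the PHP manual says
// mysql_real_escape_string() does not escape them. Prefix them with
// MySQL's default ESCAPE character (backslash) first, then pass the
// result through the driver's escaping (or bind it as a parameter).
function escape_like_pattern($value)
{
    return addcslashes($value, '%_');
}

// Constructed inputs exercising the three functions.
var_dump(valid_username('alice01'));
var_dump(valid_username('bob\'s'));   // apostrophe is outside the allow-list: rejected, not stripped
var_dump(valid_username('9lives'));   // must start with a letter

$key = 'PLACEHOLDER-SECRET-KEY';
echo password_digest('correct horse', $key), "\n";

echo escape_like_pattern('50%_off'), "\n";
```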