Secure Coding mailing list archives
RE: Scripting Languages and Secure Coding + code
From: "Dave Paris" <dparis () w3works com>
Date: Sun, 07 Dec 2003 17:42:09 +0000
Regarding the use of MD5... I'd recommend SHA1 for a couple reasons:

a) there are known "bad" data that can result in weak MD5 digests. There are a number of cryptanalysts that have doubts about MD5 in the first place. Google can provide these references - I'm strapped for time at the moment.

b) better collision resistance. (128bit for MD5 vs. 160bit for SHA1)

c) there's no appreciable speed loss between MD5 and SHA1.

Additionally, rather than using the hex output, you might want to use Base64 - you'll save a few bytes. Of course, this assumes PHP has an SHA1 function. As a non-user of PHP, I can't speak from authority here.

If you're really interested in securing it, use a Message Authentication Check (MAC) to "key" the digest. Again, the caveats about PHP's actual functionality stand.

Kind Regards,
-dsp

[Ed. Request to _all_ -- please keep your quoted text (from the messages that you respond to) to a bare minimum. This will be particularly important once the SC-L-DIGEST is in place... Thanks. KRvW]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul R. C. Ming
Sent: Thursday, December 04, 2003 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [SC-L] Scripting Languages and Secure Coding + code
I know this is not what You asked, but I'm no secure coding guru. It just occurred to me that this code:

| $username=stripslashes(trim($_POST['username']));
| $password=stripslashes(trim($_POST['password']));

would disallow a user from having slashes (and possibly other characters -- I don't know PHP and the stripslashes() command) in their passwords (and usernames, but I think they can live with that).
In general, it's better to check that input is valid, rather than trying to check for invalid input or trying to sanitize the input. For this case, you would want to check that the username contains only valid characters (e.g. letters and digits). Match the username against a regular expression, such as ^[A-Za-z][A-Za-z0-9]{0,31}$. If it matches, it's okay, otherwise, tell the user it's not a valid username and what makes a valid username.
... Going on the assumption that PHP does not use \0 to indicate the end of a string (as I said, I don't know PHP), the only thing You do with the password field directly is check that it is not empty, then put it through MD5. I think MD5 is sanitation enough. What do others say? (This would also give You a really tiny speed improvement. :) ).
I believe that running the password through MD5 is enough, because PHP's md5(string)'s output is going to be a 32 character hexadecimal string. (Just don't use the md5()'s raw option...) On another note, I'd bet it'd be a good habit to use the mysql_escape_string()/mysql_real_escape_string() functions whenever creating SQL query strings. The PHP manual says that they don't escape % or _. I don't know SQL that well, so what implications does that have? -- Paul Ming [EMAIL PROTECTED]
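The three practices argued over in this message, put into one runnable PHP script as an added example (not code from the thread or any of its authors): allow-list validation of the username with the regular expression quoted above, keying the password digest with a MAC (HMAC-SHA1 via PHP's hash_hmac(), Base64 rather than hex output, as the reply suggests), and escaping the LIKE wildcards % and _ that the mysql escaping functions leave alone. The secret key, the sample usernames and the sample password are constructed for the example; the function names are the example's own.

```php
<?php
// Added example, not code from the thread. Demonstrates: allow-list username
// validation, a keyed (HMAC) password digest with Base64 output, and escaping
// of the LIKE wildcards that string escaping does not cover.

// The allow-list pattern from the thread: a letter followed by up to 31 letters/digits.
const USERNAME_PATTERN = '/^[A-Za-z][A-Za-z0-9]{0,31}$/';

// Validate rather than sanitize: accept only if the whole string matches.
function isValidUsername(string $username): bool
{
    return preg_match(USERNAME_PATTERN, $username) === 1;
}

// Keyed digest: HMAC-SHA1 under a server-side secret, Base64 encoded.
// hash_hmac() exists in PHP >= 5.1.2; raw bytes are requested, then Base64 encoded,
// which gives 28 characters for the 160-bit MAC instead of 40 hex characters.
function keyedDigest(string $password, string $key): string
{
    return base64_encode(hash_hmac('sha1', $password, $key, true));
}

// Escape % and _ (and the escape character itself) so user input is matched
// literally inside a LIKE pattern. This is needed in addition to
// mysqli_real_escape_string() or a prepared statement, because those protect the
// string delimiters, not the LIKE wildcards. MySQL's default LIKE escape is backslash.
function escapeLikePattern(string $value, string $escapeChar = '\\'): string
{
    return str_replace(
        [$escapeChar, '%', '_'],
        [$escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'],
        $value
    );
}

// Demonstration with constructed inputs.
$secretKey = 'constructed-example-key'; // in practice a per-deployment secret kept out of source

$candidates = [
    'alice42',                         // valid
    '1alice',                          // rejected: must start with a letter
    'al ice',                          // rejected: space
    "alice'; DROP TABLE users; --",    // rejected: quotes and punctuation never reach SQL
    str_repeat('a', 33),               // rejected: longer than 32 characters
];
foreach ($candidates as $candidate) {
    printf("%-40s %s\n", var_export($candidate, true),
        isValidUsername($candidate) ? 'valid' : 'rejected');
}

$digest = keyedDigest('p@ss\\word', $secretKey);
printf("digest: %s (%d Base64 chars)\n", $digest, strlen($digest));

$needle  = '50%_off';
$pattern = escapeLikePattern($needle);
printf("LIKE pattern for %s: %s\n", $needle, $pattern); // 50\%\_off
```

Two points the script is meant to make concrete. First, once the username has passed the allow-list check it contains no quote, backslash or whitespace, so the validation does the real work and the escaping is defence in depth. Second, a keyed digest answers the "is MD5 sanitation enough" question for the transport of the value into a query, but for storing credentials the fast hashes discussed here (MD5, SHA1, even HMAC-SHA1) are not a substitute for a slow password hash; PHP has offered password_hash() and password_verify() since 5.5 for that purpose.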
Current thread:
- Re: Scripting Languages and Secure Coding M. Buchzik (Dec 03)
- Re: Scripting Languages and Secure Coding Timo Sirainen (Dec 03)
- Re: Scripting Languages and Secure Coding Martin Stricker (Dec 03)
- Re: Scripting Languages and Secure Coding + code Ghita Serban (Dec 04)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 04)
- Re: Scripting Languages and Secure Coding + code Andrew Rucker Jones (Dec 04)
- Re: Scripting Languages and Secure Coding + code Paul R. C. Ming (Dec 04)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 05)
- RE: Scripting Languages and Secure Coding + code Dave Paris (Dec 07)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code ck (Dec 08)
- Re: Scripting Languages and Secure Coding + code David M. Wilson (Dec 09)
- Re: Scripting Languages and Secure Coding + code Carsten Kuckuk (Dec 09)
- Re: Scripting Languages and Secure Coding + code David A. Wheeler (Dec 04)
- Re: Scripting Languages and Secure Coding + code securecodingorg (Dec 04)
- Re: Scripting Languages and Secure Coding + code Jeremy Thibeaux (Dec 04)