Secure Coding mailing list archives

Forwarded: PHP encryption for the common man


From: michaelslists at gmail.com (mikeiscool)
Date: Wed, 26 Jul 2006 09:14:10 +1000

On 7/26/06, Kenneth Van Wyk <Ken at krvw.com> wrote:

> FYI, I saw an interesting article today on IBM's web site detailing how to
> (and how NOT to) use encryption within PHP code.  Those interested can find
> the article at:
>
> http://www-128.ibm.com/developerworks/library/os-php-encrypt/index.html?ca=drs-

This doesn't seem like a _great_ article, for the 'common man', as it
involves, at least in the last step, executing a binary with proposed
input from the user (i.e. a username, or something) as command line
parameters. It validates one (the 'msg' from the form), but not the
others that may be adjusted to accept input as well.

Not only is the binary run, but it would imply that the script has
executable permissions on at least that file, if not the entire
directory, or even the entire system. All of which are bad.

It also recommends using md5, which is totally broken as a secure
hashing function and should not be used at all.


> Cheers,
>
> Ken

-- mic
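
The two problems the reply raises, shown as an added illustration that is not the IBM article's or the list's own code: a handler that validates only 'msg' while passing other form fields to an external binary, next to a version that validates and escapes every argument and uses a stronger digest than md5. The tool path, its flags and the field names are assumptions.

```php
<?php
// Constructed illustration: a form handler that hands user-supplied fields to
// an external binary. Only 'msg' is checked; 'user' and 'key' go onto the
// command line as-is. "/usr/local/bin/encrypt-tool" and its flags are hypothetical.
function build_command_unsafe(array $form): string
{
    if (!preg_match('/^[A-Za-z0-9 .,!?]{1,200}$/', $form['msg'])) {
        throw new InvalidArgumentException('msg contains unexpected characters');
    }
    // Shell metacharacters in 'user' or 'key' are parsed by the shell, not
    // passed to the tool as data.
    return "/usr/local/bin/encrypt-tool --user={$form['user']} --key={$form['key']} --msg={$form['msg']}";
}

// Hardened form: every field is matched against an allow-list pattern and
// wrapped with escapeshellarg(), so each value reaches the binary as exactly
// one argument regardless of its content.
function build_command_safe(array $form): string
{
    $rules = [
        'msg'  => '/^[A-Za-z0-9 .,!?]{1,200}$/',
        'user' => '/^[a-z][a-z0-9_]{0,31}$/',
        'key'  => '/^[A-Fa-f0-9]{32,64}$/',
    ];
    $args = [];
    foreach ($rules as $field => $pattern) {
        if (!isset($form[$field]) || !preg_match($pattern, $form[$field])) {
            throw new InvalidArgumentException("$field failed validation");
        }
        $args[] = '--' . $field . '=' . escapeshellarg($form[$field]);
    }
    return '/usr/local/bin/encrypt-tool ' . implode(' ', $args);
}

// The reply's second point: where a secure hash is needed, use PHP's hash()
// with a current algorithm rather than md5().
function digest(string $data): string
{
    return hash('sha256', $data);
}

// Constructed input: 'msg' is clean, 'user' carries a shell separator.
$form = ['msg' => 'hello', 'user' => 'bob; id', 'key' => 'x'];
echo build_command_unsafe($form), "\n"; // the separator survives into the command string
try {
    build_command_safe($form);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n"; // user failed validation
}
```

The safest change is to avoid invoking a binary from the web process at all and do the work in-process, which also removes the need for execute permission on the tool.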

