Secure Coding mailing list archives
Forwarded: PHP encryption for the common man
From: michaelslists at gmail.com (mikeiscool)
Date: Wed, 26 Jul 2006 09:14:10 +1000
On 7/26/06, Kenneth Van Wyk <Ken at krvw.com> wrote:
FYI, I saw an interesting article today on IBM's web site detailing how to (and how NOT to) use encryption within PHP code. Those interested can find the article at: http://www-128.ibm.com/developerworks/library/os-php-encrypt/index.html?ca=drs-
This doesn't seem like a _great_ article, for the 'common man', as it involves, at least in the last step, executing a binary with proposed input from the user (i.e. a username, or something) as command line parameters. It validates one (the 'msg' from the form), but not the others that may be adjusted to accept input as well. Not only is the binary run, but it would imply that the script has executable permissions on at least that file, if not the entire directory, or even the entire system. All of which are bad. It also recommends using md5, which is totally broken as a secure hashing function and should not be used at all.
Cheers, Ken
-- mic
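Added illustration (not code from the thread or from the IBM article it discusses) of how the two concerns raised above can be addressed in PHP: keep form values out of any command line by encrypting in-process with the OpenSSL extension, quote arguments if a shell command is truly unavoidable, and use a password hash rather than md5 for stored credentials. The form field names, the allowlist and the sample values are assumptions.

```php
<?php
// Added example; not the thread's or the IBM article's code.
declare(strict_types=1);

// Constructed sample input standing in for $_POST; field names are assumed.
$post = ['msg' => 'meet at noon', 'cipher' => 'aes-256-gcm'];

// Allowlist of ciphers this script supports (all use a 32-byte key).
const ALLOWED_CIPHERS = ['aes-256-gcm'];

// Preferred fix: no shell at all. Encrypting in-process means no form field
// ever becomes a command-line parameter, and GCM's tag gives integrity.
function encryptMessage(string $msg, string $cipher, string $key): string {
    if (!in_array($cipher, ALLOWED_CIPHERS, true)) {
        throw new InvalidArgumentException('unsupported cipher');
    }
    $iv  = random_bytes(openssl_cipher_iv_length($cipher));
    $tag = '';
    $ct  = openssl_encrypt($msg, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct); // iv || tag || ciphertext
}

function decryptMessage(string $blob, string $cipher, string $key): ?string {
    if (!in_array($cipher, ALLOWED_CIPHERS, true)) {
        return null;
    }
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length($cipher);
    $iv    = substr($raw, 0, $ivLen);
    $tag   = substr($raw, $ivLen, 16);
    $ct    = substr($raw, $ivLen + 16);
    $pt    = openssl_decrypt($ct, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt; // false when the tag does not verify
}

// If an external binary is unavoidable, quote every argument so shell
// metacharacters in user input are passed to the program literally.
function runWithQuotedArg(string $binary, string $arg): string {
    return shell_exec($binary . ' ' . escapeshellarg($arg)) ?? '';
}

$key  = random_bytes(32);  // 256-bit key, generated server-side, never from the form
$blob = encryptMessage($post['msg'], $post['cipher'], $key);
assert(decryptMessage($blob, $post['cipher'], $key) === $post['msg']);

// Where md5 was used for stored credentials, use a salted, slow password hash.
$hash = password_hash('constructed-secret', PASSWORD_DEFAULT);
assert(password_verify('constructed-secret', $hash));
```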