Hi!

Martin Clifford wrote:
> Firstly, you should ALWAYS use an encryption algorithm for passwords.
> For my site, I used md5() and match with that.
> That way, even if someone does get a hold of the encrypted password,
> it's not in their best interest
> (or maybe it is, if they're bored) to crack it.

NO need for decryption. I can just present it "as is" and your soft's 
gonna drink it (and may burp afterwards) :)

> Putting that at the top of the page would check to see if any
> information was sent to the page from the $_GET superglobal, and if it
> was, reload the page without any URL extensions.

Using register_globals off would do the same without any code add-on. 
And it *does* work, as many a user lately found out, in anguish for 
his/her vanished parameters/sessions/cookies/umbrellas and girlfriends 
:) Yet it cannot block your MD5 stuff from being presented back to you 
on the right channel (not so difficult to guess, it's three channels in 
all).

If you don't hold CC numbers, military stuff, bank transactions or mafia 
secrets I can hardly see any need for paranoia (in case you do, MD5ing is 
a *poor* solution). Having your CC processed by a secure third party 
will cost you much less than implementing a 90% secure system from 
scratch. When you have nothing to hide you also have nothing to fear :)

Think about it. Most users exchange their user/passwords in emails. 
"Hey! Wanna see what discount prices I got from that site, dude? Look, 
user Mickey pass MOuse (capital O, mind you, I love security, ya know). 
And don't tell anyone, okay?"

Users do it all the time. And sites, too. How many automated mails 
containing exactly the passwords you are trying to protect will you be 
forced to send over the net for the sake of "customer satisfaction"?

Most of those "forgot your password? Tell us what email you gave us, 
we'll do the rest!" will be received on public email servers, because 
nobody in his mind would send a commercial site his real email (I 
canceled my first yahoo account when I was already receiving some 50 
commercials a day, mostly about penis enlargement and marijuana 
replacers). Those emails will remain on the account for ages, just in 
case the user forgot the pass again.

Would you rate yahoo as a "secure" site? Any time I walk into a computer 
club while I'm on vacation I end up in somebody else's yahoo/ICQ or 
whatever account... I am usually trying to log out from the session that 
was left open. Maybe because I am too stupid to understand yahoo's 
security policy LOL

That was just for the sake of throwing my 2 kopeki in before going to 
sleep (we are in no euro/dollar/sterling area either :)

Bye
Альберто
Киев

@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@

LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......
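The point Alberto makes above (that a stored MD5 digest can be presented back "as is" on one of the three input channels, and that fast unsalted MD5 is a poor way to store passwords) is easy to see in code. The following is an added example, not code from this thread or from Martin's site; the in-memory `$users` and `$tokens` arrays stand in for a database, and the user/password pair is the constructed one from the post. It shows the weak pattern beside a safer one built on `password_hash()` / `password_verify()` and a random, password-independent "remember me" token.

```php
<?php
// Added example (not from the thread). Why a "remember me" cookie that
// carries md5($password) is replayable, and what a safer check looks like.

// Constructed user record; an array stands in for the DB (assumption).
$users = [
    'mickey' => [
        'md5'  => md5('MOuse'),                                // weak storage
        'hash' => password_hash('MOuse', PASSWORD_DEFAULT),    // salted, slow
    ],
];

// Weak: cookie holds md5($password) and is matched directly against the
// stored digest. Whoever holds the digest (leaked table, sniffed cookie)
// is logged in without ever knowing the password.
function weakCookieLogin(array $users, string $user, string $cookieValue): bool
{
    return isset($users[$user])
        && hash_equals($users[$user]['md5'], $cookieValue);
}

// Weak too: unsalted MD5 of the submitted password. Works as a check, but
// the stored digest falls to a wordlist in seconds if the table leaks.
function weakPasswordLogin(array $users, string $user, string $password): bool
{
    return isset($users[$user])
        && hash_equals($users[$user]['md5'], md5($password));
}

// Safer: verify the plaintext against a salted, slow hash. The stored hash
// itself is never a valid input, so presenting it "as is" fails.
function safePasswordLogin(array $users, string $user, string $password): bool
{
    return isset($users[$user])
        && password_verify($password, $users[$user]['hash']);
}

// Safer "remember me": a random token unrelated to the password. Only a
// digest of the token is kept server-side; the raw token goes in the cookie.
function issueRememberToken(array &$tokens, string $user): string
{
    $token = bin2hex(random_bytes(32));
    $tokens[hash('sha256', $token)] = $user;
    return $token;
}

// Look the cookie token up; returns the user name or null.
function rememberLogin(array $tokens, string $token): ?string
{
    return $tokens[hash('sha256', $token)] ?? null;
}

// Walk-through with the constructed record.
$leaked = $users['mickey']['md5'];                            // digest an attacker might hold
var_dump(weakCookieLogin($users, 'mickey', $leaked));         // bool(true): digest replays
var_dump(safePasswordLogin($users, 'mickey', $leaked));       // bool(false)
var_dump(safePasswordLogin($users, 'mickey', 'MOuse'));       // bool(true)
var_dump(safePasswordLogin($users, 'mickey', 'Mouse'));       // bool(false): capital O matters

$tokens = [];
$cookie = issueRememberToken($tokens, 'mickey');
var_dump(rememberLogin($tokens, $cookie));                    // string(6) "mickey"
var_dump(rememberLogin($tokens, $leaked));                    // NULL: the password digest is no token
```

The safer variant still needs register_globals off (or explicit `$_POST` / `$_COOKIE` reads) so that a value arriving on one channel cannot masquerade as a server-side variable, which is the "three channels" point in the post. `hash_equals()` is used in all comparisons to avoid timing differences, and the remember-me token should be invalidated server-side when the user logs out or changes the password.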


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php