PHP Encryption
Results 1 to 7 of 7

Thread: PHP Encryption

  1. #1
    Junior Member
    Join Date
    May 2002
    Posts
    1

    PHP Encryption

    I am using php to produce an online game at http://www.ageofcaves.com/ and i need a way of encrypting the users password within the URL. Can somebody outline how i would go about this?

    Cheers,

    Bingham

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    Try using the crypt() function. I'm new to PHP as well, but I think it goes crypt(string,salt). The cool thing about it, is that it is altered-DES encryption (aka. Unix encryption)

  3. #3
    Junior Member
    Join Date
    Nov 2001
    Posts
    1
    how can he or me ;-) check if the passwd is valid ...
    Is there any way of doing it ?!
    I heard about a function of name salt() but i did not find any reference to it in php.net or phpbuilder.com
    Went to hell and back , all in black and
    white . welcome to bash....

  4. #4
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    Depends very much on what level of security you want to accomplish.

    A simple way is to put it through md5() - this produces 32 randomly looking
    characters. When you read this off the URL, you can take the password in your
    DB, md5() it once more, and compare the two.

    One problem is that this md5() value never changes, so if anyone intercepts it,
    they may be able to use it for some bad purpose.

    Actually I'm wondering why you need the password on the URL. Can't you just
    use ordinary session handling, just like any other "login script".

    If you really need it, we must add some randomness to the md5() value. Try telling
    us more details of what you want done.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    735
    Ugh, old old old old post.

    erikjacobsen > That was his first and last post so I doubt he's going to see your reply

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    One problem is that this md5() value never changes, so if anyone intercepts it,
    they may be able to use it for some bad purpose.
    How is this different from if it changes?

    If someone can intercept the value, they can impersonate the user. If they're quick enough, they can get it even if it changes. It makes no difference in principle.

    Use SSL and it is harder to intercept either way

  7. #7
    Junior Member
    Join Date
    Jul 2002
    Posts
    11
    In the short run you can add a check for a cookie, or check for the same IP-number.

    But who knows what smyn31337 actually wants to use it for?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •