-
May 19th, 2002, 01:03 PM
#1
Junior Member
PHP Encryption
I am using PHP to produce an online game at http://www.ageofcaves.com/ and I need a way of encrypting the user's password within the URL. Can somebody outline how I would go about this?
Cheers,
Bingham
-
May 19th, 2002, 01:54 PM
#2
Try using the crypt() function. I'm new to PHP as well, but I think it goes crypt(string,salt). The cool thing about it is that it is altered-DES encryption (a.k.a. Unix encryption).
-
June 21st, 2002, 10:56 AM
#3
Junior Member
How can he or me ;-) check if the passwd is valid ...
Is there any way of doing it?!
I heard about a function named salt() but I did not find any reference to it on php.net or phpbuilder.com
Went to hell and back , all in black and
white . welcome to bash....
-
July 1st, 2002, 12:49 PM
#4
Junior Member
Depends very much on what level of security you want to accomplish.
A simple way is to put it through md5() - this produces 32 random-looking characters. When you read this off the URL, you can take the password in your DB, md5() it once more, and compare the two.
One problem is that this md5() value never changes, so if anyone intercepts it, they may be able to use it for some bad purpose.
Actually I'm wondering why you need the password on the URL. Can't you just use ordinary session handling, just like any other "login script"?
If you really need it, we must add some randomness to the md5() value. Try telling us more details of what you want done.
-
July 1st, 2002, 07:58 PM
#5
Ugh, old old old old post.
erikjacobsen > That was his first and last post, so I doubt he's going to see your reply.
-
July 2nd, 2002, 09:46 PM
#6
"One problem is that this md5() value never changes, so if anyone intercepts it, they may be able to use it for some bad purpose."
How is this different from if it changes?
If someone can intercept the value, they can impersonate the user. If they're quick enough, they can get it even if it changes. It makes no difference in principle.
Use SSL and it is harder to intercept either way.
-
July 2nd, 2002, 09:57 PM
#7
Junior Member
In the short run you can add a check for a cookie, or check for the same IP-number.
But who knows what smyn31337 actually wants to use it for?
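The password check asked about in post #3, and the session handling suggested in post #4 in place of a password in the URL, as an added PHP example that is not part of any post in this thread. The function names, the `$users` array standing in for the database, and the sample accounts are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. $users stands in for the game's
// user table; function names and the sample accounts are constructed.

// Registration: store only a salted, slow hash. The salt is generated and
// embedded in the hash string, so no separate salt function is needed.
function register_user(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: password_verify() reads algorithm and salt back out of the stored
// hash and compares in constant time. It also accepts crypt() hashes.
function check_password(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    // Upgrade legacy hashes to the current default on a successful login.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// After a successful check, identity lives server-side in the session. Only a
// random session id reaches the browser, in a cookie, never in the URL.
function start_user_session(string $name): void
{
    session_start([
        'use_strict_mode' => 1,
        'use_only_cookies' => 1,
        'cookie_httponly' => 1,
        'cookie_secure' => 1, // assumes the site is served over HTTPS
    ]);
    session_regenerate_id(true); // new id at login defeats session fixation
    $_SESSION['user'] = $name;
}

// Constructed demo; runs from the command line (the session step needs a web request).
$users = [];
register_user($users, 'bingham', 'sample-passphrase-1');
$users['olduser'] = crypt('sample-passphrase-2', '$1$abcdefgh$'); // legacy MD5-crypt row

var_dump(check_password($users, 'bingham', 'sample-passphrase-1'));
var_dump(check_password($users, 'bingham', 'wrong-guess'));
var_dump(check_password($users, 'olduser', 'sample-passphrase-2'));
var_dump(password_get_info($users['olduser'])['algoName']); // algorithm of the row after login
```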