----- Original Message -----
From: "Tim" <user@xxxxxxxxxxxxx>
-----Original Message-----
From: Haydar Tuna [mailto:haydartuna@xxxxxxxxxx]
Sent: Tuesday 20 February 2007 10:34
To: php-general@xxxxxxxxxxxxx
Subject: Re: Securing user table with sha function
Hello again,
If you crypt your usernames, many problems happen.
As you know, if you crypt any string with SHA1, you cannot
decrypt it again. You cannot use the username in your application.
In many of my applications, I have crypted the password, but I haven't
crypted the usernames, because I use the username for session
authentication. For example, if I want to act on the
usernames or list the usernames, how can I do this? All of the
usernames are crypted.
OK, then what if I consider using PHP's Mcrypt extension with a key to
crypt/decrypt data? This would give me the possibility to use a crypted
username hash in the session variable and decrypt it at any moment with the
proper key.
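The two ideas in the thread side by side, as an added example that is not code from either poster: Haydar's setup (username stored in clear so it can be looked up and listed, password stored only as a one-way hash) and Tim's idea of a reversible cipher for the username. It assumes PHP 7.1 or later and uses openssl_encrypt() in place of the Mcrypt extension, which was removed in PHP 7.2, and password_hash() in place of a bare sha1() call; the user table is a constructed in-memory array.

```php
<?php
// Added example, not from the mailing-list thread. Assumes PHP >= 7.1.

// Constructed stand-in for the user table (a DB table in practice).
$users = [];

function register(array &$users, string $username, string $password): void
{
    // Password: one-way only. password_hash() salts and uses bcrypt by
    // default, which replaces an unsalted sha1($password).
    $users[$username] = [
        'username'      => $username,   // kept in clear: needed for lookup and listing
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

function login(array $users, string $username, string $password): bool
{
    // Look up by the clear username, then verify against the one-way hash.
    // If the username column were itself hashed, listing users by name
    // (Haydar's "list of usernames") would be impossible: sha1() has no inverse.
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]['password_hash']);
}

// Tim's idea: a reversible cipher so the session can hold an encrypted
// username and recover it with the key. AES-256-GCM is used so a wrong
// key or a tampered blob is rejected instead of yielding garbage.
const CIPHER = 'aes-256-gcm';

function encryptUsername(string $username, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));   // 12 bytes for GCM
    $tag = '';
    $ct  = openssl_encrypt($username, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function decryptUsername(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;   // null: wrong key or tampered data
}

// Usage with constructed values.
register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));

// The key must live on the same server that encrypts and decrypts, so
// whoever can read the session store or the database as the application
// usually can read the key too. That is the practical limit of the scheme.
$key  = random_bytes(32);   // constructed; a real key is stored outside the web root
$blob = encryptUsername('alice', $key);
var_dump(decryptUsername($blob, $key));
var_dump(decryptUsername($blob, random_bytes(32)));
```

The encrypt/decrypt pair does what Tim asks for, but note where the key ends up: the application process needs it for every request, so encrypting the username protects against an offline copy of the table, not against anyone who already runs code as the application.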
One approach I have often seen to security is making things complicated,
assuming that it will deter intrusion. Complicating things, though, rarely
achieves anything useful. Being paranoid about some data, you might be
complicating your own work and that of those who will have to maintain and
upgrade the application afterwards, for very little gain. There are good and
proven ways to secure an application. If you rarely see anyone going beyond
those basic rules, it is because the pay-off is marginal in terms of security
but too complicated in terms of maintainability. Take the user name you are
so concerned about. Are you subscribed to eBay and get their newsletter?
They send you their mailings with your username in clear to let you know it
is indeed from them. eBay runs one of the most secure open sites in the
world, and they don't mind sending your login name in the clear, and nor do
I, so why should you? Just complicating things doesn't make a site more
secure; it just complicates it.
Satyam
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php