On Wed, Aug 3, 2011 at 4:05 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Wed, 2011-08-03 at 15:35 -0400, Alex Nikitin wrote:
>
> On Wed, Aug 3, 2011 at 3:08 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> > On Wed, 2011-08-03 at 22:02 +0300, Andre Polykanine wrote:
> >
> > Hello Alex,
> >
> > Thanks for the tip. I'm not storing it in the database (you see, it's "asdfasdf" and the key string is "secret key"), I'm just studying mcrypt's possibilities :-).
> >
> > --
> > With best regards from Ukraine,
> > Andre
> > Skype: Francophile
> > My blog: http://oire.org/menelion (mostly in Russian)
> > Twitter: http://twitter.com/m_elensule
> > Facebook: http://facebook.com/menelion
> >
> > ------------ Original message ------------
> > From: Alex Nikitin <niksoft@xxxxxxxxx>
> > To: Andre Polykanine
> > Date created: , 9:27:42 PM
> > Subject: Studying mcrypt
> >
> > Yes, since it's trying to represent in characters some purely binary data,
> > it is not unlikely that you will get VERY weird characters (and you do).
> >
> > Also you shouldn't actually encrypt passwords, the proper way to store them
> > is hashed, so that if someone grabs your database, they don't have your
> > passwords, even if they have the "key".
> >
> > Best way to check is to decrypt it and verify...
> >
> > --
> > The trouble with programmers is that you can never tell what a programmer is
> > doing until it's too late. ~Seymour Cray
> >
> > On Wed, Aug 3, 2011 at 12:40 PM, Andre Polykanine <andre@xxxxxxxx> wrote:
> >
> > > Hello Php,
> > >
> > > It's my first time I use mcrypt.
> > > I've done everything like it's written in the php manuals, here is the
> > > code:
> > >
> > > <?php
> > > $d=mcrypt_module_open("rijndael-256", "", "ofb", "");
> > > $iv=mcrypt_create_iv(mcrypt_enc_get_iv_size($d), MCRYPT_DEV_RANDOM);
> > > $ks=mcrypt_enc_get_key_size($d);
> > > $key=substr(md5("Secret key"), 0, $ks);
> > > mcrypt_generic_init($d, $key, $iv);
> > > $cpass=mcrypt_generic($d, $_POST['opass']);
> > > mcrypt_generic_deinit($d);
> > > mcrypt_module_close($d);
> > > ?>
> > >
> > > And here's what I get:
> > > Original password: asdfasdfasdf
> > > Encrypted password: Q� j�����*
> > >
> > > Question: Is it normal to have such strange characters in the encrypted
> > > string?
> > > I'm hosted at http://godaddy.com/, shared hosting, if it does matter.
> > > Thanks!
> > >
> > > --
> > > With best regards from Ukraine,
> > > Andre
> > > Skype: Francophile
> > > Twitter: http://twitter.com/m_elensule
> > > Facebook: http://facebook.com/menelion
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > >
> >
> > Please don't top-post :)
> >
> > You can use base64_encode() on it to convert it into something that's
> > printable and storable in the DB without having to resort to a binary blob
> >
> > --
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
> >
>
> Isn't that a bit counterproductive though, storing it in binary?
>
> Purely storage-related:
> Say we are storing a 128byte result of encryption.
> Storing it in a varbin would mean that you would use up 128+1 bytes of
> storage, whereas if you were to base64 encode it, data length would be 170
> or so bytes, +1byte or 171bytes... 42 bytes difference...
>
> This was a crypto class I wrote for something, I can't even recall exactly
> what project it was for, it is making its way into the framework, but for
> now, I've changed it to be "normal" again
>
> Hopefully it should be pretty straightforward:
> http://pastebin.com/TFn468dM
>
> --
> The trouble with programmers is that you can never tell what a programmer is
> doing until it's too late. ~Seymour Cray
>
> The beauty of encoding something into base64 is that you can then easily
> move that data around to systems that can't handle binary. You can pass a
> base64 image down to the browser to display, without requiring a second
> script to create the image used in the <img> tag. JavaScript can manipulate
> base64 data making it an alternative to JSON where JSON won't work. Command
> line environments won't be able to deal with binary arguments, but base64 is
> fine. It all depends on what you want to do with it at the end of the day.
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>

That's why I prefaced it with "purely storage-related". base64 is awesome, I use it as a hack to get around XSS and SQL injection, it works beautifully :)

--
The trouble with programmers is that you can never tell what a programmer is
doing until it's too late. ~Seymour Cray
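
The points raised in this thread (hash passwords instead of encrypting them, ciphertext is raw binary, base64 trades size for printability), as an added example that is not part of any poster's message or of the pastebin class. It assumes PHP 7.1+ with the openssl extension, since mcrypt was removed in PHP 7.2; `seal_blob`, `unseal_blob` and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with the openssl
// extension; mcrypt was removed in PHP 7.2, so AES-256-GCM stands in for it.

// Passwords: store a salted one-way hash, so no key can recover them.
$password = 'asdfasdfasdf';                      // sample value from the thread
$hash = password_hash($password, PASSWORD_DEFAULT);
printf("stored hash: %s\n", $hash);              // already printable text
printf("correct: %s, wrong: %s\n",
    var_export(password_verify($password, $hash), true),
    var_export(password_verify('not-the-password', $hash), true));

// Data that must be read back: encrypt to raw bytes (hypothetical helper).
function seal_blob(string $plaintext, string $key): string
{
    $iv = random_bytes(12);                      // fresh 96-bit nonce per message
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;                     // 12 + 16 + strlen($plaintext) raw bytes
}

// Reverse of seal_blob(); fails closed if the blob was altered or truncated.
function unseal_blob(string $blob, string $key): string
{
    if (strlen($blob) < 28) {
        throw new InvalidArgumentException('blob too short');
    }
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($blob, 0, 12), substr($blob, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

$key   = random_bytes(32);                       // constructed key for the demo
$plain = str_repeat('A', 100);                   // constructed payload
$blob  = seal_blob($plain, $key);                // binary: for a VARBINARY/BLOB column
$b64   = base64_encode($blob);                   // printable: for text columns, JSON, CLI
printf("raw: %d bytes, base64: %d chars\n", strlen($blob), strlen($b64));

$decoded = base64_decode($b64, true);            // strict mode rejects stray characters
var_dump($decoded !== false && unseal_blob($decoded, $key) === $plain);
```

With the 100-byte payload the sealed blob is 128 raw bytes, and base64 pads that out to 172 characters, which is the storage overhead discussed above.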