I want to hash some data from the user. What I want to know is:
1) Should I filter before or after the hashing?
2) How do I hash?
3) Should I use different hashes for "sessions" and "cookies"?
Your questions aren't entirely clear. You may need to post more information, or maybe you just need to read more about the idea of hashing before you can ask specific questions.
Here's a place to start:
http://en.wikipedia.org/wiki/Hash_function
MD5 and SHA1 are pretty standard, with MD5 being a little older and slightly "weaker" in the sense that there are some databases out there with lists of input/output pairs that could potentially make hacking easier.
A hash function takes an input (often of a text string or a file) and converts it to a consistent output. However, this function is one-way-- there's no way to "unhash" or "decrypt" the result. It doesn't contain the information. Instead, it just logically relates to it-- any time you take X and hash it, you will receive Y. But you cannot find X from Y.
When someone logs in, you get their raw password, find the hash, then you compare that hash to the hashed password already stored in the database. If hash=hash, then you know that input=input.
1) What do you mean by "filter"? I don't see why. I suppose you could convert all input to lowercase if you wanted to not have case-sensitive passwords, or something like that. I don't suggest it, though. Whatever input you get, put it directly in the hash function and go from there. (I suppose you might want to be certain it's valid-- make sure it's a string and so forth to avoid any errors, but otherwise you don't need to change the content of a valid input.)
There is something called "salt", or "salting". This is where you add some extra value to the beginning or end of the input (as you would add salt to food). This adds extra security-- the process then generates a different hash than would come from the raw input, and that means you can't guess what the pairs might be, and (probably, more likely) no database (as exists for MD5) will contain those pairs.
Salt must be consistent (if it changes, the hashes won't match) so it's usually done one of three ways:
1) A consistent 'salt' string for the whole website. A little lazy, a little less secure, but basically will function. Maybe add "xyz" to the end of all input.
2) Add the username to the password before hashing. Or something else like a username-- email maybe. Almost as secure as (3).
3) When the user creates the account (or changes the password?) generate a random string and store that in the database as salt for that user-- most secure, a little more work.
Also, another very simple (but effective) method is to hash multiple times-- use hash(hash(string)) rather than just hash(string) and you will get a couple of levels of change so you're not sure what the original input was.
...but again, most of this is potentially excessive if your system is secure in other ways.
2) You asked in the PHP forum, so the answer is md5() or sha1(), and there's plenty of information available on php.net for those. There are also some other algorithms if you want to look for them, but those are definitely the most common. And those same algorithms are available in many other languages also, if that becomes relevant for you.
3) If you want to compare the same information, you must use the same hash function and the same input and the same stored hashed values. If you want to compare two different kinds of unrelated information, you can of course use different processes. But I don't think this is necessary. It wouldn't hurt (just like salt) though so maybe you could add different salt in the process there, if you want.
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
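The per-user random salt described as option (3) above, written out as an added PHP example. This is not code from the thread; it assumes PHP 7 or later (for random_bytes() and hash_equals()) and uses an in-memory array in place of the database table.

```php
<?php
// Added example, not from the thread: store a per-user random salt plus the hash of
// salt+password, never the password itself, then verify a login by recomputing the hash.
// $users stands in for a database table with salt and hash columns. Assumes PHP 7+.
declare(strict_types=1);

// Hash the salt and password together. Same salt and same input always give the same
// digest, which is what makes the later comparison work.
function hashPassword(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// Create an account record: generate a random salt and store salt + hash.
function createUser(array &$users, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16)); // 32 hex characters, unique per user
    $users[$username] = [
        'salt' => $salt,
        'hash' => hashPassword($password, $salt),
    ];
}

// Verify a login attempt: recompute the hash with the stored salt and compare it to the
// stored hash. hash_equals() compares in constant time, so the comparison does not leak
// how many leading characters matched.
function verifyLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $expected = $users[$username]['hash'];
    $actual   = hashPassword($password, $users[$username]['salt']);
    return hash_equals($expected, $actual);
}

// Demo with a constructed in-memory "table".
$users = [];
createUser($users, 'alice', 'correct horse battery staple');
createUser($users, 'bob',   'correct horse battery staple');

// Same password for two users: because the salts differ, the stored hashes differ too,
// so a precomputed table of digests for common passwords is useless against them.
var_dump($users['alice']['hash'] !== $users['bob']['hash']);

var_dump(verifyLogin($users, 'alice', 'correct horse battery staple'));
var_dump(verifyLogin($users, 'alice', 'wrong password'));
var_dump(verifyLogin($users, 'carol', 'anything'));

// Built-in equivalent in PHP 5.5+: password_hash() generates the salt itself and uses a
// deliberately slow algorithm (bcrypt by default); password_verify() does the comparison.
$stored = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery staple', $stored));
```

The first var_dump shows that two users with the same password get different stored hashes; the next three show a correct login, a wrong password and an unknown user. The last two lines show the standard library doing the same job, which is what a practitioner would reach for today: it handles salt generation and storage format, and its slow algorithm makes guessing far more expensive than a single md5() or sha1() call.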
Well, this is what I want to do and why I need to know how to do it:
1) "Should I filter before or after the hashing"
If I use base_64 to encode it, sometimes it gives me an "=" sign,
but my cookies will not take that; it will turn it into %20 or whatever,
so I can filter "=" because it turns it into %20.
2) What do I use to hash sessions and then what do I use to hash cookies?
3) I need to know what type of hash to use for what.
1) That's not hashing. base_64 is easily reversible, so it's not secure, and I wouldn't recommend it. If you use a hash algorithm, it will give you a standard set of characters regardless of input (as I said, even a file), so that's not a problem. (Hashes are usually hexadecimal, meaning 16 digits, from 0-9, A-F, similar to HTML color codes if you're familiar with that.) The length is also constant, though it varies by algorithm-- md5 is 32 characters, sha1 is 40 (I think), etc.
So if you are NOT hashing, then you should worry about what characters you have. If you ARE hashing, then you do not need to worry.
2) Look up a tutorial on this. I've already explained a lot in my last post, and that is just the basics of how to do it. It's not a one step process and you don't "hash sessions". You would hash the password that allows access to the sessions. In short, store a hashed password instead of the real password; then compare the hashed input to see if it's right. That means you don't need to store the raw password in the database-- that's all it does.
(Alternatively, hashing can be used, especially for files, to compare whether two things are similar. This method can also be called a "checksum" so that you know if two files, e.g. a download and a known file, are equivalent, without directly comparing both files. So you could in theory use this method to compare two sessions (ALL of the data in the sessions), but I don't know why you'd want to do this. If you want to, explain why so we know how to help.)
3) There aren't really types. You just need an algorithm. md5() or sha1() will be fine.
To be completely direct (and this is meant to be helpful, I promise) your posts show a fundamental lack of understanding of what hashing is, what it can do, and how it should be used. You should read the Wikipedia article, look at example login/password scripts, and look for a hashing tutorial. It's not a simple concept and because it has to do with security it's important to understand it in detail, not just skip to the 'important parts'.
So, a broader question: why do you want to do this? Did someone tell you to? Did you read about it somewhere? I recommend asking the person who told you to do this for more information, or reading more in that source about why/how it works-- and regardless, look up some more information and tutorials on it.
Hashing is very simple and very useful, but it's also very confusing if you don't know what it is-- it's not at all intuitive. Then at some point it will just make complete sense.
After you have a better idea of how hashing works (or as you are learning more) please take another look at my post above (maybe this one too) and your questions will probably be answered.
Also, create a very basic PHP file and try using the algorithms like this:

<?php
$input = 'Write anything here including strange characters';
echo 'MD5: ';
echo md5($input);
echo '<br>SHA1: ';
echo sha1($input);
?>

md5_file() and sha1_file() might be interesting to play with too.
Last edited by djr33; 09-15-2012 at 04:11 AM.
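An added PHP example, not from the thread, illustrating the two points made in the post above: a hex digest has a fixed length and uses only 0-9 and a-f whatever the input (including base64 output with its trailing "="), so it needs no filtering before going into a cookie, while base64 itself is a reversible encoding, not a hash; and hash_file() as a checksum to compare two files. It assumes PHP 7 or later; all inputs and files are constructed for the demo.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+. Sample inputs are constructed.
declare(strict_types=1);

// Digest lengths in hex characters for the algorithms named in the thread, plus SHA-256.
// The length depends only on the algorithm, never on the input.
function digestLengths(string $input): array
{
    return [
        'md5'    => strlen(md5($input)),
        'sha1'   => strlen(sha1($input)),
        'sha256' => strlen(hash('sha256', $input)),
    ];
}

// A hex digest contains only 0-9 and a-f, so it never needs escaping in a cookie or URL.
function isCookieSafeHex(string $digest): bool
{
    return ctype_xdigit($digest);
}

$inputs = [
    'plain text',
    'strange characters: = & ? / % + ü 日本',  // would be mangled if stored raw in a cookie
    base64_encode(random_bytes(32)),          // base64 output, complete with trailing '='
    str_repeat('x', 100000),                  // a long input gives the same digest length
];

foreach ($inputs as $i => $in) {
    $digest = sha1($in);
    printf("input %d: sha1=%s hex-only=%s lengths=%s\n",
        $i, $digest,
        isCookieSafeHex($digest) ? 'yes' : 'no',
        json_encode(digestLengths($in)));
}

// Contrast: base64 is an encoding, not a hash. It is reversible and carries '=' padding,
// which is exactly the character the cookie was rewriting.
$encoded = base64_encode('user=alice');
printf("base64: %s  decodes back to: %s\n", $encoded, base64_decode($encoded));

// Checksum use: decide whether two files are identical by comparing digests rather than
// reading both files side by side.
$a = tempnam(sys_get_temp_dir(), 'dl');
$b = tempnam(sys_get_temp_dir(), 'dl');
file_put_contents($a, "release-1.0.zip contents (constructed)\n");
file_put_contents($b, "release-1.0.zip contents (constructed)\n");
$same = hash_equals(hash_file('sha256', $a), hash_file('sha256', $b));
printf("files identical by sha256: %s\n", $same ? 'yes' : 'no');
unlink($a);
unlink($b);
```

Every line of the loop reports hex-only=yes and the same three lengths (32, 40, 64), which is the reason the post says filtering is unnecessary once you actually hash. The base64 line shows why it is the wrong tool for hiding a value: decoding recovers the original. For the checksum case the digests are compared with hash_equals(), so a mismatch is reported without leaking where the digests diverge.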