Re: [PHP] Security issues with writing a login system?
What rand and chr do is create a char from a number. The number is randomly generated, and most of the chars you used are within the ASCII range 65 till 122. Basically, it can randomly add another character within that range. That's a LOT faster than creating a string, assigning a position to each char at random and then cutting off most of the string till there is only one character left. String operations are quite slow, and your code requires about 20 random numbers and 2 string operations whereas mine only uses 1 random number and a single number -> char conversion, which in PHP's original language (C) is extremely fast. Not only does this require 10 times fewer operations, it also requires far less code:
PHP Code:
    $char = '';                              // initialise before appending
    for ($i = 0; $i < $length; $i++) {       // start at 0 so exactly $length chars are produced
        $char .= chr(rand(65, 122));         // one random ASCII code between 'A' (65) and 'z' (122)
    }
If you don't want chars 91 till 96 (which aren't alphanumeric chars technically speaking) you can quite simply exclude that range:
PHP Code:
    $char = '';
    for ($i = 0; $i < $length; $i++) {
        // coin flip picks upper case ('A'..'Z') or lower case ('a'..'z'), skipping 91..96
        $char .= rand(0, 1) ? chr(rand(65, 90)) : chr(rand(97, 122));
    }
Takes one more rand operation but you only get letters. The exact chars that are available can be found at Ascii Table.
As for storing a password hash: like I said, it's the only thing that only the user in question knows. Alternatively you can create a random number, hash that, and store username - number relations in a database for instance, but even then someone could easily log in as another user with a small amount of brute-forcing. The only thing you can be sure the hacker does not know is the password of the user, since if he did he'd simply use that to log in :wink:
Re: [PHP] Security issues with writing a login system?
Quote: Originally Posted by FragFrog
What rand and chr do is create a char from a number. The number is randomly generated, and most of the chars you used are within the ASCII range 65 till 122. Basically, it can randomly add another character within that range. That's a LOT faster than creating a string, assigning a position to each char at random and then cutting off most of the string till there is only one character left. String operations are quite slow, and your code requires about 20 random numbers and 2 string operations whereas mine only uses 1 random number and a single number -> char conversion, which in PHP's original language (C) is extremely fast. Not only does this require 10 times fewer operations, it also requires far less code:
PHP Code:
    $char = '';                              // initialise before appending
    for ($i = 0; $i < $length; $i++) {       // start at 0 so exactly $length chars are produced
        $char .= chr(rand(65, 122));         // one random ASCII code between 'A' (65) and 'z' (122)
    }
If you don't want chars 91 till 96 (which aren't alphanumeric chars technically speaking) you can quite simply exclude that range:
PHP Code:
    $char = '';
    for ($i = 0; $i < $length; $i++) {
        // coin flip picks upper case ('A'..'Z') or lower case ('a'..'z'), skipping 91..96
        $char .= rand(0, 1) ? chr(rand(65, 90)) : chr(rand(97, 122));
    }
Takes one more rand operation but you only get letters. The exact chars that are available can be found at Ascii Table.
As for storing a password hash: like I said, it's the only thing that only the user in question knows. Alternatively you can create a random number, hash that, and store username - number relations in a database for instance, but even then someone could easily log in as another user with a small amount of brute-forcing. The only thing you can be sure the hacker does not know is the password of the user, since if he did he'd simply use that to log in :wink:
Yeah, I rewrote one like that but with 0 - 2, so I could get the set between 48 - 57, 65 - 90 and 97 - 122.
Honestly, I did not make the one above - a friend did, I don't know why he used that method.
edit:
PHP Code:
    function GenerateRandomString($Length)
    {
        $String = '';                       // must be initialised before .= is used on it
        for ($i = 0; $i < $Length; $i++)
        {
            // pick one of the three ASCII ranges with equal probability
            $Selection = rand(0, 2);
            if ($Selection == 0)
            {
                $Position = rand(65, 90);   // 'A'..'Z'
            } else if ($Selection == 1)
            {
                $Position = rand(97, 122);  // 'a'..'z'
            } else
            {
                $Position = rand(48, 57);   // '0'..'9'
            }
            $String .= chr($Position);
        }
        return $String;
    }
(Not tested, haven't had time yet)
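An added example (not code from either poster) of the same alphanumeric generator written the way you would want it in a login system: each character is drawn uniformly from the whole 62-character set (ASCII 48-57, 65-90, 97-122) with random_int(), which is backed by the OS CSPRNG, instead of rand(), and without the "pick a range first" step, which makes each digit more likely than each letter because the digit range holds 10 characters and each letter range 26. Assumes PHP 7.0 or later; the function names are my own.

```php
<?php
declare(strict_types=1);

// Same character set the reply targets: '0'..'9', 'A'..'Z', 'a'..'z'.
const ALPHANUMERIC = '0123456789'
    . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    . 'abcdefghijklmnopqrstuvwxyz';

function generateRandomString(int $length, string $alphabet = ALPHANUMERIC): string
{
    if ($length < 1 || $alphabet === '') {
        throw new InvalidArgumentException('length must be >= 1 and alphabet non-empty');
    }
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max] and uses the OS CSPRNG,
        // so every alphabet character is equally likely at every position.
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Check used by the caller: correct length and nothing outside the alphabet.
// strspn() returns how many leading characters are all in the mask.
function isWellFormed(string $s, int $length, string $alphabet = ALPHANUMERIC): bool
{
    return strlen($s) === $length && strspn($s, $alphabet) === $length;
}

// Probability of any single digit vs any single letter per position when a
// range is chosen first with rand(0,2), as in the reply's function.
function rangeFirstBias(): array
{
    return ['digit' => (1 / 3) / 10, 'letter' => (1 / 3) / 26];
}

$token = generateRandomString(16);
var_dump(isWellFormed($token, 16));
print_r(rangeFirstBias());
```

With a fixed alphabet, the per-character probability is 1/62 regardless of whether the character is a digit or a letter.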