http://bbgames.disqus.com/enWed, 24 Aug 2011 12:44:49 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-294491232<p>Well, this post is 2 years old now, but still for those reading it now: this is not the proper way of storing salted hashes.</p><p>The real purpose of salt is to render hashes of the same password different from each other so that if two users have the same password their hashed values would still look different.</p><p>A proper implementation would add a random salt generated on the fly for each user, and store that value in a 'salt' column in the db.</p><p>Then you can compute the proper hash fetching the salt associated with the username, then joining it with the password the user typed in.</p><p>Disqus is too laggy today for me to write proper code, but i doubt anyone will be reading this anyway.</p>ValerioDeCamillisWed, 24 Aug 2011 12:44:49 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-7216443<p>Ah ok :).<br>Anyway, my salt (which I made before I read this thanks to the user comments on other pages) is short, and I probably do not need it anywhere else than on the login and register page. <br>Thanks for your reply!</p>MrLolligeSat, 14 Mar 2009 14:05:48 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-7215554<p>The benefits of turning it into a configuration value aren't so much in<br>securing it, as they are in not repeating it everywhere - if your salt is<br>'thequickbrownfoxjumpedoverthelazydog', do you really want to type that<br>everytime you need it?</p>LukeSat, 14 Mar 2009 13:12:13 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-7214651<p>you could(and probably should) turn the salt into a configuration parameter</p><p>Why? I mean, if I change the salt value (if someone figured it and modified his dictionary to it), noone would be able to login any more....</p>MrLolligeSat, 14 Mar 2009 12:13:10 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-4077067<p>It doesn't matter much, but it isn't necessary to nest the md5() function within mysql_real_escape_string() as you will never have to escape a hexadecimal string.</p><p>While it usually works regardless, HTTP/1.1 requires you to use an absolute URL in header redirects. Example from php manual below:</p><p>/* Redirect to a different page in the current directory that was requested */<br>$host = $_SERVER['HTTP_HOST'];<br>$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');<br>$extra = 'mypage.php';<br>header("Location: http://$host$uri/$extra");<br>exit();<br></p>Chris HepnerSun, 30 Nov 2008 19:08:12 -0000