http://bbgames.disqus.com/enSat, 14 Mar 2009 14:05:48 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-7216443Ah ok :).<br>Anyway, my salt (which I made before I read this thanks to the user comments on other pages) is short, and I probably do not need it anywhere else than on the login and register page. <br>Thanks for your reply!MrLolligeSat, 14 Mar 2009 14:05:48 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-7215554The benefits of turning it into a configuration value aren't so much in<br>securing it, as they are in not repeating it everywhere - if your salt is<br>'thequickbrownfoxjumpedoverthelazydog', do you really want to type that<br>everytime you need it?bbgamesSat, 14 Mar 2009 13:12:13 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-7214651you could(and probably should) turn the salt into a configuration parameter<br><br>Why? I mean, if I change the salt value (if someone figured it and modified his dictionary to it), noone would be able to login any more....MrLolligeSat, 14 Mar 2009 12:13:10 -0000http://buildingbrowsergames.com/2008/07/15/securing-our-hashes-php/#comment-4077067It doesn't matter much, but it isn't necessary to nest the md5() function within mysql_real_escape_string() as you will never have to escape a hexadecimal string. <br><br>While it usually works regardless, HTTP/1.1 requires you to use an absolute URL in header redirects. Example from php manual below:<br><br>/* Redirect to a different page in the current directory that was requested */<br>$host = $_SERVER['HTTP_HOST'];<br>$uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');<br>$extra = 'mypage.php';<br>header("Location: <a href="http://%24host%24uri/%24extra%22%29;" rel="nofollow">http://$host$uri/$extra");</a><br>exit();Chris HepnerSun, 30 Nov 2008 19:08:12 -0000