smallseo.info

Secure hash and salt for PHP passwords

It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection.

This question, Is “double hashing” a password less secure than just hashing it once? suggests that hashing multiple times may be a good idea, whereas How to implement password protection for individual files? suggests using salt.

I'm using PHP. I want a safe and fast password encryption system. Hashing a password a million times may be safer, but also slower. How to achieve a good balance between speed and safety? Also, I'd prefer the result to have a constant number of characters.

1. The hashing mechanism must be available in PHP
2. It must be safe
3. It can use salt (in this case, are all salts equally good? Is there any way to generate good salts?)

Also, should I store two fields in the database (one using MD5 and another one using SHA, for example)? Would it make it safer or unsafer?

In case I wasn't clear enough, I want to know which hashing function(s) to use and how to pick a good salt in order to have a safe and fast password protection mechanism.

Related questions that don't quite cover my question:

What's the difference between SHA and MD5 in PHP
Simple Password Encryption
Secure methods of storing keys, passwords for asp.net
How would you implement salted passwords in Tomcat 5.5

Sort Multi-dimensional Array by Value [duplicate]

Possible Duplicate:
How do I Sort a Multidimensional Array in PHP

How can I sort this array by the value of the "order" key? Even though the values are currently sequential, they will not always be.

Array
(
    [0] => Array
        (
            [hashtag] => a7e87329b5eab8578f4f1098a152d6f4
            [title] => Flower
            [order] => 3
        )

    [1] => Array
        (
            [hashtag] => b24ce0cd392a5b0b8dedc66c25213594
            [title] => Free
            [order] => 2
        )

    [2] => Array
        (
            [hashtag] => e7d31fc0602fb2ede144d18cdffd816b
            [title] => Ready
            [order] => 1
        )
)

PHP detecting request type (GET, POST, PUT or DELETE)

How can I detect which request type was used(GET, POST, PUT or DELETE) in php?

When to use self over $this?

In PHP 5, what is the difference between using self and $this?

When is each appropriate?

UTF-8 all the way through

I'm setting up a new server, and want to support UTF-8 fully in my web application. I have tried in the past on existing servers and always seem to end up having to fall back to ISO-8859-1.

Where exactly do I need to set the encoding/charsets? I'm aware that I need to configure Apache, MySQL and PHP to do this - is there some standard checklist I can follow, or perhaps troubleshoot where the mismatches occur?

This is for a new Linux server, running MySQL 5, PHP 5 and Apache 2.

What's the best method for sanitizing user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of html tags?

What is stdClass in PHP?

Please define what stdClass is.

PHP and Enumerations

I know that PHP doesn't have native Enumerations. But I have become accustomed to them from the Java world. I would love to use enums as a way to give predefined values which IDEs' auto completion features could understand.

Constants do the trick, but there's the namespace collision problem and (or actually because) they're global. Arrays don't have the namespace problem, but they're too vague, they can be overwritten at runtime and IDEs rarely (never?) know how to autofill their keys.

Are there any solutions/workarounds you commonly use? Does anyone recall whether the PHP guys have had any thoughts or decisions around enums?

Why shouldn't I use mysql_* functions in PHP?

What are the technical reasons why I shouldn't use mysql_* functions? (e.g. mysql_query(), mysql_connect() or mysql_real_escape_string())?

Why should I use something else even if they work on my site?

How to get the client IP address in PHP?

How can I get the client IP address using PHP?

I want to keep record of the user who logged into my website through his/her IP address.

Reference - What does this error mean in PHP?

What is this?

This is a number of answers about warnings, errors and notices you might encounter while programming PHP and have no clue how to fix. This is also a Community Wiki, so everyone is invited to participate in adding to and maintaining this list.

Why is this?

Questions like "Headers already sent" or "Calling a member of a non-object" pop up frequently on Stack Overflow. The root cause of those questions is always the same. So the answers to those questions typically repeat them and then show the OP which line to change in his/her particular case. These answers do not add any value to the site because they only apply to the OP's particular code. Other users having the same error can not easily read the solution out of it because they are too localized. That is sad, because once you understood the root cause, fixing the error is trivial. Hence, this list tries to explain the solution in a general way to apply.

What should I do here?

If your question has been marked as a duplicate of this, please find your error message below and apply the fix to your code. The answers usually contain further links to investigate in case it shouldn't be clear from the general answer alone.

If you want to contribute, please add your "favorite" error message, warning or notice, one per answer, a short description what it means (even if it is only highlighting terms to their manual page), a possible solution or debugging approach and a listing of existing Q&A that are of value. Also, feel free to improve any existing answers.

The List

• Nothing is seen. The page is empty and white. (also known as White Page/Screen Of Death)
• Code doesn't run/what looks like parts of my PHP code are output
• Warning: Cannot modify header information - headers already sent
• Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given a.k.a.
  Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource a.k.a.
  Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given (or similar variations)
• Warning: [function] expects parameter 1 to be resource, boolean given
• Warning: [function]: failed to open stream: [reason]
• Warning: open_basedir restriction in effect
• Warning: Division by zero
• Warning: Illegal string offset 'XXX'
• Parse error: syntax error, unexpected '['
• Parse error: syntax error, unexpected T_XXX
• Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE
• Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM
• Parse error: syntax error, unexpected T_VARIABLE
• Fatal error: Allowed memory size of XXX bytes exhausted (tried to allocate XXX bytes)
• Fatal error: Call to a member function ... on a non-object
• Fatal Error: Call to Undefined function XXX
• Fatal Error: Cannot redeclare XXX
• Fatal error: Can't use function return value in write context
• Fatal error: Declaration of AAA::BBB() must be compatible with that of CCC::BBB() '
• Fatal error: Using $this when not in object context
• Notice: Array to string conversion
• Notice: Trying to get property of non-object error
• Notice: Undefined variable
• Notice: Undefined Index
• Notice: Undefined offset XXX [Reference]
• Notice: Uninitialized string offset: XXX
• Notice: Use of undefined constant XXX - assumed 'XXX'
• MySQL: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ... at line ...
• Strict Standards: Non-static method [<class>::<method>] should not be called statically

Also see

• Reference - What does this symbol mean in PHP?

How do I expire a PHP session after 30 minutes?

I need to keep a session alive for 30 minutes and then destroy it.

When should I use require_once vs include?

In PHP:

• When should I use require vs. include?
• When should I use require_once vs. require?

How to fix "Headers already sent" error in PHP

When running my script, I am getting several errors like this:

Warning: Cannot modify header information - headers already sent by (output started at /some/file.php:12) in /some/file.php on line 23

The lines mentioned in the error messages contain header() and setcookie() calls.

What could be the reason for this? And how to fix it?

How does 'foreach' actually work?

Let me prefix this by saying that I know what foreach is, does and how to use it. This question concerns how it works under the bonnet, and I don't want any answers along the lines of "this is how you loop an array with foreach".

For a long time I assumed that foreach worked with the array itself. Then I found many references to the fact that it works with a copy of the array, and I have since assumed this to be the end of the story. But I recently got into a discussion on the matter, and after a little experimentation found that this was not in fact 100% true.

Let me show what I mean. For the following test cases, we will be working with the following array:

$array = array(1, 2, 3, 4, 5);

Test case 1:

foreach ($array as $item) {
  echo "$item\n";
  $array[] = $item;
}
print_r($array);

/* Output in loop:    1 2 3 4 5
   $array after loop: 1 2 3 4 5 1 2 3 4 5 */

This clearly shows that we are not working directly with the source array - otherwise the loop would continue forever, since we are constantly pushing items onto the array during the loop. But just to be sure this is the case:

Test case 2:

foreach ($array as $key => $item) {
  $array[$key + 1] = $item + 2;
  echo "$item\n";
}

print_r($array);

/* Output in loop:    1 2 3 4 5
   $array after loop: 1 3 4 5 6 7 */

This backs up our initial conclusion, we are working with a copy of the source array during the loop, otherwise we would see the modified values during the loop. But...

If we look in the manual, we find this statement:

When foreach first starts executing, the internal array pointer is automatically reset to the first element of the array.

Right... this seems to suggest that foreach relies on the array pointer of the source array. But we've just proved that we're not working with the source array, right? Well, not entirely.

Test case 3:

// Move the array pointer on one to make sure it doesn't affect the loop
var_dump(each($array));

foreach ($array as $item) {
  echo "$item\n";
}

var_dump(each($array));

/* Output
  array(4) {
    [1]=>
    int(1)
    ["value"]=>
    int(1)
    [0]=>
    int(0)
    ["key"]=>
    int(0)
  }
  1
  2
  3
  4
  5
  bool(false)
*/

So, despite the fact that we are not working directly with the source array, we are working directly with the source array pointer - the fact that the pointer is at the end of the array at the end of the loop shows this. Except this can't be true - if it was, then test case 1 would loop forever.

The PHP manual also states:

As foreach relies on the internal array pointer changing it within the loop may lead to unexpected behavior.

Well, let's find out what that "unexpected behavior" is (technically, any behavior is unexpected since I no longer know what to expect).

Test case 4:

foreach ($array as $key => $item) {
  echo "$item\n";
  each($array);
}

/* Output: 1 2 3 4 5 */

Test case 5:

foreach ($array as $key => $item) {
  echo "$item\n";
  reset($array);
}

/* Output: 1 2 3 4 5 */

...nothing that unexpected there, in fact it seems to support the "copy of source" theory.

The Question

What is going on here? My C-fu is not good enough for me to able to extract a proper conclusion simply by looking at the PHP source code, I would appreciate it if someone could translate it into English for me.

It seems to me that foreach works with a copy of the array, but sets the array pointer of the source array to the end of the array after the loop.

• Is this correct and the whole story?
• If not, what is it really doing?
• Is there any situation where using functions that adjust the array pointer (each(), reset() et al.) during a foreach could affect the outcome of the loop?