logs archiveIRC Archive / Freenode / #php / 2015 / August / 4 / 1
fabienwang
dunno I use sha512-crypt
voodookobra
why?
teresko
fabienwang: hshing functions are not meant for storing passwords
they are made to be FAST
voodookobra
sha512crypt is itereated
it's one of the crypt() options
but it's not the optimal solution
use password_hash() and password_verify()
fabienwang
I can't
TML
argon2 is what we'll likely switch password_hash to
like I said, I haven't had time to port it to C yet
ircmaxell
TML: not unless they cahnge the algorithm. Today it's not suitable
fabienwang
I use this hash because it's fair enough and supported by all services I provide (ftp/xmpp/smtp/pop3 and imap)
binauralman
im building an app, the erd footprint is currently small but growing, i want the application to be fast. does utilizing an ORM have a large effect on the end outcome of speed vs straight sql queries?
         

EGreg
I am willing to use anything that is available on ALL PHP INSTALLATIONS
bcrypt sadly is an extension that must be installed
ircmaxell
EGreg: no it's not, it's available in ALL PHP 5.3.0+ installs
EGreg
so I fall back to regular sha1 with salt and key strengthening, instead of refusing to work
TML
ircmaxell: fair enough - I'll provide a PHP port at some point; I just assumed you'd switch to it :)
ircmaxell
TML: I will gladly switch to it when it becomes good enough to switch to ;-)
EGreg
btw ircmaxell knows what he's talking about when it comes to using crypto in php :)
at least it seems so from his web writings for the past 4 years
"Earlier versions of PHP acted weirdly if bcrypt support was not compiled in from scratch. Starting with 5.3.0, BCrypt is included (and enabled) by default. But older versions may or may not have support. The problem here is that if you used a bcrypt style salt in crypt() when bcrypt was not available, it wouldn't error out. Instead, it would fall back to using DES (which is extremely weak). Here's an example: "
fabienwang
hey ircmaxell :)
riano
howdy folks. Anyone here exceptionally skilled in sockets and or daemons in PHP? I'm trying to have a daemon be able to reload itself without losing the connected socket
EGreg
I agree with that
TML
EGreg: Yes, I'm the one who fixed that.
EGreg
Oh, very awesome. How many PHP committers are in this channel?
Gatomon
https://edit.yahoo.com/config/child register 13 - https://edit.yahoo.com/config/child trap 7
LOL
TML
a few
EGreg
Here is where I admit a sin: I "rolled my own crypto" for hashing passwords, in accordance with best practices that don't use bcrypt
https://github.com/EGreg/Platform/blob/master/platform/plugins/Users/classes/Users/User.php#L120
fabienwang
TML, have you worked on phpng branch before it was merged ?
EGreg
I use the user id as the salt
The user id is randomly generated at the time that the user record is inserted into the db
TML
fabienwang: No
EGreg
Here is the algorithm: https://github.com/EGreg/Platform/blob/master/platform/plugins/Users/classes/Users.php#L1332
TML
fabienwang: I don't really have anything to do with any of the stuff that changed in ng
_blizzy_
why is this taking a long time to load? https://gist.github.com/NotBlizzard/6764278a2f625679c0ea
         

EGreg
TML: do you think https://github.com/EGreg/Platform/blob/master/platform/plugins/Users/classes/Users.php#L1332 is relatively secure?
TML
EGreg: I don't really have the time to do that analysis right now, sorry
EGreg
Okay.
Essentially by default it runs sha1 1103 times and uses a salt whichi t appends to the passphrase.
(It also encourages users to use passphrases instead of passwords)
The hash function, number of times it is run, the salt length, are all configurable by the app.
Gatomon
EGreg, about this whole key strengthening business, I'm getting rready to show something rather scary.
EGreg
ok let me know when u do
TML
ircmaxell: Was there a specific thing about argon2 you didn't care for? I've been trying to wrack my brains to think of what your objection(s) might be, but coming up blank - however, I only briefly glanced at the C++ implementation.
ircmaxell
TML: really it has to do with how optimizable it is on GPUs at low memory settings
TML
(which was kind of crap, and is part of why I will be porting it to C before adding it to PHP)
_blizzy_
could anyone help me figure out why https://gist.github.com/NotBlizzard/6764278a2f625679c0ea is taking so long to load?
fabienwang
EGreg, your app does not force login or register on https.
TML
_blizzy_: Well, that would run until the IRC server disconnects you.
fabienwang
_blizzy_, freenode is not fast as well.
Gatomon
(Action) wonders if https://github.com/EGreg/Platform/blob/1cfd98e481ce756cf0fec21b5062ee58bb0fbff0/platform/plugins/Users/classes/Users.php can result in a null byte.
EGreg
fabienwang: it should force https?
dn
fabienwang: do you know how I would go about if I have more than 1 element in the xml? Because when using "$xml->children() as $points", i can see it's content with print_r - but if I then use "$points->children()" it just outputs "SimpleXMLElement Object ( )" like 10 times (1 time for every line).
EGreg
fabienwang: I agree that without https, the account can be hijacked by MITM
the framework tries to hash the password on theclient at least
Gatomon
My gosh it's like a maze inside of a maze reading this code.
EGreg
so the password itself isn't compromised
_blizzy_
TML, fabienwang, thanks.
ircmaxell
fabienwang
EGreg, MITM or anyone on the same local network (ie. school/univ or company).
EGreg
right that's what I mean by MITM also
fabienwang
dn, hummm I would have to try. I helped you with a code from 2011 and didn't use simplexml since&
EGreg
they'd have to see what your browser sent
does wordpress work without https
for login?
I am pretty sure it does :-/
yep just checked.
dn
fabienwang: oh.. well any help is appreciated, I'm really stuck here. could a solution be to convert the .xml table into a array and then just use that in the loop?
fabienwang
dn, you can use getName() method to know where you are.
whoever
when a client connects to the server, is there a way of getting their time to see if they alterd their clock or not
fabienwang
example: foreach ($xml->children() as $child) then $child->getName() will output 'points'
and for points children, it will output matt lisa and frank i guess.
Alphos
whoever short answer : no. why would you want to anyway ?
whoever
Alphos: i want to check files last mod time against the server clock and if they are after then do something if not then don't do anything
Alphos
whoever why would you need your user's time for that ?
whoever
Alphos: wouldn't a different timezone produce a different time and day
Alphos
on your server ?
fabienwang
dn: see working code here: http://pastebin.com/gYCm7VGr
whoever
the file would be on a local box but then when you connect to a server in there there is 2 different timezones
Alphos
whoever you're not really making any sense...
TML
dn: What are you trying to do?
dn
fabienwang: giving it a go now
whoever
Alphos: I(the server) creates a socket with you(client) , a few days go by, we reconnnect, and i want to varify that your clock is not alterd before acpting the file
_blizzy_
I'm getting "fwrite() expects parameter 1 to be resource, boolean given" on line 26 of this file and IDK why. https://gist.github.com/NotBlizzard/6764278a2f625679c0ea
Alphos
whoever why would you want to do that ?
not only the "verify that the clock isn't altered" part, but also the "send a file over a socket that's been up for days" part
whoever
to exchange information
\malex\
_blizzy_: you aren't checking that fsockopen() succeeded
TML
_blizzy_: Well, ask yourself what it is that you're writing to which should be a resource, but is a boolean instead
\malex\: >:I
fabienwang
whoever, never use client clocks, that's all.
Alphos
whoever yes, as far as communication protocols go, they're all about exchanging information
\malex\
TML: sorry :D
_blizzy_
\malex\, TML, oh, thank you.
whoever
thaught it was implied tha the socket would be down after the file was created
« prev 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 next »