  1. #1
    Join Date
    Jan 2010
    Location
    United Kingdom
    Posts
    846
    Tokens
    1,766
    Habbo
    triston220

    Latest Awards:

    Default [PHP] Neat Little Hashing Function

    Here's a little function I wrote for use in one of my projects:

    PHP Code:
    function Protect($string, $salt = "FGTERTYBE5434576876897RETBREY") {
        // rot13 the input, prepend the salt, hash with Whirlpool, then rot13 the hex digest
        $string = str_rot13(hash("whirlpool", $salt . str_rot13($string)));
        return $string;
    }


    Usage:

    Hashing with the default salt:
    PHP Code:
    Protect("PAssw0rd"); 
    Hashing with a custom salt:
    PHP Code:
    Protect("PassW0rd", "MYsA1t");
    Enjoy.


    Quote Originally Posted by Jaaaack! View Post
    See, however much I want this, my girlfriend uses my PC too much, and I would be killed.





  2. #2
    Join Date
    Mar 2008
    Posts
    5,108
    Tokens
    3,780

    Latest Awards:

    Default

    I really don't see why you posted this..? You just used str_rot13 and the hash function with whirlpool.. you didn't write the hashing, you just wrote a function to call it..

  3. #3
    Join Date
    Jan 2010
    Location
    United Kingdom
    Posts
    846
    Tokens
    1,766
    Habbo
    triston220

    Latest Awards:

    Default

    Quote Originally Posted by Dentafrice View Post
    I really don't see why you posted this..? You just used str_rot13 and the hash function with whirlpool.. you didn't write the hashing, you just wrote a function to call it..
    Which is less time consuming:

    PHP Code:
    $string = str_rot13(hash("whirlpool", "My Salt Here" . str_rot13("My Password")));
    OR:

    PHP Code:
    $String = Protect("My Password", "My Salt Here");







  4. #4
    Join Date
    Mar 2008
    Posts
    5,108
    Tokens
    3,780

    Latest Awards:

    Default

    Which is pointless? Yours. Why are you shifting the characters anyway? Anyone who knows that they are shifted will be able to just reverse the shifting and it's back to being pointless.

    I suggest you take a few minutes to read up on encryption and hashing algorithms and learn a tad bit before showing off things that are pointless.

  5. #5
    Join Date
    Jan 2010
    Location
    United Kingdom
    Posts
    846
    Tokens
    1,766
    Habbo
    triston220

    Latest Awards:

    Default

    Quote Originally Posted by Dentafrice View Post
    Which is pointless? Yours. Why are you shifting the characters anyway? Anyone who knows that they are shifted will be able to just reverse the shifting and it's back to being pointless.

    I suggest you take a few minutes to read up on encryption and hashing algorithms and learn a tad bit before showing off things that are pointless.
    By your reasoning, you might as well store passwords in plain text. Sure, if you knew it was shifted you can reverse it for the second shift, but not for the first shift.
    Last edited by triston220; 04-12-2011 at 06:44 PM.







  6. #6
    Join Date
    Jul 2004
    Location
    California
    Posts
    8,725
    Tokens
    3,789
    Habbo
    HotelUser

    Latest Awards:

    Default

    @triston220 It's good to see you're investing time in securing your scripts, I take it you're still learning and that's fine. If you want to protect user passwords further you could look into adding a salt, or reading up on encrypting and hashing (stackoverflow is usually a good place to see how other folks secure data, something like this http://stackoverflow.com/questions/3...a256-or-sha512) good luck

    I'd also pay no attention to how dentafrice worded his post. He means well I'm sure, I think he probably just doesn't realize that the way he worded his post sounds slightly rude/arrogant.
    I'm not crazy, ask my toaster.

  7. #7
    Join Date
    Jan 2010
    Location
    United Kingdom
    Posts
    846
    Tokens
    1,766
    Habbo
    triston220

    Latest Awards:

    Default

    Quote Originally Posted by HotelUser View Post
    @triston220 It's good to see you're investing time in securing your scripts, I take it you're still learning and that's fine. If you want to protect user passwords further you could look into adding a salt, or reading up on encrypting and hashing (stackoverflow is usually a good place to see how other folks secure data, something like this http://stackoverflow.com/questions/3...a256-or-sha512) good luck

    I'd also pay no attention to how dentafrice worded his post. He means well I'm sure, I think he probably just doesn't realize that the way he worded his post sounds slightly rude/arrogant.
    Thanks. The script does use a salt though. Encryption is definitely a viable option though.







  8. #8
    Join Date
    Mar 2008
    Posts
    5,108
    Tokens
    3,780

    Latest Awards:

    Default

    Of course I mean well.

    Anyways, the rotation is pointless and stupid. Trust me. You're using whirlpool and a salt, that's good enough. If someone gets access to your database, in most cases they will most likely already or in the future have access to your files and program code.

    Meaning:

    1) They have found a vulnerability in your site, have access to your files and read a configuration file to find MySQL details and then dump your database.

    2) They have FTP and are using it maliciously to now read your configuration file and dump your database.

    3) They have found exploits and now have access to your database and may or may not eventually get your files.

    So either way, the algorithm in your program's code of shifting the string is pointless.. stick with a GOOD user-variable'd salt and a good hashing algorithm and that's all you need.

    It's obvious you're just young and learning, and do not really know a lot about PHP, encryption, hashing, or security. That's fine. But take my word for it when I tell you things... I've been there, done that, too many times in my near decade of programming.

  9. #9
    Join Date
    Jan 2010
    Location
    United Kingdom
    Posts
    846
    Tokens
    1,766
    Habbo
    triston220

    Latest Awards:

    Default

    Quote Originally Posted by Dentafrice View Post
    Of course I mean well.

    Anyways, the rotation is pointless and stupid. Trust me. You're using whirlpool and a salt, that's good enough. If someone gets access to your database, in most cases they will most likely already or in the future have access to your files and program code.

    Meaning:

    1) They have found a vulnerability in your site, have access to your files and read a configuration file to find MySQL details and then dump your database.

    2) They have FTP and are using it maliciously to now read your configuration file and dump your database.

    3) They have found exploits and now have access to your database and may or may not eventually get your files.

    So either way, the algorithm in your program's code of shifting the string is pointless.. stick with a GOOD user-variable'd salt and a good hashing algorithm and that's all you need.

    It's obvious you're just young and learning, and do not really know a lot about PHP, encryption, hashing, or security. That's fine. But take my word for it when I tell you things... I've been there, done that, too many times in my near decade of programming.
    SQLi = Access to database.
    Shelling = Access to files, and therefore the database too.

    It all depends on the exploit used. If it's been SQL injected, (Which, hopefully it won't have been, if you sanitize your input) an intruder wouldn't know it's been rotated. This would delay, or fully prevent, reversal of the original input.







  10. #10
    Join Date
    Mar 2008
    Posts
    5,108
    Tokens
    3,780

    Latest Awards:

    Default

    It would delay. Rotational patterns have always been found and identified. Since the earliest of Caesar ciphers. Might as well give up, not going to win, kid.
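
Added example, not code from any poster in this thread: it reproduces the `Protect()` function discussed above to show what its stored output reveals, and sets it beside PHP's built-in `password_hash()` / `password_verify()` as the per-user-salted alternative. The passwords, the helper `looksLikeRot13Hex()` and the use of `password_hash()` (PHP 5.5 or later) are assumptions of this example, not something the thread specifies.

```php
<?php
// Added example, not from the thread. All passwords below are constructed.

// The thread's function, reproduced so its output can be examined.
function Protect($string, $salt = "FGTERTYBE5434576876897RETBREY") {
    return str_rot13(hash("whirlpool", $salt . str_rot13($string)));
}

// Hypothetical helper: a hex digest uses only 0-9 and a-f. rot13 leaves the
// digits alone and maps a-f to n-s, so a stored value made only of 0-9 and
// n-s announces that rot13 was applied to a hex digest.
function looksLikeRot13Hex($stored) {
    return preg_match('/^[0-9n-s]+$/', $stored) === 1;
}

// 1) The outer rot13 is visible in the stored value and undone by rot13 itself,
//    which leaves a plain 128-character Whirlpool hex digest.
$stored = Protect("PAssw0rd");
var_dump(looksLikeRot13Hex($stored));
var_dump(preg_match('/^[0-9a-f]{128}$/', str_rot13($stored)) === 1);

// 2) The inner rot13 is a fixed, keyless permutation of the input, so it
//    contributes no secret to the hash.

// 3) One salt shared by every user: equal passwords produce equal stored
//    values, so accounts that reuse a password are linked in the table.
$alice = Protect("hunter2");
$bob   = Protect("hunter2");
var_dump($alice === $bob);

// Hardened form: password_hash() draws a fresh random salt per call, stores
// it with the algorithm and cost inside the returned string, and is
// deliberately slow to compute.
$aliceHash = password_hash("hunter2", PASSWORD_DEFAULT);
$bobHash   = password_hash("hunter2", PASSWORD_DEFAULT);
var_dump($aliceHash === $bobHash);                // differs: per-password salt
var_dump(password_verify("hunter2", $aliceHash)); // correct password accepted
var_dump(password_verify("hunter3", $aliceHash)); // wrong password rejected
```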
