I've done plenty of googling and whatnot and can't find quite what I'm looking for...

I am working on tightening up the authentication for my website. I decided to take the user's credentials and hash/salt the heck out of them, then store these values in the DB and in user cookies. I modified a script I found on the PHP website and it's working great so far. I noticed, however, when using array_rand(), that it would select the chars from the predefined string sequentially. I didn't like that, so I decided to use a shuffle on the array_rand()'d array. Worked great.

Next! I thought it would be clever to turn my user-inputted password into an array, then merge that with my salted array! Well, I am having trouble turning my user's password into an array. I want each character in their password to be an array entry. I.e., if your password was "cool", the array would be Array ( 0 => c, 1 => o, 2 => o, 3 => l ), etc. I have tried wordwrap to split up the string, then explode it with the specified break character; that didn't work. I figure I could do something with a for loop, strlen and whatnot, but there HAS to be a more elegant way.

Any suggestions? I'm kind of stumped :( Here is what I have so far, I'm not done with this as I haven't progressed further than the explodey part.

<?php
$string = 'cool'; // the user-supplied password (constructed value for this snippet)

// wordwrap() only breaks at whitespace unless its fourth argument ($cut) is true,
// so for a single word this leaves $strings identical to $string.
$strings = wordwrap($string, 1, "|");
echo $strings . "<br />";
// explode() with a limit of 1 returns the whole string as a single element;
// the limit must be omitted to get one element per delimiter-separated piece.
$stringe = explode("|", $strings, 1);
print_r($stringe);
echo "<br />";
echo "This is the exploded password string, for mixing with salt.<hr />";

3 Answers

25

The PHP function you want is str_split:

str_split('cool', 1);

And it would return, if used as above:

[0] => c
[1] => o
[2] => o
[3] => l

2 Comments

This works PERFECTLY! Thank you very much, Colum! Always something to learn :) Sending good (((vibes))) your way!
Guys, also don't use explode; it can't have an empty delimiter :) Just felt like mentioning.
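The accepted answer is correct for ASCII input, but there is one caveat a practitioner will want when the string is a password: str_split() works on bytes, not characters, so a UTF-8 password containing "ä" (two bytes) comes back one entry longer than its visible length. The following is an added example, not code from the question or the answers; it compares str_split() with a character-aware split (mb_str_split() on PHP 7.4+, with a preg_split() fallback for older versions) and goes slightly beyond the question by handling the multibyte case. It assumes PHP 7.0 or later and the mbstring extension; the inputs are constructed.

```php
<?php
// Added example, not code from the original question or answers.
// Splitting a string into an array of characters in PHP, and why the
// choice matters for passwords: str_split() splits on bytes, so a
// multibyte UTF-8 character such as "ä" becomes two array entries.

function split_bytes(string $s): array
{
    // str_split() returns one entry per byte when the chunk length is 1.
    return str_split($s, 1);
}

function split_chars(string $s): array
{
    // mb_str_split() is encoding-aware (PHP >= 7.4, mbstring extension).
    if (function_exists('mb_str_split')) {
        return mb_str_split($s, 1, 'UTF-8');
    }
    // Fallback for older PHP: split on the empty pattern in Unicode mode,
    // which yields one element per code point rather than per byte.
    return preg_split('//u', $s, -1, PREG_SPLIT_NO_EMPTY);
}

// Constructed inputs: an ASCII password and one containing a two-byte character.
foreach (['cool', 'pässword'] as $password) {
    printf(
        "%-9s bytes=%d  str_split entries=%d  character entries=%d\n",
        $password,
        strlen($password),
        count(split_bytes($password)),
        count(split_chars($password))
    );
}
```

For 'cool' both splits give four entries; for 'pässword' strlen() reports nine bytes and str_split() nine entries, while the character-aware split gives eight. Whichever you pick, be consistent between registration and login, or a user with a non-ASCII password may be unable to log in after a PHP or encoding change.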
3

Thanks to PHP's loose typing, if you treat the string as an array, PHP will happily do what you would expect. For example:

$string = 'cool';
echo $string[1]; // outputs 'o'.

3 Comments

This is not related to loose typing; it's just called substring access and is not to be mistaken for an array.
Hey bulk, thanks for the information. I had explored that actually but trying to get the word split into an actual array for array_rand just wasn't working quite well. Unless of course array_rand can treat a string as an array... I just figured it wouldn't. Thank you for the info regardless :)
Sorry for the double, wish I could edit, I meant array_merge. Urf
3

Never, EVER implement (or, in this case, design too!) cryptographic algorithms unless you really know what you are doing. If you decide to go ahead and do it anyway, you're putting your website at risk. There's no reason you should have to do this: there are most certainly libraries and/or functions to do all of this sort of thing already.

4 Comments

Hey, thanks for the heads up. I will ultimately be using MD5 to hash the mixed-up salt/password. The plan is ultimately to create a salt, mix the password, md5 the salt, md5 the password, then put the hash of each together and hash that string, and then use that as the DB credentials/cookie credentials. It is my hope that this will prevent rainbow table attacks against users with common passwords and/or user names. It is then my ultimate hope that I can implement SSL/TLS to protect the transmission of the cookie's details to prevent MITM. Does that sound ok? Thanks :)
I've heard that MD5 isn't really recommended much because of growing threats against it. I've heard the same of SHA1. Would you recommend SHA256? Isn't it true, though, that MD5's only inherent weakness is weak user input itself? This is why I plan to use a 30-character salt. I'm no guru by any means though. Always learning!
You could very well be right. I'm not at all a cryptography expert so I can't speak on SHA256, but what I've read is that MD5 is not very 'collision-resistant'. To over-simplify a lot, imagine a hashing algorithm that produces a single-bit hash, 0 or 1. Because there are only two possible hashes and an infinite number of inputs, there will be many collisions. Collision-resistance refers to an equal (or close to) number of "0 hashes" and "1 hashes" for any sort of input. MD5 does not have this property. This paper outlines this vulnerability.
@Shawn: For a straight-to-the-point article on how to store password, see codahale.com/how-to-safely-store-a-password (Then get a bcrypt implementation for PHP here openwall.com/phpass) When you need to help your users create strong passwords, see XKCD xkcd.com/936
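The last comment points at bcrypt (via phpass). Since PHP 5.5 the same thing is built into the language as password_hash()/password_verify(), which generate the per-user salt for you and use a constant-time comparison. The example below is added here and is not code from the thread or from phpass; it shows the built-in bcrypt route in place of the md5/salt mixing described in the question, and it also shows what to put in the cookie instead of the password hash: a random login token whose hash, not the token itself, is stored server-side. It assumes PHP 7.3 or later; the $db array standing in for the database and the user name are constructed.

```php
<?php
// Added example, not code from the original thread or from phpass.
// Built-in bcrypt for storage plus a random token for the cookie, so the
// password hash never leaves the server. $db is a stand-in for a real
// database (an assumption for this example).

$db = ['users' => [], 'tokens' => []];

// Registration: bcrypt with a per-user random salt generated by PHP.
// Note that bcrypt only uses the first 72 bytes of the password.
function register(array &$db, string $username, string $password): void
{
    $db['users'][$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Login: password_verify() does the salt extraction and a constant-time compare.
function login(array &$db, string $username, string $password): bool
{
    $hash = $db['users'][$username] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

// "Remember me": hand the browser a random token and keep only its SHA-256
// hash in the database, so a leaked table row does not yield a usable cookie.
function issue_token(array &$db, string $username): string
{
    $token = bin2hex(random_bytes(32));
    $db['tokens'][hash('sha256', $token)] = $username;
    return $token;
}

function user_for_token(array $db, string $token): ?string
{
    return $db['tokens'][hash('sha256', $token)] ?? null;
}

// Constructed demo run.
register($db, 'shawn', 'correct horse battery staple');
var_dump(login($db, 'shawn', 'correct horse battery staple'));
var_dump(login($db, 'shawn', 'cool'));

$token = issue_token($db, 'shawn');
var_dump(user_for_token($db, $token) === 'shawn');

// Only ever send the token over TLS and keep it out of reach of JavaScript.
// setcookie() must be called before any output is sent.
setcookie('remember', $token, [
    'expires'  => time() + 30 * 86400,
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
```

The first login() call returns true and the second false; the token lookup returns true. The salt, cost factor and algorithm are all embedded in the string password_hash() produces, so a column of those strings is all the DB needs, and password_needs_rehash() lets you raise the cost later without a migration. The cookie flags ('secure', 'httponly') cover the MITM concern raised in the comments once the site is served over TLS.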
