3 comments

[ 4.3 ms ] story [ 19.2 ms ] thread
yikes, a php security site telling people to use sha1().

don't use sha1 hashes for storing passwords, use bcrypt. http://www.openwall.com/phpass/

or a quick code snippet:

        for ($salt = "", $x = 0; $x++ < 40; $salt .= chr(mt_rand(0,255)))
            ;

        $hashed = crypt($password, '$2a$08$' . hash("whirlpool", $salt));
I hope this article is really old...at least then the author can claim ignorance.

phpsec should update this article with a more secure example.

Well, bonus points for including SQL that doesn't suffer from SQL injection issues, but every one of the suggestions is wrong.

I'm personally confused by this comment:

  Note: Using MySQL's password() function in your own applications isn't recommended - the algorithm used has changed over time and prior to 4.1 was particularly weak.
So.. if you know it's not recommended, why even include an example of it?