Dec 8

A few months ago I read this excellent article on password hashing schemes and found out some things I hadn't previously thought about. For instance, it may sound like a pretty novel thing, but speed in a hashing algorithm is not what you're looking for, and some hashing algorithms are much slower than others by design. The other day someone on IRC didn't believe that crypt() would take significantly more time than md5(), so of course I had to test it. Here's what I came up with to benchmark the two:

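// Time 5000 MD5 hashes.
$t = microtime(true);
for($i=0;$i<5000;$i++){
	$m = md5('password');
}
$diff = microtime(true) - $t;

// Time 5000 crypt() hashes. crypt() is called without a salt, as in the
// original test; PHP 8.0 and later require a salt argument, and the format
// of the salt selects the algorithm.
$t2 = microtime(true);
for($i=0;$i<5000;$i++){
	$m = crypt('password');
}
$diff2 = microtime(true) - $t2;
echo("MD5: " . $diff . "\n");
echo("crypt (DES): " . $diff2 . "\n");
echo("MD5 was " . $diff2/$diff . " times faster than crypt\n");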

My average results with this say that md5() is something close to 125 times faster than crypt(). If you were just hashing one password, the difference would be negligible to the user. However, if someone is trying to brute-force one versus the other, the time will definitely make a difference. The moral of the story? Sometimes slower is better.

I apologize to any cryptographers who were hurt while reading this post; it's not very scientific, but it is the simplest way I can think of to demonstrate the time difference between these two algorithms. I'm sure you could do it better, and I encourage anyone who knows more than I do to let me know in the comments.
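The same "slower is better" point, taken one step further with PHP's password_hash(), where the slowness is a tunable cost factor. This is an added example, not code from the original post; the helper names, the 50 ms budget and the cost range 8 to 14 are assumptions, and it needs PHP 7.4 or later.

```php
<?php
// Added example (not from the original post): time md5() against bcrypt at
// several cost factors, then pick a cost that fits a per-login time budget.

/** Average seconds per call of $fn over $rounds calls. */
function seconds_per_hash(callable $fn, int $rounds): float {
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $rounds;
}

/** Lowest bcrypt cost in [$min, $max] whose hash takes at least $targetSeconds. */
function calibrate_bcrypt_cost(float $targetSeconds, int $min = 8, int $max = 14): int {
    for ($cost = $min; $cost < $max; $cost++) {
        $t = seconds_per_hash(
            fn() => password_hash('password', PASSWORD_BCRYPT, ['cost' => $cost]), 3);
        if ($t >= $targetSeconds) {
            return $cost;
        }
    }
    return $max;
}

$md5 = seconds_per_hash(fn() => md5('password'), 5000);
printf("md5:            %.9f s/hash\n", $md5);

// Each step up in cost doubles the work for the server and for a guesser alike.
foreach ([8, 10, 12] as $cost) {
    $t = seconds_per_hash(
        fn() => password_hash('password', PASSWORD_BCRYPT, ['cost' => $cost]), 5);
    printf("bcrypt cost %2d: %.6f s/hash (%.0fx slower than md5)\n", $cost, $t, $t / $md5);
}

// Assumed budget: about 50 ms per login attempt on this server.
$cost = calibrate_bcrypt_cost(0.05);
$hash = password_hash('password', PASSWORD_BCRYPT, ['cost' => $cost]);
printf("chosen cost: %d\n", $cost);

// Verification reads the cost and salt back out of the stored hash string.
var_dump(password_verify('password', $hash));
var_dump(password_verify('Password', $hash));
// Reports whether a stored hash was made under different options than the
// current policy, so it can be re-hashed at the user's next successful login.
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost + 1]));
```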

Nov 18

I had a project I was working on yesterday and I needed to sort out an array in order of most to least repeated, so I came up with this:

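$array = array_count_values($array);
// arsort() sorts by count, highest first, and keeps the keys;
// array_multisort() would re-index numeric keys and lose integer values.
arsort($array);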

If you don't want the frequency that they occur in as the value, you can do this:

$array = array_count_values($array);
// arsort() keeps the keys, so array_keys() returns the original values.
arsort($array);
$array = array_keys($array);

Hope this helps someone. :)

Nov 4

Have you ever wanted to get the key name AND the value of an array for use in a loop? You might have done something like this (I know I have):

$keys = array_flip($array);
foreach($array as $a){
	echo($keys[$a] . "-" . $a . "\n");
}

Why is this bad? It uses almost twice as much memory as this next method. The following will produce the same output as the above with less code and less memory:

foreach($array as $k=>$v){
	echo($k . "-" . $v . "\n");
}

Essentially, this second method just takes the key and the value and assigns them on each iteration of the loop, rather than having to go through each index in two separate arrays. Hope this is useful to someone (it was to me) :)

Oct 28

Anyone who wants to SEO optimize their website or blog knows that they need to redirect all users to the same place so that search engines don't come up with duplicate information. It's very easy to do with .htaccess files, but if you aren't able to make those, you can also do it with PHP.

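$site = "mysite.com";
// Must run before any output is sent.
if(strpos($_SERVER['HTTP_HOST'], "www.") !== 0){
	// 301 marks the redirect as permanent; exit stops the rest of the page from running.
	header("Location: http://www." . $site . $_SERVER['REQUEST_URI'], true, 301);
	exit;
}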

Just change the $site variable, put it in the header of your site, and you're done :)

Oct 20

Everyone's seen the following in almost every SQL injection tutorial on the planet:

UNION ALL SELECT 0,0,0,0,0 FROM users

This is the standard method of SQL injection: slide in a UNION statement to join two SELECT statements together and thus get the data you're looking for. This is fun, but it often produces ugly and hard to interpret results.
