My server host had php version 5.2.17. I am using a random token and used openssl_random_pseudo_bytes in my function.
openssl_random_pseudo_bytes( $length);
Trying to run this code from Scott's answer.
It is running well on my localhost with higher php version.
Other than upgrading my server php version. What is an alternative function for openssl_random_pseudo_bytes?
Update: Using mt_rand, rand or uniqid, how can I generate secure unique tokens?
As of now, I am using this line of code:
$token = md5(uniqid(rand(), true));
$thetoken = $token.$user_id;
Thank you for any help!
I am using 5.6 but have also been looking for ways to create secure and unique tokens as I am unable to get the openssl_random_pseudo_bytes function to work. I have run across paragonie's random_compat at github which should allow you to use random_bytes() and random_int() (both only available with PHP7). They do say it should be able to be used with older 5.x versions of PHP in theory, though they do suggest updating to a current stable version of php. https://github.com/paragonie/random_compat
Here is a link to another stack overflow answer that suggests using random_bytes() as $token = bin2hex(random_bytes($length));
best practice to generate random token for forgot password
And also the link i found suggesting paragonie's random_compat
https://akrabat.com/random_bytes-in-php-5-6-and-5-5/
https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php
the Alternative way for openssl_random_pseudo_bytes(10) is something like this decbin(rand(0,1024)) in php 5.X
Related
I'm trying to use Argon2id in place of bcrypt to hash password. I'm using PHP 7.2.33 and Laravel 7.28. Can you please help me to enable argon2id.
currently, I just tried with the below code
return password_hash('password', PASSWORD_ARGON2ID);
Can you please help me. Thank you
https://www.php.net/manual/en/function.password-hash.php
PASSWORD_ARGON2I - Use the Argon2i hashing algorithm to create the
hash. This algorithm is only available if PHP has been compiled with
Argon2 support.
You have to compile php with Argon2 to be able to use it.
Here is a tutorial:
https://framework.zend.com/blog/2017-08-17-php72-argon2-hash-password.html
You use
return password_hash('password', PASSWORD_ARGON2I);
instead of
return password_hash('password', PASSWORD_ARGON2ID);
Because, PASSWORD_ARGON2ID constant is supported for PHP version >= 7.3.
In the case you want to use PASSWORD_ARGON2ID, you have to upgrade your PHP version.
Is it possible to encrypt a PHP code file without installing php.in extensions?
I have a script of 5 php file and I want to create a copy to give away with the code protected. So they can access the script from the front-end but the back-end (code) is encrypted. I have found alot of software that allow encryption of php be but they all require installation of php.in extensions.
Is there anything embedded into Php 5.5 that would work similar to MD5 password encryption?
Is there anything embedded into Php 5.5 that would work similar to MD5
password encryption?
Simple answer: No.
Every encoder I have seen (e.g. http://www.ioncube.com/) uses some kind of php extension so your code will need a special enviroment to be executable.
There are some so called obfuscators (e.g. http://www.gaijin.at/olsphpobfuscator.php is free) out there that will not encrypt your code but rename variables and functions/methods so that your code will become much harder to read.
One thing to keep in mind is that debugging errors of encrypted/obfuscated code usually is much harder, even for the developer.
No because MD5 is a one-way hash, you can't reverse the string. The reasons these extensions exist are so that the code can be encrypted and decrypted so that PHP can execute it.
You might want to look at a similar question here: Best solution to protect PHP code without encryption
I'm using PHPSecLib for SSH connection through PHP but I have this error :
Notice: No compatible server to client encryption algorithms found in C:\Program Files (x86)\EasyPHP-DevServer-14.1VC9\data\localweb\nodejs\includes\classes\net\Net\SSH2.php on line 1170
Why ?
Thanks
Quoting this post,
So phpseclib determines which symmetric key algorithms it can use by seeing which ones are includable. The following links demonstrate how this is done:
https://github.com/phpseclib/phpseclib/blob/efd3b96dc8e378a5155cb42f4869de85f4153135/phpseclib/Net/SSH2.php#L1110
https://github.com/phpseclib/phpseclib/blob/efd3b96dc8e378a5155cb42f4869de85f4153135/phpseclib/Net/SSH2.php#L3775
If you're using PHP 5.4 then it's essentially doing stream_resolve_include_path('Crypt/RC4.php'). If PHP doesn't think it's includable than it's hard to argue with that.
Could be your include_path that's not correctly set as well.
I have been reading up on password encrypting, hashing etc.
I saw this fantastic response https://stackoverflow.com/a/6337021/2823458 and have a couple of questions:
First: Do I need to have access to my web server root to install compatibility libraries? (I assume I do but only have access to PHP 5.3.12 through my host and want to use $password_hash to hash using bcrypt). Which brings me to:
Second: If I have to be root on web server (not happening!) then would I just include Andrew's bcrypt class ad refer to it using (to quote):
$bcrypt = new Bcrypt(15);
$hash = $bcrypt->hash('password');
$isGood = $bcrypt->verify('password', $hash);
Obviously using my password variable in place of 'password'?
Clearly I'm pretty new to developing PHP and trying to ask the right people the right questions, If I'm miles off please point me in the right direction!
bcrypt is not available for PHP 5.3.x. You need to use the library from ex. https://github.com/ircmaxell/password_compat
You don't need to install anything on the server and you don't need to have root access.
Just install the package and start using the library :)
You can either use https://getcomposer.org (Dependency Manager for PHP) or just download and include it in your project.
When you upgrade your server to php 5.5 you can use crypt out of the box, as it has been implemented as part of the language.
I just installed xampp, so i can test my website offline. Now i get numerous Undefined index or Undefined variable errors, which i know how to fix. Now logging in works online but with xampp it doesn't work. The code isn't wrong. I imported the database online to offline. I've pin pointed what is wrong but don't know how to solve it.
here is the code where i test if the login details are correct.
$Blowfish_Pre = '$2a$05$';
$Blowfish_End = '$';
$hashed_password = crypt($password, $Blowfish_Pre . $salt . $Blowfish_End);
//check to see if they match
if ($username==$dbusername&&$hashed_password==$dbpassword){
Offline the echoed $hashed_password for the account is $2a$05$CEDaiUETMOTuZ1tzSX1dW.1rmbYfiu1Hf6jnZyJ5DouQOIHEPwXiW
Online the echoed $hashed_password for the account is
$2J7rPSsTYb1Q
I've determined crypt is working differently online then it is offline? Why is this and how can i solve it?
crypt() uses different hash algorithm depending on what the system provides. Starting with PHP 5.3 it "contains its own implementation and will use that if the system lacks of support for one or more of the algorithms."
Your offline version does use blowfish as you can see at the start $2a$. Your online version does use some fallback.
See: http://php.net/manual/en/function.crypt.php
I am unable to comment..yet, so I place this answer in hope I can save some people some time.
I had the same question asked, and the chosen answer led me to the solution. But since it did not provide my ultimate solution, I thought I would share to save someone time.
My wamserver was PHP 5.38
my production server I found out was 5.2x
I simply asked them to upgrade me to the latest version, which was 5.4.22...and that solved the issue. The same code started kicking out 60 character hashes again.
So I would bet that if you have this same occurrence, upgrade the server acting up to the latest version of PHP or something over 5.3 and you should be good.