4
Any major security risks? And please don't get angry over my novice log system.

<?php
// Builds a random salt of $lg characters from a fixed alphabet.
function makesalt($lg)
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-';
    $sz = strlen($chars);
    $str = '';
    for ($i = 0; $i < $lg; $i++) {
        $str .= $chars[rand(0, $sz - 1)];
    }
    return $str;
}

// Chains sha512 -> md5 -> sha256 over the input.
function duelsha($th)
{
    $tem = hash('sha512', $th);
    $tem2 = md5($tem);
    return hash('sha256', $tem2);
}

// Hashes $ht with a fresh 30-character salt and returns "hash|salt".
function shasalt($ht)
{
    $salt = makesalt(30);
    return duelsha($ht . $salt) . '|' . $salt;
}

// Escapes a value for use in a MySQL query string.
function mysqlsan($ss)
{
    if (get_magic_quotes_gpc()) {
        $ss = stripslashes($ss);
    }
    return mysql_real_escape_string($ss);
}

// Escapes a value for output as HTML.
function htent($st)
{
    return htmlentities($st);
}

// Applies both the SQL and the HTML escaping.
function sqlhtml($sm)
{
    return htent(mysqlsan($sm));
}

// Appends $tl to server.log ('a' instead of 'w', so earlier entries are not truncated).
function logs($tl)
{
    $fh = fopen("server.log", 'a') or die("File error");
    fwrite($fh, $tl) or die("File error");
    fclose($fh);
}
?>
Jamal
asked Feb 18, 2014 at 0:21

1 Answer

4

Your home-brewed security hashes and such are a big NO. Please check here and here for a good read regarding that. Also, please do not hash a hash; that can lead to collisions and should be avoided! Using a method such as password_hash() creates a salt for you, therefore you shouldn't have to make one on your own.

You're using mysql_real_escape_string() which is not the way to go. If possible, move away from that and onto mysqli or PDO.

And then your function htent() is sort of redundant. You don't have anything else in the function, so it shouldn't be needed.

answered Feb 18, 2014 at 1:48
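The two points the answer makes, password_hash() instead of the home-brewed salt-and-hash chain and PDO prepared statements instead of mysql_real_escape_string(), shown together in an added example. This is not the asker's or the answerer's code. It assumes a users table with username and pwhash columns and uses an in-memory SQLite database so that it runs offline; the table name, the column names and the sample credentials are constructed for the example.

```php
<?php
// Added example (not code from the question or the answer): replaces
// makesalt()/duelsha()/shasalt() with password_hash()/password_verify(),
// and replaces mysql_real_escape_string() with PDO prepared statements.
// Assumptions: a `users` table with `username` and `pwhash` columns; an
// in-memory SQLite database stands in for MySQL so the script runs offline.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pwhash TEXT NOT NULL)');
    return $db;
}

// Registration: password_hash() draws its own random salt and stores it,
// together with the algorithm and cost, inside the returned string, so no
// makesalt() is needed and nothing has to be appended with '|'.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Named placeholders send the values separately from the SQL text, so
    // quotes in the input are data, not query syntax, and no escaping is done by hand.
    $stmt = $db->prepare('INSERT INTO users (username, pwhash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login check: fetch the stored hash and let password_verify() do the comparison.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (!password_verify($password, $row['pwhash'])) {
        return false;
    }
    // Re-hash on successful login if PHP's default cost or algorithm has
    // changed since the hash was stored, so old hashes get upgraded over time.
    if (password_needs_rehash($row['pwhash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pwhash = :h WHERE username = :u');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// HTML escaping is kept separate from database handling and applied only
// at output time, which is what the original sqlhtml() was conflating.
function renderName(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample run: a username containing a quote is stored and
// looked up without any escaping code, and a wrong password is rejected.
$db = openDb();
registerUser($db, "o'brien", 'correct horse battery staple');
var_dump(checkLogin($db, "o'brien", 'correct horse battery staple'));
var_dump(checkLogin($db, "o'brien", 'wrong password'));
var_dump(checkLogin($db, "nobody' OR '1'='1", 'x'));
echo renderName("<b>o'brien</b>"), "\n";
```

The stored string from password_hash() already contains the salt, so the "hash|salt" layout and the separate salt column it implies go away; to move to MySQL, change only the DSN passed to the PDO constructor, since the prepared statements are the same.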