Quote:
trabis wrote:
Even if a pass is 32 characters you would know the difference.
If not, then let's say my pass is:
60d605-debf95b-04881-27935-8dbf-db7e1
How would you deal with it then?
Sorry, I'm not sure if I'm understanding it right.
Actually, trabis, there is no way of testing a hash to know that it is a hash. Say you had a routine that needed an MD5 string and the string test was something like this:
For example, with this URL you can only test it this way:
Quote:
/rankchange.php?token=60d605debf95b04881279358dbfdb7e1
if (strlen($_GET['token']) == 32) {
    beep();
}
Then in this example it wouldn't be possible to pass a UNION into $_GET['md5'], but not all programmers test the input. This means it introduces security issues into the URL so people can retrieve information with SQL injection.
It also means there is a way of identifying an MD5 checksum apart from the length. Imagine your password is something like
mypasswordisorwasownedtosomeguyisex
It is 32 chars, which means it would pass the same as:
60d605debf95b04881279358dbfdb7e1
Because there is normally no way to test for an MD5 or SHA1 hash; it has no inherent checksum. The Rainbow Stripe method is used in a lot of software, sometimes a space, sometimes a colon or a dash. It is the proper way of handling a hash.
See, now if you want to see if the URL contains a valid MD5 so there is no SQL injection etc., with the XoopsRainbow class a test of a passed URL is,
i.e.:
Quote:
/rankchange.php?token=60d605-debf95b-04881-27935-8dbf-db7e1
$rainbow = new XoopsRainbow();
if ($rainbow->IdentifyHash($_GET['token']) == 'md5') {
    beep();
}
Which means you have an affirmed check that it is the correct type of hash and no one is attempting to dummy rig the system.
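As an added example (not code from this post or from XOOPS), here is what the length-only check from the post accepts compared with a check on the character set, plus a prepared statement for the lookup; the `rank_tokens` table, its columns and the `$pdo` connection are assumed.

```php
<?php
// Added example (not from the post or from XOOPS): validate a token that must be an
// MD5 digest before it reaches SQL. The length-only check from the post accepts any
// 32-character string; checking the character set as well does not.

// The post's length-only test.
function looksLikeMd5ByLength(string $token): bool
{
    return strlen($token) === 32;
}

// Strict test: exactly 32 hexadecimal characters. Accepts the plain form and the
// dash-delimited "stripe" form from the post by removing the dashes first.
// Returns the normalised lowercase digest, or null when the token is not an MD5.
function normaliseMd5Token(string $token): ?string
{
    $hex = strtolower(str_replace('-', '', $token));
    return preg_match('/\A[0-9a-f]{32}\z/', $hex) === 1 ? $hex : null;
}

// Constructed sample inputs.
$samples = [
    '60d605debf95b04881279358dbfdb7e1',        // plain digest from the post
    '60d605-debf95b-04881-27935-8dbf-db7e1',   // striped form from the post
    'mypasswordisorwasownedtosomeguyisex',     // 32 chars, not a digest
    "' OR 1=1 -- padded out to 32char",        // 32 chars, contains a quote
];
foreach ($samples as $s) {
    printf("%-40s length-only:%s strict:%s\n", $s,
        looksLikeMd5ByLength($s) ? 'pass' : 'fail',
        normaliseMd5Token($s) === null ? 'fail' : 'pass');
}

// Even after validation, bind the value instead of concatenating it into SQL.
// $pdo is an assumed PDO connection; table and column names are hypothetical.
function rankChange(PDO $pdo, string $token): ?array
{
    $digest = normaliseMd5Token($token);
    if ($digest === null) {
        return null; // reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT uid FROM rank_tokens WHERE token = :token');
    $stmt->execute([':token' => $digest]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The striped form fails the length-only check (37 characters) but passes the strict one after normalisation, while the two non-digest strings pass on length alone and fail the strict check.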