details about hash

8/3/2019 Details About Hash

1/45

Code 9: get a portion of the imageQuite similar to code 8, but with a different result

1234567891011121314

1516171819

How To Apply Special Effects To Your Images Using

PHP

In Category: Programming, Scripting, PHP, Web Development, Web Languages &Standards, PHP,

Written By: hightilidie on March 29, 2011 @ 6:51:04 AM

Article Grade Average:

Article Views: 51509

Share & Bookmark| | Articles RSS Feed | Email | Print | Grade Article

To send a link of this page to a friend just put their email address and your email

address into the form below.

Your Email Address:

Friends Email Address:
http://www.phptutorial.info/index.php?imagecreatefrompnghttp://www.phptutorial.info/index.php?imagecreatehttp://www.phptutorial.info/index.php?imagecolorallocatehttp://www.phptutorial.info/index.php?imagecopyresizedhttp://www.phptutorial.info/index.php?imagepnghttp://www.phptutorial.info/index.php?imagedestroyhttp://www.phptutorial.info/index.php?printhttp://www.pubpixel.com/categories/computers-and-programming/programminghttp://www.pubpixel.com/categories/computers-and-programming/programminghttp://www.pubpixel.com/categories/computers-and-programming/programming/languages/scriptinghttp://www.pubpixel.com/categories/computers-and-programming/programming/languages/scriptinghttp://www.pubpixel.com/categories/computers-and-programming/programming/languages/scripting/phphttp://www.pubpixel.com/categories/computers-and-programming/programming/languages/scripting/phphttp://www.pubpixel.com/categories/computers-and-programming/web-developmenthttp://www.pubpixel.com/categories/computers-and-programming/web-development/web-languages-and-standardshttp://www.pubpixel.com/categories/computers-and-programming/web-development/web-languages-and-standardshttp://www.pubpixel.com/categories/computers-and-programming/web-development/web-languages-and-standards/phphttp://www.pubpixel.com/profile/2http://www.addthis.com/bookmark.php?v=250&username=pubpixelhttp://www.addthis.com/bookmark.php?v=250&username=pubpixelhttp://www.pubpixel.com/feeds/articles/rss/12http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/css-printhttp://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23http://www.phptutorial.info/index.php?imagecreatefrompnghttp://www.phptutorial.info/index.php?imagecreatehttp://www.phptutorial.info/index.php?imagecolorallocatehttp://www.phptutorial.info/index.php?imagecopyresizedhttp://www.phptutorial.info/index.php?imagepnghttp://www.phptutorial.info/index.php?imagedestroyhttp://www.phptutorial.info/index.php?printhttp://www.pubpixel.com/categories/computers-and-programming/programminghttp://www.pubpixel.com/categories/computers-and-programming/programming/languages/scriptinghttp://www.pubpixel.com/categories/computers-and-programming/programming/languages/scripting/phphttp://www.pubpixel.com/categories/computers-and-programming/web-developmenthttp://www.pubpixel.com/categories/computers-and-programming/web-development/web-languages-and-standardshttp://www.pubpixel.com/categories/computers-and-programming/web-development/web-languages-and-standardshttp://www.pubpixel.com/categories/computers-and-programming/web-development/web-languages-and-standards/phphttp://www.pubpixel.com/profile/2http://www.addthis.com/bookmark.php?v=250&username=pubpixelhttp://www.pubpixel.com/feeds/articles/rss/12http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/css-printhttp://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23


2/45

Optional Message:

Send Message Cancel

Grade

Meaning

o 1o 2

o 3

o 4

o 5

o 6

o 7

o 8

o 9

o 10

o 11

o 12o 13

o 14

o 15

Grade meanings chart.

Grade Chart

Grade

Meaning

Points

A+

Exceptional
http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://void%280%29/http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23


3/45

15

A

Excellent

14

A-

Outstanding

13

B+

Praiseworthy

12

B

Notable

11

B-

Great

10

C+

Better

9

C

Very Good

8

C-


4/45

Good

7

D+

Acceptable

6

D

Fair

5

D-

Passable

4

F+

Inadequate

3

F

Poor

2

F-

Very Poor

1

Text Size | Bold Text

Undo Bold Text:N Bold Text: B

Default Text Size:N Decrease Text Size:Increase Text Size: +
http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/w-0http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/w-0http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/w-1http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/nsize-100http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/msize-100http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/msize-100http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/msize-100http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/isize-100http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php#%23http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/w-0http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/w-1http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/nsize-100http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/msize-100http://www.pubpixel.com/article/12/how-to-apply-special-effects-to-your-images-using-php/isize-100


5/45

Now in-order to apply special effects to an image or in other words a filter to an imageusing PHP you will need to use PHP's imagefilter() function, which was introduced to usin PHP 5. You should also take note that the imagefilter() function is only available ifPHP is compiled with the bundled version of the GD library. The GD library is basicallyused for dynamic image creation. The GD library is an open source code library for the

dynamic creation of images by programmers. The Letters GD originally stood for "GIFDraw". But, since Unisys revoked the royalty-free license, it has informally stood for"Graphics Draw", alright that's enough info about the GD library.

The imagefilter() function applies a given filter type to an image. When the imagefilter()function successfully applies a filter to an image it will return TRUE on success orFALSE on failure. You won't be able to see anything unless you echo the result of theimagefilter() function, at which point the boolean value will be converted to a string, andthen will read true or false. The imagefilter() function has six parameters each of whichthat do very different things.

Now let me list and explain the imagefilter() functions six parameters below:

imageThe image parameter states an image resource, that is returned by one of theimage creation functions, such as the imagecreatefromgif(),imagecreatetruecolor() or the imagecreatefromjpeg() to name a few.

Here is how to code the image parameter for the imagefilter() function below.

filtertypeThe filtertype parameter can be one of twelve filter type values also known asconstants. The filtertype parameters values are all in uppercase and are case-sensitive by default. You should also be aware that some filtertype parametervalues may also need additional parameters which will very for each filtertype


6/45

parameter value. If this sounds confusing it will all make sense by the end of thistutorial.

The first filtertype parameter value is the IMG_FILTER_NEGATE whichreverses all the colors in the image. Also known as a negative image, which

means the red areas in the image appear cyan, green areas in the image appearmagenta and the blue areas appear yellow.

The second filtertype parameter value is the IMG_FILTER_GRAYSCALEwhich will convert the image into grayscale. Which basically means that theimages colors are made up of only shades of gray.

The third value for the filtertype parameter is theIMG_FILTER_BRIGHTNESS which will change the brightness of the image.You will also need to include a third parameter to set the level of brightness,which can range from any number between -255 and 255. The numbers representhow much you want to brighten or darken the image. The number 255 will set theimage to full white, which is the brightest value possible, and the number -255will set the image to full black, which is the darkest value possible, and if youchoose to set the parameters value to the number 0 the image will be unchanged. Iwill show you how to add the third parameter later on this tutorial.

The fourth filtertype parameter value is the IMG_FILTER_CONTRAST whichwill change the contrast of the image. You will also need to include a thirdparameter that can have a number value that can range from any number between-255 and 255, which will adjust the contrast level of the image. When using

positive number values for the third parameter, will bring the images colors closertogether by mixing them with the color gray, you should take note that yourimage will be fully gray at about 100. And when using lower number values forthe third parameter, will increase the contrast of the image, essentially reducingthe number of colors so that they are more separate and obvious to the eye. And ifyou choose to set the parameters value to the number 0 the image will beunchanged. I will show you how to add the third parameter later on this tutorial.

Now the fifth value for the filtertype parameter is theIMG_FILTER_COLORIZE which will add or subtract the RGB colors red,green or blue from every pixel of the image. You will need to include three

additional parameters that can have a number value that can range from anynumber between -255 and 255. The first parameters value controls the color red,for example, setting the first parameters value to 255 will add the color red toevery pixel. The second parameter controls the color green, if you set the secondparameter value to 255 every pixel will have the color green added to it. And thethird parameters value controls the color blue, for instance, if you set the thirdparameters value to -255 it will take all the blue out of all the pixels in the image.


7/45

When using the IMG_FILTER_COLORIZE all the three additional parametersare needed, for instance if you just want to control the second parameter for thecolor green and don't want to change the other colors parameter values all youhave to do is give the first and third parameters the number 0 to leave the imagesred and blue colors unchanged.

An Important thing to remember is that the IMG_FILTER_COLORIZE alsohas a fourth parameter that you can use if you want to control the alpha channel. Iwill explain this parameter in more detail later on in this tutorial.

The sixth value for the filtertype parameter is theIMG_FILTER_EDGEDETECT which uses edge detection to highlight theedges in the image and set the other areas to gray.

The seventh value for the filtertype parameter is the IMG_FILTER_EMBOSSwhich embosses the image and sets the other areas to gray.

The eighth value for the filtertype parameter is theIMG_FILTER_GAUSSIAN_BLURwhich blurs the image using the Gaussianblur method.

Now the ninth value for the filtertype parameter is theIMG_FILTER_SELECTIVE_BLURwhich is a generic blur function that blursthe image.

The tenth value for the filtertype parameter is theIMG_FILTER_MEAN_REMOVAL which uses the mean removal to achieve a"sketchy" like effect.

The eleventh value for the filtertype parameter is the IMG_FILTER_SMOOTHwhich will make the image smoother. You will need to include one additionalparameter that really doesn't specify how much the image should be smoothed,but instead it indicates how much weighting is needed for an image manipulationmatrix. So in other words the parameters value applies the weight to the centerpixel of the image. Another way of putting it is that theIMG_FILTER_SMOOTH basically applies a 9-cell convolution matrix where

the center pixel out of the 9 pixels has the weight specified by the additionalparameter. The additional parameter can have a value that can be any positive(13) or negative (-13) number, you may even use float numbers (13.2).

In practice when the additional parameters value is set between -6 to -8 you willget some interesting effects. When the value is set at 10 the image is aboutnormal, but the result will not be that visible, this is because the original pixelvalues have more weight than the total combined sum of its neighboring pixels.


8/45

It's suggested that the additional parameters value should not be outside the rangeof -8 to 8, because the result will not be completely visible.

Now the twelfth value for the filtertype parameter is theIMG_FILTER_PIXELATE which was added to PHP in version 5.3.0. The

IMG_FILTER_PIXELATE value applies a pixelation effect to the image. Youwill need to include two additional parameters as well. The first parameters valuecan be any positive number, which will state the block size in pixels. And thesecond parameter doesn't have to be included but if included the value can be anyboolean value you choose, for example, true or false or 0 for false or 1 for true,which sets the pixelation effect mode. The default value for the second parametereven when the parameter is not included is false.

Now here is how to code the filtertype parameter using theIMG_FILTER_EDGEDETECT value for the imagefilter() function below.

arg1The arg1 parameter is short for argument1 and it can be used with the followingfiltertype parameter values which are IMG_FILTER_BRIGHTNESS,IMG_FILTER_CONTRAST, IMG_FILTER_COLORIZE,IMG_FILTER_SMOOTH and IMG_FILTER_PIXELATE. I will explainhow to use the arg1 parameter with each of the allowed filtertype parametervalues below.

When the arg1 parameter is used with the filtertype parameter valueIMG_FILTER_BRIGHTNESS. The arg1 parameters value will set the level ofbrightness of the image. The arg1 parameters value can be any number between-255 and 255, the number 255 will set the image to full white, and the negativenumber -255 will set the image to full black. The number 0 will leave the imageunchanged.


9/45

Now when the arg1 parameter is used with the filtertype parameter valueIMG_FILTER_CONTRAST. The arg1 parameters value will adjust the contrastlevel of the image. The arg1 parameters value can be any number between -255and 255, positive number values for the arg1 parameter will bring the imagescolors closer together, and lower number values for the arg1 parameter will

increase the contrast of the image, which reduces the number of colors so thatthey are more separate and obvious to the eye. The number 0 will leave the imageunchanged.

Now when the arg1 parameter is used with the filtertype parameter valueIMG_FILTER_COLORIZE. The arg1 parameters value will control the colorred in the image. The arg1 parameters value can be any number between -255 and255, positive number values will increase the amount of the color red in the imageand negative number values will decrease the amount of red in the image. Thenumber 0 will leave the image unchanged.

When the arg1 parameter is used with the filtertype parameter valueIMG_FILTER_SMOOTH. The arg1 parameters value really won't actuallyspecify how much the image should be smoothed, but instead will indicate howmuch weighting is needed for an image manipulation matrix. The arg1 parametercan have a value that can be any positive (13) or negative (-13) number, you mayeven use float numbers (13.2) as well. When the arg1 parameter has a valuebetween -6 to -8 you will get some interesting effects applied to your image. It'sbeen suggested that the arg1 parameters value should not be outside the range of-8 to 8, because the result will not be completely visible. The image is aboutnormal at 10, because the original pixel values have more weight than the totalcombined sum of its neighboring pixels.

When the arg1 parameter is used with the filtertype parameter valueIMG_FILTER_PIXELATE. The arg1 parameters value can be any positivenumber, which will state the block size in pixels.

Here is how to code the arg1 parameter for the filtertype parameter valueIMG_FILTER_CONTRAST for the imagefilter() function below.


10/45

?>

arg2The arg2 parameter is short for argument2 and it can be used with the followingfiltertype parameter values IMG_FILTER_COLORIZE andIMG_FILTER_PIXELATE. I will explain how to use the arg2 parameter witheach of the allowed filtertype parameter values below.

Now when the arg2 parameter is used with the filtertype parameter valueIMG_FILTER_COLORIZE, the arg2 parameters value will control the colorgreen in the image. The arg2 parameters value can be any number between -255and 255, positive number values will increase the amount of the color green in the

image and negative number values will decrease the amount of green in theimage. The number 0 will leave the image unchanged.

When the arg2 parameter is used with the filtertype parameter valueIMG_FILTER_PIXELATE, the arg2 parameters value can be any booleanvalue you choose which can be true, false or 0 for false and 1 for true, which setsthe pixelation effect mode. You should be aware that the arg2 parameter doesn'thave to be included. The default value for the arg2 parameter even when the arg2parameter is not included is false.

Here is how to code the arg2 parameter for the filtertype parameter valueIMG_FILTER_PIXELATE for the imagefilter() function below.

arg3


11/45

Now the arg3 parameter is short for argument3 and it can be used with thefollowing filtertype parameter value IMG_FILTER_COLORIZE.

Now when the arg3 parameter is used with the filtertype parameter valueIMG_FILTER_COLORIZE, the arg3 parameters value will control the color

blue in the image. The arg3 parameters value can be any number between -255and 255, positive number values will increase the amount of the color blue in theimage and negative number values will decrease the amount of blue in the image.The number 0 will leave the image unchanged.

Here is how to code the arg3 parameter for the filtertype parameter valueIMG_FILTER_COLORIZE for the imagefilter() function below.

arg4And the last parameter is the arg4 parameter which is short for argument4 and itcan be used with the following filtertype parameter valueIMG_FILTER_COLORIZE.

Now when the arg4 parameter is used with the filtertype parameter valueIMG_FILTER_COLORIZE, the arg4 parameters value will control the alphachannel. So basically the alpha channel controls the transparency of all the otherchannels, which are the RGB values specified in the arg1, arg2 and arg3parameters. By adding the alpha channel to the image by including the arg4

parameter you control the transparency of the red channel, green channel and theblue channel. The arg4 parameter can have any number value from 0 to 127. Thevalue 0 will indicate completely opaque while the value 127 indicates completelytransparent.

Here is how to code the arg4 parameter for the filtertype parameter valueIMG_FILTER_COLORIZE for the imagefilter() function below.


12/45

Now that you know more about the imagefilter() function and its parameters let me showyou how to code each filtertype parameter value as well as show you how each filtertype

parameter value affects your images.

Now here is how to code the filtertype parameter using the IMG_FILTER_NEGATEvalue for the imagefilter() function below.

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_NEGATE for theimagefilter() function.


13/45

Now here is how to code the filtertype parameter using theIMG_FILTER_GRAYSCALE value for the imagefilter() function below.


14/45

?>

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHP

generated using the filtertype parameter value IMG_FILTER_GRAYSCALE for theimagefilter() function.

Now here is how to code the filtertype parameter using theIMG_FILTER_BRIGHTNESS value for the imagefilter() function below.


15/45

$image = imagecreatefromjpeg('sun.jpg');

imagefilter($image, IMG_FILTER_BRIGHTNESS, 120);

imagejpeg($image, 'brightness-sun.jpg');

imagedestroy($image);

echo '';

?>

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_BRIGHTNESS for theimagefilter() function.


16/45

Now here is how to code the filtertype parameter using theIMG_FILTER_CONTRAST value for the imagefilter() function below.


17/45

echo '';

?>

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_CONTRAST for theimagefilter() function.

Now here is how to code the filtertype parameter using the IMG_FILTER_COLORIZEvalue for the imagefilter() function below.


18/45

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_COLORIZE for theimagefilter() function.


19/45

Now here is how to code the filtertype parameter using theIMG_FILTER_EDGEDETECT value for the imagefilter() function below.


20/45

echo '';

?>

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_EDGEDETECT for theimagefilter() function.

Now here is how to code the filtertype parameter using the IMG_FILTER_EMBOSSvalue for the imagefilter() function below.


21/45

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_EMBOSS for theimagefilter() function.


22/45

Now here is how to code the filtertype parameter using theIMG_FILTER_GAUSSIAN_BLURvalue for the imagefilter() function below.


23/45

echo '';

?>

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_GAUSSIAN_BLURforthe imagefilter() function.

Now here is how to code the filtertype parameter using theIMG_FILTER_SELECTIVE_BLURvalue for the imagefilter() function below.


24/45

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_SELECTIVE_BLURforthe imagefilter() function.


25/45

Now here is how to code the filtertype parameter using theIMG_FILTER_MEAN_REMOVAL value for the imagefilter() function below.


26/45

echo '';

?>

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_MEAN_REMOVAL forthe imagefilter() function.

Now here is how to code the filtertype parameter using the IMG_FILTER_SMOOTHvalue for the imagefilter() function below.


27/45

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_SMOOTH for theimagefilter() function.


28/45

Now here is how to code the filtertype parameter using the IMG_FILTER_PIXELATEvalue for the imagefilter() function below.


29/45

echo '';

?>

The above code will display the following image below on the right, the image on the leftis the original image for you to compare with the filtered image on the right that PHPgenerated using the filtertype parameter value IMG_FILTER_PIXELATE for theimagefilter() function.

If you need more information about the imagefilter() function check out the PHP manualat http://www.php.net/manual/en/function.imagefilter.php
http://www.php.net/manual/en/function.imagefilter.phphttp://www.php.net/manual/en/function.imagefilter.php


30/45

Hiding PHP

In general, security by obscurity is one of the weakest forms of security. But in somecases, every little bit of extra security is desirable.

A few simple techniques can help to hide PHP, possibly slowing down an attacker who isattempting to discover weaknesses in your system. By setting expose_php to offin yourphp.ini file, you reduce the amount of information available to them.

Another tactic is to configure web servers such as apache to parse different filetypesthrough PHP, either with an .htaccess directive, or in the apache configuration file itself.You can then use misleading file extensions:

Example #3 Hiding PHP as another language

# Make PHP code look like other code types

AddType application/x-httpd-php .asp .py .plOr obscure it completely:

Example #4 Using unknown types for PHP extensions

# Make PHP code look like unknown typesAddType application/x-httpd-php .bop .foo .133t

Or hide it as HTML code, which has a slight performance hit because all HTML will beparsed through the PHP engine:

Example #5 Using HTML types for PHP extensions

# Make all PHP code look like HTMLAddType application/x-httpd-php .htm .html

For this to work effectively, you must rename your PHP files with the above extensions.While it is a form of security through obscurity, it's a minor preventative measure withfew drawbacks.

PHP Secure Login Tips And TricksPosted on October 6 by Clay

7diggsdigg

Every website on the internet faces a similar threat, hackers. Every single website can bea target of a hacker if security measures arent implemented properly especially when itcomes to login pages where our most sensitive data are being held. Hence, there is a needto better understand how well your login page has been implemented to be considered asreally secure. In this article, you will get a list of PHP secure login tips and tricks that willdefinitely help you decide on your secure rating of your login page.
http://hungred.com/useful-information/php-secure-login-tips-and-tricks/http://hungred.com/author/Clay/http://hungred.com/useful-information/php-secure-login-tips-and-tricks/http://hungred.com/author/Clay/


31/45

Length Of your username and password

Both your username and password should be at least 6-8 characters long. A longercombination of username or password will make brute force attack or any other passwordcracking algorithm longer to crack. This can really help your network administrator to

detect an attack before the attack penetrates through your login page.

Encrypt your password

We all know that encryption is necessary in term of any password. But i would still liketo stress such importance. We are very dependent on encryption algorithms such as MD5or SHA-1. However, these two algorithms are no longer that secure as compared to theolder days. On Wednesday, February 16, 2005SHA-1 has been broken by three chinaresearchers. Although it is more towards collision attack rather than pre-image one wecan assure one thing is that SHA-1 can be broken. You can read more about it on Bruce

Schneierarticle. On the other hand, you can find MANY MD5 cracker online nowadaysthrough Google. eg. md5crack.com. But similarly they are all collision attacks. Wikiexplains MD5 vulnerability in a way you will be discouraged from using it. It is time toencrypt your users password using SHA-2 such as sha256, sha384, sha512 or better. Ifyou are using PHP 5.12 or above, there is a new function, hash that supports SHA-2.

$phrase = 'This is my password';$sha1a = base64_encode(sha1($phrase));$sha1b = hash(sha1,$phrase);$sha256= hash(sha256,$phrase);$sha384= hash(sha384,$phrase);$sha512= hash(sha512,$phrase);

For people who are using PHP 5.12 and below, you can try to use mhashwhich is anopen source class for PHP.

$phrase = 'This is my password';$sha1a = base64_encode(sha1($phrase));$sha1b = base64_encode(bin2hex(mhash(MHASH_SHA1,$phrase)));$sha256= base64_encode(bin2hex(mhash(MHASH_SHA256,$phrase)));$sha384= base64_encode(bin2hex(mhash(MHASH_SHA384,$phrase)));$sha512= base64_encode(bin2hex(mhash(MHASH_SHA512,$phrase)));

SHA-2 should be used to secure your future application. Although MD5 and SHA-1 canstill be used for authentication purposes with a very secure password combination. eg.(eQ@xC#Eif2dsa!e2cX2?}23{D@.

NOTE**: NEVER DOUBLE HASH!

Double hashing is *worse* security than a regular hash. What youre actually doing istaking some input $passwd, converting it to a string of exactly 32 characters containingonly the characters [0-9][A-F], and then hashing *that*. You have just *greatly*
http://en.wikinews.org/wiki/Chinese_researchers_crack_major_U.S._government_algorithm_used_in_digital_signatureshttp://en.wikinews.org/wiki/Chinese_researchers_crack_major_U.S._government_algorithm_used_in_digital_signatureshttp://en.wikinews.org/wiki/Chinese_researchers_crack_major_U.S._government_algorithm_used_in_digital_signatureshttp://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.htmlhttp://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.htmlhttp://md5crack.com/http://en.wikipedia.org/wiki/MD5#Vulnerabilityhttp://mhash.sourceforge.net/http://mhash.sourceforge.net/http://en.wikinews.org/wiki/Chinese_researchers_crack_major_U.S._government_algorithm_used_in_digital_signatureshttp://en.wikinews.org/wiki/Chinese_researchers_crack_major_U.S._government_algorithm_used_in_digital_signatureshttp://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.htmlhttp://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.htmlhttp://md5crack.com/http://en.wikipedia.org/wiki/MD5#Vulnerabilityhttp://mhash.sourceforge.net/


32/45

increased the odds of a hash collision (ie. the odds that I can guess a phrase that will hashto the same value as your password).

sha1(md5($pass)) makes even less sense, since youre feeding in 128-bits of informationto generate a 256-bit hash, so 50% of the resulting data is redundant. You have not

increased security at all.

Credit goes to Ghogilee

****updated on 8 Oct 09

On the note of Ghogilee, i found a few errors which i would like to point out. Doublehashing here is referring to two different hash function. It does reduce the search spacebut doesnt *greatly* increased the odds of a hash collision. On the other hand, SHA-1should be a 160-bit hash not 256-bit and not only does this doesnt increased the securitybut also weaken the hash function as the hacker will only required to crack the weaker

hash function in this case md5.

You may want to visit Better Hashing Password in PHPfor more information. If youwish to understand the risk and stuff you can do with hash function, please visit EnhanceSecurity Hash Function For Web Development. Here i document the most detail hashfunction i could for your information.

Enhance Hash With Salt

Once you have decide your secure password encryption algorithm, the last thing youmight want is to have different user having the same encryption algorithm hash code.

This can bring another problem of more than one account being compromised at the sametime when there are multiple same hash and short password can easily be cracked withease when your database and tables have been known. We can generate a salt in order toovercome this problem so that the string is longer and more random (providing that thesalt + password are random enough).

define('SALT_LENGTH', 15);function HashMe($phrase, &$salt = null){$key = '!@#$%^&*()_+=-{}][;";/?.,';

if ($salt == ''){

$salt = substr(hash('sha512',uniqid(rand(), true).$key.microtime()), 0, SALT_LENGTH);

}else{

$salt = substr($salt, 0, SALT_LENGTH);}return hash('sha512',$salt . $key . $phrase).$salt;

}
http://hungred.com/useful-information/php-better-hashing-password/http://hungred.com/useful-information/php-better-hashing-password/http://hungred.com/useful-information/enhance-security-hash-function-web-development/http://hungred.com/useful-information/enhance-security-hash-function-web-development/http://hungred.com/useful-information/enhance-security-hash-function-web-development/http://hungred.com/useful-information/php-better-hashing-password/http://hungred.com/useful-information/enhance-security-hash-function-web-development/http://hungred.com/useful-information/enhance-security-hash-function-web-development/


33/45

The above function contains two parameters. The first will take in a phrase and generate aSHA-2 salt if the second parameter is placed with an empty variable. However, if bothparameters contain values, it will be used when you wish to compare between twohashes. We can use the above method this way,

$username = cleanMe($_POST('username'));$password = cleanMe($_POST('password'));$salt = '';$hashed_password = HashMe($password, $salt);$sqlquery = 'INSERT INTO ùsertable` ("username", "password", "salt")VALUES ("'.$username.'", "'.$hashed_password .'", "'.$salt.'")WHERE 1';..

The above will insert the information into the table when user is being created. We willcheck the user with the following salt.

$username = cleanMe($_POST('username'));

$password = cleanMe($_POST('password'));$salt = '';$sqlquery = 'SELECT `salt`, `password` FROM ùsertable` WHEREùsername` = "'.$username.'" limit 1';..#we get the data here and placed into variable $row$salt = $row['salt'];$hashed_password = HashMe($password, $salt);if($hashed_password == $row['password']){#verified}else{#ACCESS DENIAL}..

The objective of salt is to lengthen the password in the table and also create a totallyrandom hash code for each password. Hence, even if your table is being compromised, itwill really take a lot of time for them to crack those hashed password. (We are assuminglogin page already implemented protection against multiple false log in)

Do not use easy guess username for administrators

It is always wise to use a slightly more challenging username for any administrators on

your system. Username like admin, root or super will surely be the one on thehacker list to determine any administrator username. Be smart! Use something morechallenging such as iamtheking as a username instead (if your login system is caseinsensitive).

Log user login attempt


34/45

It is actually wise to log every important event in a system. Definitely, login page is oneof them. We can determine whether any attempt of attack on our system is being carryout with a proper logging system. The log file or table can be very useful to track backwhat had gone wrong during a specific time frame when an attack occurs to determinewhether an attack was launched to determine whether the login page was compromised.

Handle Error

It is important to prevent any error from being displayed to malicious users. Theseinformation is very useful for them to determine how to break into your system. Hence,they will try any type of value in order to break your PHP functions. Therefore, anampersat symbol (@) should be placed in front of any function to prevent an error fromoccuring. On the other hand, you can use the function mention on Solutions to SQLInjection Attackwhich uses die to generate a better SQL error message that can be bothprofessional and at the same time log your errors. The function is shown below,

function sql_failure_handler($query, $error) {$msg = htmlspecialchars('Failed Query: {$query}
SQL Error:

{$error}');error_log($msg, 3, '/home/site/logs/sql_error_log');if (defined(debug)) {

return $msg;}return 'An error occurs, please try again later.';

}#query=test;DELETE FOM breakplease;$query = 'SELECT * FROM user WHERE name ='.base64_decode($_GET['query']);mysql_query('$query) or die(sql_failure_handler($query, mysql_error()));

Always filter user input

Remember on the articles Solutions to SQL Injection Attackand Solutions to Cross-SiteScripting (XSS) Attackwhich mention that filtering user input is very important ashackers will use any way to break your login system. The rule is to never TRUST youruser input until every last verification gets through. You can use the following function inPHP for your filter assistance,

htmlentities()strip_tags ()

utf8_decode ()htmlspecialchars()ctype_digit()ctype_alnum()stripslashes()str_replace()

Be Innovative Not Informative
http://hungred.com/useful-information/solutions-sql-injection-attack/http://hungred.com/useful-information/solutions-sql-injection-attack/http://hungred.com/useful-information/solutions-sql-injection-attack/http://hungred.com/web-development/solutions-crosssite-scripting-xss-attack/http://hungred.com/web-development/solutions-crosssite-scripting-xss-attack/http://hungred.com/useful-information/solutions-sql-injection-attack/http://hungred.com/useful-information/solutions-sql-injection-attack/http://hungred.com/useful-information/solutions-sql-injection-attack/http://hungred.com/web-development/solutions-crosssite-scripting-xss-attack/http://hungred.com/web-development/solutions-crosssite-scripting-xss-attack/


35/45

We must be innovative on the message we present to our users whenever an error or loginfail occurs. Message such as invalid password or invalid username is bad practicesthat gives information to malicious user what they went wrong. Instead, providessomething like Login Fail. Please try again will be a much more appropriate approach.

USE LIMIT or WHERE 1

In SQL query, for any login attempt, always place a LIMIT 1 at the end of your SQLstatement. If there is a chance where a successful SQL injection is performed, only oneaccount is being compromised instead of all. On the other hand, using WHERE 1 canhelp prevent any additional SQL query from placing at the front of your where clause.

Check HTTP Referrer

The basic of every security check is to ensure that the HTTP referrer came from the form

on your site. If the HTTP referrer is suspicious, reject the request immediately. Although,HTTP Referrer can be easily spoofed with JavaScript it is always good to have any formof protection on a login page. However, some firewalls or proxies strip this informationout which will caused many of your users to be unable to login successfully. Hence, youmight want to consider whether to implement such checking for your login system.

Nonce authentication

Another better way of authenticating than checking the HTTP Referrer is to useacryptographic nonce. A nonce is a number used once, and it is used for intentionverification purposes. Think of it as a password for THAT particular form and only can

be used once. It really depends on how you implement your Nonce between the client andserver.

Use maxlength

It is definitely a great idea to only allow a maximum length of characters user can placedon an input box. This is like a restriction placing in front of malicious user to provoketheir creativity in order to penetrate your system. However, you might not like this ideatoo as it minimize the number of combination for hackers to crack your login page.Personally i will place such restriction as my login page will never allow more than

certain fail login.

$_POST ONLY

When dealing with any form data. The only answer is using $_POST. NO $_REQUESTor $_GET should be use as you are just making life easier for hacker and weaken yoursecurity. Although $_POST can still be used by hacker but it makes the job troublesome.
http://en.wikipedia.org/wiki/Cryptographic_noncehttp://en.wikipedia.org/wiki/Cryptographic_nonce


36/45

Sub String Not Trim

In a login page, it is best to secure ourselves. Hence, if a user made an error on theirusername or password, the system should not correct for them. If a user enters ausername with leading or trailing space we are not going to trim it nicely for them before

we check. On the other hand, we will sub string it out so that we are checking themaximum length that is being enforce on the text box.

MYSQL Accounts

It is important for any secure website to be cautious on the access given to MYSQL useraccount on the specific action. For login purposes, the only thing that the user allows todo is to retrieve data from MYSQL table. Hence, other actions such as delete, update,alter etc. should not be given to the login page. If a successful SQL Injection waslaunched on the site. Imagine the user updating your user account password to the one

given. Our security measure will just kick us back to one. Hence, always be cautious onthe access given to MYSQL user account.

Utilize IP

Always ensure that IP address is used together with session key after a user has loggedinto your portal. This can prevent Session attacks and at the same time ensure that thesame person is viewing the content of your secure page. You can also use IP to bancertain users from trying to guess your login username or password upon certain tries.However, using IP may mean certain restrictions for certain companies or proxy usersfrom accessing your website. Nonetheless, this can be solved by detecting their

connection. You can use this script to detect whether they are behind proxy server

if ($_SERVER['HTTP_X_FORWARDED_FOR']

|| $_SERVER['HTTP_X_FORWARDED']|| $_SERVER['HTTP_FORWARDED_FOR']|| $_SERVER['HTTP_VIA']|| in_array($_SERVER['REMOTE_PORT'],

array(8080,80,6588,8000,3128,553,554))|| @fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 30))

{exit('Proxy detected');

}

The above code should allows you to detect even anonymous proxy server.

*****Update 7 Oct 2009

I forgot to mention here that the above script will only be necessary if an IP addresscannot be detected (Thanks Julius).
http://hungred.com/useful-information/solutions-session-attacks/http://hungred.com/useful-information/solutions-session-attacks/


37/45

Utilize Cookies

I forgot to mention this important thing to you guys. There is also a need to tie cookietogether with session and/or ip to prevent session hijack or cross-site request forgery(CSRF). The hacker might be able to hijack your session through different ways but

cookies will still remind on your user client browser.

Cookies can also used for auto logout module by setting the expiry date of the cookieafter 15 minutes and if the cookie doesnt exist, the user has been idle for 15 minutes. Onthe other hand, we can refresh this cookie every user activity. This is one of the manyways to implement auto logout functionality but this is not secure as the cookie can bestolen by hacker and prolong the duration of the cookie expiration time.

Lastly, we talk about locking user upon certain attempts but IP was difficult to be used.This can be solve by utilize cookie to set the number of tries performed by theuser/browser. Using cookie is definitely insecure way of keeping track of user attempts

but it also creates additional barriers for hackers to overcome. This should be usedtogether with account lock functionality to prevent such weakness in your defense (thismeans cookie count and account attempts count should not be link together).

Auto Logged Out Mechanism

I forgot this one but one of the readers did not. Implementing an auto logged outmechanism onto your login system can really help prevent CSRF attacks. Since we cantcontrol whether our user leave their account logged in while browsing or surfing the net,we can definitely cover their butt but having this mechanism up to prevent any CSRF or

Session attacks. Since both attacks require the user to be logged in.

*****Update End

Lock upon certain fail attempt

This is something that most secure web pages should looked upon. A very good way oflocking a user will be as follow,

1. n times fail attempt locked m minutes2. n fail attempt due to 1. locked further m+30 minutes

3. n fail attempt due to 2. locked for the whole day

An example will be as follows:

3 times fail attempt locked 10 minutes 3 fail attempt due to 3 times fail attempt locked 10 minutes subsequence locked

10+30 minutes 3 fail attempt due to the above will result in whole day lock


38/45

You can lock a user based on IP or accounts. It will be better to lock them based onaccounts IF proxy IP is unable to detect due to the fact that it is an anonymous proxy. IPshould be used otherwise. This will prevent the user from guessing the correct username.On the other hand, if a username was guessed correct the same process can be appliedand disabled the account by sending an email to the original author to reactive it. But the

same message should be used. (not informative information!) If you are worry ofblocking an entire proxy server or company employees, you can just go by account sincebreaking an account will required certain tries anyway.

SSL Encryption

No matter what you do on the above, without a secure line from the client to your servereverything will be meaningless when it comes to packet sniffer which is also known asman in the middle attack. Especially for attacks such as Session Hijack. Password can besend directly into a hacker computer without the need to use brute force. The abovementioned methods definitely can stop newbies but not those that know their stuff.

Without such encryption, getting your password wont be that difficult. Heres a videoshowing how easily it can be done without

SSLcryption.


39/45

Summary

Any kind of system can still be compromised but the time and effort to compromisedsuch system is another thing to be considered. The above mention methods are ways tomake life difficult for hackers so that they will give up on penetrating your system.

Hence, any little bit of security measure we can implement on our system is considered asa line of defense. There is never a bad thing by being paranoid in securing your websystem. A website is like a man on an open field ready to be shoot at anytime! Do yourwebsite a favor. Wear a helmet. (not condom)

Safe Password Hashing

This section explains the reasons behind using hashing functions to secure passwords, aswell as how to do so effectively.

1. Why should I hash passwords supplied by users of my application?2. Why are common hashing functions such as md5 and sha1 unsuitable for

passwords?3. How should I hash my passwords, if the common hash functions are not suitable?4. What is a salt?

Why should I hash passwords supplied by users of my application?

Password hashing is one of the most basic security considerations that must bemade when designing any application that accepts passwords from users. Withouthashing, any passwords that are stored in your application's database can be stolenif the database is compromised, and then immediately used to compromise notonly your application, but also the accounts of your users on other services, if theydo not use unique passwords.

By applying a hashing algorithm to your user's passwords before storing them inyour database, you make it implausible for any attacker to determine the originalpassword, while still being able to compare the resulting hash to the originalpassword in the future.

It is important to note, however, that hashing passwords only protects them frombeing compromised in your data store, but does not necessarily protect them frombeing intercepted by malicious code injected into your application itself.

Why are common hashing functions such as md5() and sha1() unsuitable for

passwords?

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be veryfast and efficient. With modern techniques and computer equipment, it has
http://www.phpriot.com/manual/php/faq.passwords#faq.passwords.hashing%23faq.passwords.hashinghttp://www.phpriot.com/manual/php/faq.passwords#faq.passwords.fasthash%23faq.passwords.fasthashhttp://www.phpriot.com/manual/php/faq.passwords#faq.passwords.fasthash%23faq.passwords.fasthashhttp://www.phpriot.com/manual/php/faq.passwords#faq.passwords.bestpractice%23faq.passwords.bestpracticehttp://www.phpriot.com/manual/php/faq.passwords#faq.passwords.salt%23faq.passwords.salthttp://www.phpriot.com/manual/php/function.md5http://www.phpriot.com/manual/php/function.sha1http://www.phpriot.com/manual/php/faq.passwords#faq.passwords.hashing%23faq.passwords.hashinghttp://www.phpriot.com/manual/php/faq.passwords#faq.passwords.fasthash%23faq.passwords.fasthashhttp://www.phpriot.com/manual/php/faq.passwords#faq.passwords.fasthash%23faq.passwords.fasthashhttp://www.phpriot.com/manual/php/faq.passwords#faq.passwords.bestpractice%23faq.passwords.bestpracticehttp://www.phpriot.com/manual/php/faq.passwords#faq.passwords.salt%23faq.passwords.salthttp://www.phpriot.com/manual/php/function.md5http://www.phpriot.com/manual/php/function.sha1


40/45

become trivial to "brute force" the output of these algorithms, in order todetermine the original input.

Because of how quickly a modern computer can "reverse" these hashingalgorithms, many security professionals strongly suggest against their use for

password hashing.

How should I hash my passwords, if the common hash functions are not suitable?

When hashing passwords, the two most important considerations are thecomputational expense, and the salt. The more computationally expensive thehashing algorithm, the longer it will take to brute force its output.

There are two functions that are bundled with PHP that can perform hashing usinga specified algorithm.

The first hashing function is crypt(), which natively supports several hashingalgorithms. When using this function, you are guaranteed that the algorithm youselect is available, as PHP contains native implementations of each supportedalgorithm, in case one or more are not supported by your system.

The second hashing function is hash(), which supports many more algorithms andvariants than crypt(), but does not support some algorithms thatcrypt()does. TheHash extension is bundled with PHP, but can be disabled during compile-time, soit is not guaranteed to be available, while crypt() is, being in the PHP core.

The suggested algorithm to use when hashing passwords is Blowfish, as it is

significantly more computationally expensive than MD5 or SHA1, while stillbeing scalable.

What is a salt?

A cryptographic salt is data which is applied during the hashing process in orderto eliminate the possibility of the output being looked up in a list of pre-calculatedpairs of hashes and their input, known as a rainbow table.

In more simple terms, a salt is a bit of additional data which makes your hashessignificantly more difficult to crack. There are a number of services online which

provide extensive lists of pre-computed hashes, as well as the original input forthose hashes. The use of a salt makes it implausible or impossible to find theresulting hash in one of these lists.

Overview

In this tutorial create 3 files1. main_login.php2. checklogin.php
http://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.hashhttp://www.phpriot.com/manual/php/function.hashhttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.hashhttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.crypthttp://www.phpriot.com/manual/php/function.crypt


41/45

3. login_success.php

Step1. Create table "members" in database "test".2. Create file main_login.php.

3. Create file checklogin.php.4. Create file login_success.php.5. Create file logout.php

If you don't know how to create databse, click here

Create table "members"

CREATE TABLE `members` (ìd` int(4) NOT NULL auto_increment,ùsername` varchar(65) NOT NULL default '',`password` varchar(65) NOT NULL default '',

PRIMARY KEY (ìd`)) TYPE=MyISAM AUTO_INCREMENT=2 ;

---- Dumping data for table `members`--

INSERT INTO `members` VALUES (1, 'john', '1234');

Create file main_login.php

View In Browser

############### Code
http://www.phpeasystep.com/mysqlview.php?id=2http://www.phpeasystep.com/mysqlview.php?id=2


42/45

Member Login Username:

Password:

Create file checklogin.php

############### Code


43/45

mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form$myusername=$_POST['myusername'];

$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)$myusername = stripslashes($myusername);$mypassword = stripslashes($mypassword);$myusername = mysql_real_escape_string($myusername);$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' andpassword='$mypassword'";$result=mysql_query($sql);

// Mysql_num_row is counting table row$count=mysql_num_rows($result);// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){// Register $myusername, $mypassword and redirect to file "login_success.php"session_register("myusername");session_register("mypassword");header("location:login_success.php");}

else {echo "Wrong Username or Password";}?>

Create file login_success.php

############### Code

// Check if session is not registered , redirect back to main page.// Put this code in first line of web page.
http://us.php.net/mysql_real_escape_stringhttp://us.php.net/mysql_real_escape_string


44/45

Login Successful

Logout.phpIf you want to logout, create this file

// Put this code in first line of web page.

For PHP5 User - checklogin.php

############### Code


45/45

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){// Register $myusername, $mypassword and redirect to file "login_success.php"

session_register("myusername");session_register("mypassword");header("location:login_success.php");}else {echo "Wrong Username or Password";}

ob_end_flush();?>

Encrypting Password - Make your Login More Secure

Read more about encrypting password here
http://www.phpeasystep.com/workshopview.php?id=26http://www.phpeasystep.com/workshopview.php?id=26http://www.phpeasystep.com/workshopview.php?id=26

details about hash

Documents