
Passing secure data with $_SESSION

bugboy
100+
P: 160
Hi everybody,

I need to pass a secure key around in a session variable and I'm having trouble finding a manual that gives me a clear idea as to what is happening with, and how to use sha1().

When the user logs in their static key is retrieved from the db and then this key is passed around in the session and is used in every query that the user makes on the db. Like so.

    -- Backticks quote identifiers; in single quotes, 'name' and 'key' would be string literals.
    SELECT * FROM `table` WHERE `name` = 'joe' AND `key` = sha1(numerickey);

I guess I just don't understand how sha1() works. Can anyone help explain it to me? Or give me a better idea as to how to filter db results with a secure 'key' that blocks results not belonging to the user.

Thanks in advance!
Dec 11 '07 #1


brettl
P: 41
You may not want to use a SHA hash for this. I guess it all depends on how sensitive the data you are trying to protect is.

Note

Exploits for the MD5 and SHA-1 algorithms have become known. You may wish to consider using one of the other encryption functions described in this section instead.
You can find more information on SHA1 and other methods of encryption here:
MySQL encryption methods
and
PHP SHA1
and
PHP Hash

Hope this helps.
Dec 11 '07 #2

P: 41
SHA1 is a hashing algorithm. There are known vulnerabilities now for this algorithm, but I believe that it takes a lot of processing power. Though vulnerabilities are known, these I believe are related to finding collisions and not actual decryption. People are being recommended to go with the SHA2 variants now. You can read about SHA algorithms on Wikipedia. There is some pseudo-code for you to look at. If you are looking to decrypt a key then SHA1 is not for you. It is not a reversible hashing method.

If you want to see if a key that a user has is the same as a SHA1 version of that key in the database then simply SHA1($key) and use that to compare to the database.

This works because SHA generates a unique key for a unique entry, with certain limits of course. There are collisions but they are rare.

hope that helps
Dec 12 '07 #3

bugboy
100+
P: 160
Thanks guys.. good to know. I'm going to explain what I need a little better. Perhaps there is a completely different way I need to approach this:

I'm trying to create something like Flickr's private, public or group photos where you can have data and assign permissions to it. Where either only you can see it, or everyone can see it or only a specific group of people can see it.

What I need:
I have a table that holds personal data for many people.
Each person can only see the rows assigned to them.
Some rows are assigned to more than one person.
There are many millions of rows.

The way I'm proposing:
Really I should be creating a foreign key table to define the relationships between users and the data but the relations table would be huge because millions of rows in the main table may be assigned to hundreds of people.

What I'm thinking of doing is simply putting a key value in each row which can be used to filter the results returning only those rows assigned to the key holder.

Each user has several keys associated with their profile, one for each group of people they share data with.

Users don't even know the keys exist.

When a user logs in, a session is created and their keys are retrieved from the db and held as a session variable to be inserted into any query on the db.

The keys held in the session are then used in the query to filter out only those rows that are assigned to any of the keys the user holds.

The problem:
I'm worried that someone will be able to figure out what someone else's key is from the session data and access someone else's rows.

Or maybe I'm being dumb and there is a simpler or more efficient way to do it?
Dec 12 '07 #4
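
The scheme described in post #4, sketched as an added example that is not code from any poster in this thread: PHP keeps $_SESSION data on the server and gives the browser only the session ID, so the keys are loaded once at login and bound into a parameterized query. The tables user_keys and personal_data, their columns, and the sample rows are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database standing in for the real one (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_keys (user_id INTEGER, group_key INTEGER)');
$pdo->exec('CREATE TABLE personal_data (id INTEGER PRIMARY KEY, group_key INTEGER, body TEXT)');
$pdo->exec('INSERT INTO user_keys VALUES (1, 10), (1, 20), (2, 20), (2, 30)');
$pdo->exec("INSERT INTO personal_data (group_key, body) VALUES
    (10, 'only user 1'), (20, 'shared by users 1 and 2'), (30, 'only user 2')");

/** Run once after the password check: fetch the user's keys from the db. */
function loadKeys(PDO $pdo, int $userId): array
{
    $stmt = $pdo->prepare('SELECT group_key FROM user_keys WHERE user_id = ?');
    $stmt->execute([$userId]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

/** Return only the rows whose group_key is one of the keys held in the session. */
function rowsFor(PDO $pdo, array $keys): array
{
    if ($keys === []) {
        return [];   // no keys means no rows, and avoids an invalid "IN ()"
    }
    // One placeholder per key; the key values are bound, never concatenated.
    $marks = implode(',', array_fill(0, count($keys), '?'));
    $stmt = $pdo->prepare("SELECT id, body FROM personal_data WHERE group_key IN ($marks)");
    $stmt->execute(array_values($keys));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A real page would call session_start() and set user_id after login;
// here $_SESSION is filled directly so the script runs from the command line.
$_SESSION = ['user_id' => 1];
$_SESSION['keys'] = loadKeys($pdo, $_SESSION['user_id']);

// The keys are read from $_SESSION only, never from $_GET, $_POST or cookies.
foreach (rowsFor($pdo, $_SESSION['keys']) as $row) {
    echo $row['id'], ': ', $row['body'], PHP_EOL;
}
```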
