Passing secure data with $_SESSION

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • bugboy
    New Member
    • Sep 2007
    • 160
    #1

    Passing secure data with $_SESSION

    Hi everybody,

    I need to pass a secure key around in a session variable and i'm having trouble finding a manual that gives me a clear idea as to what is happening with, and how to use sha1().

    When the user logs in their static key is retrieved from the db and then this key is passed around in the session and is used in every query that the user makes on the db. Like so.

    [CODE=mysql]SELECT * FROM table WHERE 'name' = 'joe' AND 'key' = sha1(numerickey );[/CODE]

    I guess i just don't understand how sha1() works. Can anyone help explain it to me? or.. give me a better idea as to how to filter db results with a secure 'key' that blocks results not belonging to the user.

    Thanks in advance!
    Tags: None
    • brettl
      New Member
      • Sep 2007
      • 41
      #2
      You may not want to use SHA hash for this. I guess it all depends on how sensitive the data you are trying to protect is.

      Originally posted by MySQL
      Note

      Exploits for the MD5 and SHA-1 algorithms have become known. You may wish to consider using one of the other encryption functions described in this section instead.
      You can find more information on SHA1 and other methods of encryption here:
      MySQL encryption methods
      and
      PHP SHA1
      and
      PHP Hash

      Hope this helps.

        Comment

        • clai83
          New Member
          • Dec 2007
          • 41
          #3
          SHA1 is a hashing algorithm. There are know vulnerabilities now for this algorithm, but I believe that it takes a lot of processing power. Though vulnerabilities are know, these I believe are related to finding collisions and not actual decryption. People are being recommended to go with the SHA2 variants now. You can read about SHA algorithms on wikipedia. There is some pseudo-code for you to look at. If you are looking to decrypt a key then SHA1 is not for you. It is not a reversable hashing method.

          If you want to see if a key that a user has is the same as a SHA1 version of that key in the database then simple SHA1($key) and use that to compare to the database.

          Why this works is being, SHA generates a unique key for a unique entry, with certain limits of course. There are collisions but they are rare.

          hope that helps

            Comment

            • bugboy
              New Member
              • Sep 2007
              • 160
              #4
              Thanks guys.. good to know. I'm going to explain what i need a little better. Perhaps there is a completely different way i need to approach this:

              I'm trying to create something like Flickr's private, public or group photos where you can have data and assign permissions to it. Where either only you can see it, or everyone can see it or only a specific group of people can see it.

              What i need:
              • I have a table that holds personal data for many people.
              • Each person can only see the rows assigned to them.
              • Some rows are assigned to more than one person.
              • There are many millions of rows.

              The way i'm proposing:
              Really i should be creating a foreign key table to define the relationships between users and the data but the relations table would be huge because millions of rows in the main table may be assigned to hundreds of people.

              What i'm thinking of doing is simply putting a key value in each row which can be used to filter the results returning only those rows assigned to the key holder.

              Each user has several keys associated with their profile one for each group of people they share data with.

              Users don't even know the keys exist.

              When a user logs in a session is created and their keys are retreived from the db and held as a session variable to be inserted into any query on the db.

              The keys held in the session are then used in the query to filter out only those rows that are assigned to any of the keys the user holds.

              The problem:
              I'm worried that someone will be able to figure out what someone else's key is from the session data and access someone else's rows.

              or maybe i'm being dumb and there is a simpler or more efficient way to do it?

                Comment

                Previous template Next
                Working...