Message Board in PHP with MySQL

Neo
Member
Posts: 842
Joined: Wed Oct 18, 2006 9:01 am

Re:Message Board in PHP with MySQL

Post by Neo »

I was wondering about moderators of groups. What are their functions and how are they different (in terms of rights etc.) from the other users of a forum? How do I represent them and what should I do to allow others to become moderators?

This board is powered by YaBB SE (it says so below). So is the BBC language used here? If so, can I also allow the use of it in my forum, or do I have to try something else on my own?

Also, is it possible for anyone to get the source of my PHP scripts off the server it's running on? (I mean using website extractors etc.?)
Only Human
Neo
Member
Posts: 842
Joined: Wed Oct 18, 2006 9:01 am

Re:Message Board in PHP with MySQL

Post by Neo »

Well, since no one's realised this till now, I might as well add what little info I managed to unearth from the MySQL docs.
The use of the INNODB database type (version 3.something onwards) allows the use of foreign keys with the ability to perform cascading operations etc. on the database.
So I guess that answers my own question on CASCADING operations. This has greatly simplified my database design. However, the CHECK() clause does not seem to be working.
Anyway I'm off to do some more fun stuff. BTW Any answers to the previous post??
Only Human
AGI1122

Re:Message Board in PHP with MySQL

Post by AGI1122 »

I was wondering about moderators of groups. What are their functions and how are they different (in terms of rights etc.) from the other users of a forum? How do I represent them and what should I do to allow others to become moderators?
Basically moderators in YaBBSE only have power to delete topics, delete posts, edit posts, lock topics, and move topics on boards they moderate. Global moderators have the same power in YaBBSE... except they have power over all boards instead of just specific boards. And admins can do pretty much anything and everything.

To make people moderators, just insert their user ids into the board's row as its moderators. For instance, in YaBBSE it inserts their username into the boards table separated by commas... so it would look like this in the db:
df,AGI1122,sonneveld

But I think using ids is better to save space as well as to make it faster. So like this:
1,63,49
As an example. Then just explode by a comma, and if one of the user ids is the user id of the person currently logged in, they have moderator power.
This board is powered by YaBB SE (it says so below). So is the BBC language used here? If so, can I also allow the use of it in my forum, or do I have to try something else on my own?
Yeah this board is powered by YaBBSE... although the url at the bottom is wrong, they have a new domain name "http://www.yabbse.org". As for the BBC language, YaBBSE didn't invent BBC... almost all boards I have tried have their own BBC language and they are all similar in the way they work. So you can use BBC on your forum... as long as it doesn't use their BBC source code in the YaBBSE source files.
Also, is it possible for anyone to get the source of my PHP scripts off the server it's running on? (I mean using website extractors etc.?)
As long as the server is set up to make all .php files executable then they should not be able to... unless you don't use the .php extension for your source code files. In most cases your server should be set up properly to prevent .php files from showing source unless you use FTP or have access to the files on the server... in which case you should chmod them properly.
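An added example (not YaBBSE's code) of the permission model described above: board moderators act only on boards whose comma-separated moderator list contains their id, global moderators on every board, admins on everything. The `group` column, the board rows and the user ids are constructed sample data.

```php
<?php
// Constructed `boards` rows; the `moderators` column holds comma-separated
// user ids, as suggested in the thread.
$boards = [
    1 => ['name' => 'General',   'moderators' => '1,63,49'],
    2 => ['name' => 'Support',   'moderators' => '49'],
    3 => ['name' => 'Off-topic', 'moderators' => ''],
];

// Constructed user records with a single `group` column.
$users = [
    1  => ['group' => 'admin'],
    63 => ['group' => 'member'],
    49 => ['group' => 'globalmod'],
    7  => ['group' => 'member'],
];

// Actions a moderator may take on a board they moderate, per the thread.
const MOD_ACTIONS = ['delete_topic', 'delete_post', 'edit_post', 'lock_topic', 'move_topic'];

// Parse the moderator column into a list of ints. Empty or non-numeric
// entries are skipped so '1,,63' or a stray space never yields a bogus id 0.
function board_moderators(string $column): array {
    $ids = [];
    foreach (explode(',', $column) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int)$part;
        }
    }
    return $ids;
}

function can_moderate(int $userId, int $boardId, string $action, array $users, array $boards): bool {
    if (!isset($users[$userId], $boards[$boardId])) {
        return false;                       // unknown user or board: deny
    }
    $group = $users[$userId]['group'];
    if ($group === 'admin') {
        return true;                        // admins can do anything
    }
    if (!in_array($action, MOD_ACTIONS, true)) {
        return false;                       // not a moderator-level action
    }
    if ($group === 'globalmod') {
        return true;                        // same powers on all boards
    }
    // Ordinary member: allowed only if listed on this board. Strict compare
    // on ints, so user 6 never matches the entry '63'.
    return in_array($userId, board_moderators($boards[$boardId]['moderators']), true);
}

var_dump(can_moderate(63, 1, 'lock_topic', $users, $boards)); // listed on board 1
var_dump(can_moderate(63, 2, 'lock_topic', $users, $boards)); // not listed on board 2
var_dump(can_moderate(49, 3, 'move_topic', $users, $boards)); // global moderator
var_dump(can_moderate(7, 1, 'edit_post', $users, $boards));   // plain member
var_dump(can_moderate(1, 3, 'ban_user', $users, $boards));    // admin, any action
```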
Neo
Member
Posts: 842
Joined: Wed Oct 18, 2006 9:01 am

Re:Message Board in PHP with MySQL

Post by Neo »

Does that mean I can use e.g. [ code ], [ quote ] etc. tags, and should only implement the logic to translate them?
@Chris: What did you mean by
...as long as it doesn't use their BBC source code in the YaBBSE source files.
How will I be able to access their source? Or was that a yes?

Right now I'm storing user passwords as plaintext. I was wondering if I should encrypt them? Do I do this using PASSWORD()?
Only Human
AGI1122

Re:Message Board in PHP with MySQL

Post by AGI1122 »

Does that mean I can use e.g. [ code ], [ quote ] etc. tags, and should only implement the logic to translate them?
Yes, as long as you use your own code/programming/logic and not YaBBSE's.
How will i be able to access their source? Or was that a yes.
You can download the YaBBSE source files on their website and upload it to your web site to have your own message board system without having to write one or pay for one. It's free/open source.
Right now I'm storing user passwords as plaintext. I was wondering if I should encrypt them? Do I do this using PASSWORD()?
I use the md5(); function in PHP to encrypt passwords. It creates a 32 byte hashed password that cannot be easily unhashed. In fact, if you use a good enough password it could take an extremely long time to unhash just one... much less a database full of them. If you run a new enough version of PHP (4.3.0 or higher) you could also try using sha1(); encrypt, which has a 40 byte hash which makes it even more secure than md5();.
Candy
Member
Posts: 3882
Joined: Tue Oct 17, 2006 11:33 pm
Location: Eindhoven

Re:Message Board in PHP with MySQL

Post by Candy »

Chris Cromer wrote: It creates a 32 byte hashed password that cannot be easily unhashed. In fact, if you use a good enough password it could take an extremely long time to unhash just one... much less a database full of them. If you run a new enough version of PHP (4.3.0 or higher) you could also try using sha1(); encrypt, which has a 40 byte hash which makes it even more secure than md5();.
"Unhashing" a password is impossible. Decrypting a password /IS/ possible.

The only thing you could try is to find a password that creates the same hash. Doing so requires, in case of a good hash, generating half the possible hashes, which in the case of a 128-bit hash means 2^127 hashes. On a specially designed network of 1 billion special chips running at 130 THz, creating and comparing a hash in 1 cycle, you'd be crunching for about 35.7 million years before you find ONE hit.

Compare the old crypt() function, using the hashing method (pass is key, you encrypt a block of zeroes): you'd get a hit in 4 minutes 16 on average, using only one chip (running at 130 THz still).

Note, if the algorithm is cracked, this all falls to dust. None of it is then valid.

Now, if you could only educate /ALL/ your users to not choose simple passwords, this'd be all there is to it. But they are not smart now, are they?

Trudy makes a list of passwords she thinks they'll use. She hashes them all (taking a second or so), and then mass-compares them with all the hashes in your pwd list. Amazing, 3/4 of the passes are cracked.

Security is more than a good algorithm.
Neo
Member
Posts: 842
Joined: Wed Oct 18, 2006 9:01 am

Re:Message Board in PHP with MySQL

Post by Neo »

So what would you recommend? I try the crack() function on each password and then ask users for safer passwords? (I'm sure most of them will leave if I do that.)

Anyway the PASSWORD() function in MySQL generates a 41 byte hash. Would this be better than the other functions mentioned?

Another thing is about access to the database by users. Do I create accounts for each (sounds crazy)? Or else do I create a user with no password and allow only SELECT privileges for the user? How do I update the tables when a new user signs up etc.? Should I create different users (will hosts allow this?) with different access rights and use the appropriate one as needed?
Or else how is this handled?
Only Human
AGI1122

Re:Message Board in PHP with MySQL

Post by AGI1122 »

Candy wrote:
Chris Cromer wrote: It creates a 32 byte hashed password that cannot be easily unhashed. In fact, if you use a good enough password it could take an extremely long time to unhash just one... much less a database full of them. If you run a new enough version of PHP (4.3.0 or higher) you could also try using sha1(); encrypt, which has a 40 byte hash which makes it even more secure than md5();.
"Unhashing" a password is impossible. Decrypting a password /IS/ possible.

The only thing you could try is to find a password that creates the same hash. Doing so requires, in case of a good hash, generating half the possible hashes, which in the case of a 128-bit hash means 2^127 hashes. On a specially designed network of 1 billion special chips running at 130 THz, creating and comparing a hash in 1 cycle, you'd be crunching for about 35.7 million years before you find ONE hit.

Compare the old crypt() function, using the hashing method (pass is key, you encrypt a block of zeroes): you'd get a hit in 4 minutes 16 on average, using only one chip (running at 130 THz still).

Note, if the algorithm is cracked, this all falls to dust. None of it is then valid.

Now, if you could only educate /ALL/ your users to not choose simple passwords, this'd be all there is to it. But they are not smart now, are they?

Trudy makes a list of passwords she thinks they'll use. She hashes them all (taking a second or so), and then mass-compares them with all the hashes in your pwd list. Amazing, 3/4 of the passes are cracked.

Security is more than a good algorithm.
Words from a dictionary are easy to get the password for when using hashes. I have even seen websites that can get the password by using a dictionary. But if your password is random characters then it won't be easily obtainable. I didn't mean that it could "literally" be unhashed... it's more like brute forcing. :P

Also, if you want you could try something like this:

Code:

```php
function multiple_encryption($password) {
   $password = base64_encode($password);
   $password = crypt($password,substr($password,0,2));
   $password = substr($password,0,10);
   $password = md5($password);
   $password = substr($password,0,10);
   $password = sha1($password);
   return $password;
}
```

This is an encryption routine that uses 4 different types of encryption to create a pretty secure password... if you are using a PHP version older than 4.3.0 you should use this instead, though, which only has 3:

Code:

```php
function multiple_encryption($password) {
   $password = base64_encode($password);
   $password = crypt($password,substr($password,0,2));
   $password = substr($password,0,10);
   $password = md5($password);
   return $password;
}
```
So what would you recommend? I try the crack() function on each password and then ask users for safer passwords? (I'm sure most of them will leave if I do that.)
I think too many people would be annoyed by that... but I recommend either the code above or maybe md5(); or sha1();.
Anyway the PASSWORD() function in MySQL generates a 41 byte hash. Would this be better than the other functions mentioned?
Well it's only 1 extra byte than sha1(); so I don't see it being that much better... a tiny bit... but not much. Besides if you use the MySQL function it will restrict all password related things to be forced to go through MySQL and not checkable within PHP.
Another thing is about access to the database by users. Do I create accounts for each (sounds crazy)? Or else do I create a user with no password and allow only SELECT privileges for the user? How do I update the tables when a new user signs up etc.? Should I create different users (will hosts allow this?) with different access rights and use the appropriate one as needed?
Or else how is this handled?
Well, normally you don't create mysql users based on users that sign up at the forum... I can see lots of security issues if you do that. :P

Normally, you make it use the default mysql user for the database. Or you could make 1 new mysql user specifically for that database.

The board itself should be the only thing interacting with the database... your users should NOT be able to touch the database, so they don't need a user for each member of your forum.

Unless I totally misunderstood that last question, because it sounded like you were wanting to create mysql users for each user. :P
Neo
Member
Posts: 842
Joined: Wed Oct 18, 2006 9:01 am

Re:Message Board in PHP with MySQL

Post by Neo »

Yeah, that was what I was asking (even though I knew it sounded crazy).
Anyway, now I've created one user with SELECT privilege only, another with INSERT, DELETE, SELECT privileges and another with ALL.
I plan on using the first for guests, the second for members and the third for Admin.
Is this OK?
Only Human
Candy
Member
Posts: 3882
Joined: Tue Oct 17, 2006 11:33 pm
Location: Eindhoven

Re:Message Board in PHP with MySQL

Post by Candy »

Chris Cromer wrote: Words from a dictionary are easy to get the password for when using hashes. I have even seen websites that can get the password by using a dictionary. But if your password is random characters then it won't be easily obtainable. I didn't mean that it could "literally" be unhashed... it's more like brute forcing. :P
The point is, even when you DO have a hit when trying to brute-force it, you don't necessarily have the pass. You have SOME password that generates the same hash.
Also, if you want you could try something like this:

Code:

```php
function multiple_encryption($password) {
   $password = base64_encode($password);
   $password = crypt($password,substr($password,0,2));
   $password = substr($password,0,10);
   $password = md5($password);
   $password = substr($password,0,10);
   $password = sha1($password);
   return $password;
}
```

This is an encryption routine that uses 4 different types of encryption to create a pretty secure password... if you are using a PHP version older than 4.3.0 you should use this instead, though, which only has 3:

Code:

```php
function multiple_encryption($password) {
   $password = base64_encode($password);
   $password = crypt($password,substr($password,0,2));
   $password = substr($password,0,10);
   $password = md5($password);
   return $password;
}
```
Did you ever read about the principle of the weakest link? The strength of the chain is only as strong as the strength of the weakest link. You're chaining password hashes, which means that it's as strong as the weakest one, which for as far as I can see is the crypt. As I've mentioned above, crypt is NOT a good idea. Chaining crypt is not a good idea either.
So what would you recommend? I try the crack() function on each password and then ask users for safer passwords? (I'm sure most of them will leave if I do that.)
I think too many people would be annoyed by that... but I recommend either the code above or maybe md5(); or sha1();.
There is no cure for a bad password. If the user doesn't protect himself using a password (or anything linked to the password!) the user is essentially open. The best thing you could do is tell him his/her pass is terrible, and the least nice thing would be to disable his/her account until it gets a decent pass. A nice middle way would be to allow weak passes but only when they're tied to an IP address, and to allow strong passes to be untied.
AGI1122

Re:Message Board in PHP with MySQL

Post by AGI1122 »

The point is, even when you DO have a hit when trying to brute-force it, you don't necessarily have the pass. You have SOME password that generates the same hash.
I haven't seen 2 passwords from a dictionary yet that create an identical hash. :P
Did you ever read about the principle of the weakest link? The strength of the chain is only as strong as the strength of the weakest link. You're chaining password hashes, which means that it's as strong as the weakest one, which for as far as I can see is the crypt. As I've mentioned above, crypt is NOT a good idea. Chaining crypt is not a good idea either.
It's creating an encoded password, then turning that encoded password into a random string based on a SALT which is the first 2 characters of the password entered, then hashing it 2 times. It isn't just crypt by itself, the SALT adds a lot more security, which means you also have to figure out the first 2 characters of the password to even be able to get the entire password. And since crypt produces a random string instead of a dictionary word (like most people use for their passwords), for instance, it means that a dictionary hash cracker won't be able to get at it.

Just a simple md5 dictionary hash program won't be able to get at the password because the crypt turned it into random string of characters before hashing it to md5. It's not a major gain in security but there is gain. :P
Candy
Member
Posts: 3882
Joined: Tue Oct 17, 2006 11:33 pm
Location: Eindhoven

Re:Message Board in PHP with MySQL

Post by Candy »

Chris Cromer wrote:
Did you ever read about the principle of the weakest link? The strength of the chain is only as strong as the strength of the weakest link. You're chaining password hashes, which means that it's as strong as the weakest one, which for as far as I can see is the crypt. As I've mentioned above, crypt is NOT a good idea. Chaining crypt is not a good idea either.
It's creating an encoded password, then turning that encoded password into a random string based on a SALT which is the first 2 characters of the password entered, then hashing it 2 times.
It isn't just crypt by itself, the SALT adds a lot more security, which means you also have to figure out the first 2 characters of the password to even be able to get the entire password. ... And since crypt produces a random string instead of a dictionary word (like most people use for their passwords), for instance, it means that a dictionary hash cracker won't be able to get at it.
Ok, so I'll make a program that feeds any password I care to test through your password generator program. It surely helps you fixed all these problems.

By definition there are a max of 2^56 possible crypt values. Because you take the salt, it'd increase to 2^72. You strip the salt off again (which is not that bad in itself, but you do strip the salt) so it goes down to 2^60 again. You've gone to 2^4 = 16 times better than crypt.

The point is, there is no other possible output from these 2^60 characters, so there is NO way you will ever get any more than 2^60 different MD5 sums, even though there are 2^128. Ouch.

Now, think, if there's a max of 2^60 different MD5 sums that you can generate, one out of every 2^60 passwords is "identical" to the one the user entered. Taking on average 2^59 before you find one, you didn't gain as much as with even plain MD5.

Reconsider.
Just a simple md5 dictionary hash program won't be able to get at the password because the crypt turned it into random string of characters before hashing it to md5. It's not a major gain in security but there is gain. :P
You strip down whatever crypt made of it to 60 bits, even stripping off the salt. Ok, they can't find out the salt. That mostly means they don't know the first 1.3 character of the string, but OK, if you think that adds security, so be it.

There is no way to create entropy where there is none.

if my password is 1234 any cracker can fill it in as easily as I can and use my account, there is no point whatsoever in just trying to invent a better algorithm.

Now, you could use all those hashes (sha1, md5, crypt) next to each other. That then results in a whopping 128+160+56 = 344 bits of hash to crack. That's a better idea. As long as none of the hashes is directly invertible (which is by definition not so, in a hash), it's safe. Since a different pass that generates the same crypt doesn't generate the same MD5 or SHA1, the chance of an accidental hit goes down to 2^-344, or, virtually none (the first non-0 appears after a nice 103 decimals).
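An added example, not from the thread, illustrating Candy's two points about the posted multiple_encryption() chain: its "salt" is derived from the password itself, so the output is deterministic and one precomputed wordlist matches every user who chose the same password; a per-user random salt removes that shared lookup. The hardened form uses PHP's own password_hash()/password_verify() (PHP 5.5+, which postdates the thread); the users and wordlist are constructed sample data.

```php
<?php
// The chain exactly as posted in the thread, kept for comparison.
function multiple_encryption(string $password): string {
    $password = base64_encode($password);
    $password = crypt($password, substr($password, 0, 2)); // salt = first 2 chars of the input
    $password = substr($password, 0, 10);
    $password = md5($password);
    $password = substr($password, 0, 10);
    $password = sha1($password);
    return $password;
}

// Hardened form: random per-user salt plus a slow hash (bcrypt by default),
// both handled by password_hash(). The salt lives inside the returned string,
// so no extra column is needed.
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Constructed member table: two members happen to share a weak password.
$users = [
    'alice' => 'password',
    'bob'   => 'password',
    'carol' => 'Tr0ub4dor&3xyz',
];

// Constructed wordlist, as in Candy's "Trudy" scenario.
$wordlist = ['123456', 'password', 'letmein', 'qwerty'];

// 1. Deterministic chain: hash the wordlist once, then compare against every
//    stored value by lookup. Same password => same stored value for all users.
$table = [];
foreach ($wordlist as $w) {
    $table[multiple_encryption($w)] = $w;
}
$matched = 0;
foreach ($users as $name => $pw) {
    $stored = multiple_encryption($pw);   // what the database would hold
    if (isset($table[$stored])) {
        $matched++;
        echo "$name: stored value matches a wordlist entry\n";
    }
}
echo "chained scheme: $matched of " . count($users) . " matched from one table\n";

// 2. Salted scheme: alice's and bob's identical passwords give different
//    stored values, so no shared table applies and every guess must be
//    re-hashed per user at bcrypt cost. Verification still works.
$a = store_password('password');
$b = store_password('password');
echo "same stored value for alice and bob? " . ($a === $b ? 'yes' : 'no') . "\n";
echo "alice verifies with her password? " . (check_password('password', $a) ? 'yes' : 'no') . "\n";
echo "alice verifies with a wrong password? " . (check_password('letmein', $a) ? 'yes' : 'no') . "\n";
```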
Embrance

Re:Message Board in PHP with MySQL

Post by Embrance »

I go for flatfile. I think that's better. Even with basic PHP knowledge you can create a nice forum. There are nice flatfile forums out there.
AGI1122

Re:Message Board in PHP with MySQL

Post by AGI1122 »

As I said, a lot of hosts don't like flatfile databases and would drop your service if you use them (that's the reason that a lot of the old flatfile YaBBs are banned; even my host (eperfect.net) banned them). YaBBSE however uses a database and is allowed by those hosts that banned YaBB.

MySQL databases are usually a lot faster as well as easier on the server's resources, since it is optimized for storing data.
DennisCGc

Re:Message Board in PHP with MySQL

Post by DennisCGc »

I have another question, since I'm pretty new to PHP programming.
How do I stay logged in on a message board, or at least do something interactive?
Do I have to write a cookie? If so, how do I do that?
And if not, please explain what to use then.

Regards,
DennisCGc.