At present we are going to learn password hashing with random php string. Even we state this for PHP ,but this logic can be applied to any programming language. hashing means generating one way encrypting the given string, which is impossible to get the original string from the hash. this helps to prevent the brute force attaks. This hashing can be used not only password hashing ,it can be applied to user sensitive data .main goal for hashing a string is get uniqueness one data for given fixed lenngth string and generating at minimum time and miniumum application resources.

Why hashing a string or password?

for example we take the authentication system where we store the user name and password in plain format. when hacker get into our application got access to database, then he can see the user password. in this case not only hacker can see that passwords,but also other webmasters, coder,designer ..etc can also see the password.

<?php 
$username=$_POST['username'];
$password=$_POST['password'];
$result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ;
/** sample tbl_user data
*username , password
*mahesh,mypassword1
*chari,password2
*/
?>

So we must encrypt the password by using php famouse algorithms like md5,sha1..etc. for example.

<?php 
$username=$_POST['username'];
$password=md5($_POST['password']);
$result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ;
/** sample tbl_user data
*username , password
*mahesh,0d28e4080dc8f64fc9603639bb7aa1b9
*chari,6cb75f652a9b52798eb6cf2201057c73
*/
?>

With this method hacker who may access database can not gues the password, but he can know that password with brute force algorithms. This algorithm guess the key with all available alphabet combinations. like a,b,c,…..aa,ab,ac…aaa..aab…etc. So this is also use less or weak implementation of authentication.

Now we add a application secrete that can be called plain hash to user password and do the encrypt, now brute force attack takes much time compared to previous one, it is some what strong compared to other. but if the hacker get to know this secret it is make easy again.

<?php 
define('HASH','mysecretehash');
$username=$_POST['username'];
$password=md5(HASH.$_POST['password']);
$result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ;
/** sample tbl_user data
*username , password
*mahesh,4e71c452f4aa24c19bf807a957986fc8
*chari,c645f52b2d8fcfc25e78ed73fc030bd3
*/
?>

Since this plain salt is also weak, we generate a strong one that contains special symbols,numbers,capital letter,small letters and more lengthy and keep in mind that it wont take much time to encrypt and application resources.

Now we use salt with md5 ,then it get more strong.

<?php 
define('HASH',md5('mysecretehash'));
$username=$_POST['username'];
$password=md5(HASH.$_POST['password']);
$result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ;
/** sample tbl_user data
*username , password
*mahesh,4e71c452f4aa24c19bf807a957986fc8
*chari,c645f52b2d8fcfc25e78ed73fc030bd3
*/
?>

Now even though above password is so strong but there is still a chance to know if attacker waits for a long time.

Now we use more customized salt generation for individual user liek , we combine user name also into salt.

<?php 
define('HASH',md5('mysecretehash'));
$username=$_POST['username'];
$password=md5($_POST['username'].HASH.$_POST['password']);
$result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ;
/** sample tbl_user data
*username , password
*mahesh,4e71c452f4aa24c19bf807a957986fc8
*chari,c645f52b2d8fcfc25e78ed73fc030bd3
*/
?>

Now it is 98% is stronger than previous ones. remaining is there chance if attaker wait long time.

now we use individaul random salt that is totally unique for each user, so it become more powerfull and strong. now we deal with real solution with customized solution for each individual salt .

<?php 
//generate unique random string with given length
function salt($length=6)
	{
		srand((double)microtime()*1000000);
		$randsymbols  = "!@#$%^&*()_+=-';:,<.>`~?[]{}";
		$randchar = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 
		$salt = array();
		while($length > 0) {
			$str = $length%3==0 ? $randsymbols : $randchar;
			$salt[] = $str[rand() % strlen($str) - .04];
			$length--;
		}
		shuffle($salt);
		mt_srand(); 
		return(implode("", $salt));
	}
//hash the string with favorite encrypt algorithm, here i used md5, you can consider sha1 or else	
function password($str, $salt)
{
	return md5(md5($str) . $salt);
}
?>

Now we have two functions one do gives unique string ,other do hashing the password. now we add one column to our tbl_user , called customsalt as varchar(45) , now we add the user to as below

<?php 
define('HASH',md5('mysecretehash'));
$username=$_POST['username'];
$customsalt=salt(3);
$password=password($_POST['username'].HASH.$_POST['password'],$customsalt);
$result=mysql_query("INSERT INTO tbl_user (username,password,customsalt) VALUES ('$username','$password','$customsalt')") ;
/** sample tbl_user data
*username , password,customsalt
*mahesh,4e71c452f4aa24c19bf807a957986fc8,c645f52b2d8fcfc25e78ed73fc030bd3
*chari,c645f52b2d8fcfc25e78ed73fc030bd3,4e71c452f4aa24c19bf807a957986fc8
*/
?>

Okay , now we consider fetching the user data and validating the user given user name and password for log in functionality.

<?php
define('HASH',md5('mysecretehash'));
$username=$_POST['username'];
$password=$_POST['password'];
$user=mysql_fetch_object(mysql_query("SELECT * FROM tbl_user WHERE username='$username'"));
if($user){
	$hashed=password($_POST['username'].HASH.$_POST['password'],$user->customsalt);
	if($hashed!==$user->password){
		echo 'Invalid password.';
	}
}
 
?>

Remember you must put your hash constant in non public directory and put that file into running script.

This is my idea only where i implemented on my projects , each developer has own methods as per their application level security level.

As the internet growing as long as spamming,hacking,fishing,bots also increasing,there by normal user can easly decepted by with them. in many security application we need to find the real ip address to ban or record the ip related activities.here we use small function that returns and modify the PHP global remote address variable.

Usually we’ll use $_SERVER['REMOTE_ADDR'] to get clients IP address. But this doesn’t return the real IP address all time. Basically when someone using PROXY that valiable returns proxy IP the client using. So here’s a function you can use to detect real ip address of client. Here are extra Server variable which might be available to determine the exact IP address of the client’s machine in PHP, they are HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR

1
2
3
4
5
6
7
8

function real_ip(){
	if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
		$_SERVER['REMOTE_ADDR']=$_SERVER['HTTP_X_FORWARDED_FOR'];
	}elseif(isset($_SERVER['HTTP_X_REAL_IP']){
		$_SERVER['REMOTE_ADDR']=$_SERVER['HTTP_X_REAL_IP'];
	}
return $_SERVER['REMOTE_ADDR'];
}

Yes ,you can hack any stored password in any browser ,any web site with in five seconds.Even you don’t know any basic programming language.but it works for only stored passwords in browser only.

hack stored password for Orkut ,Gmail and Google Account

Open the login page of the orkut that stored ,then paste the below code in URL bar or Address bar,simple you can see the password

1

javascript:document.getElementById('Passwd').type='text';void(0);

hack stored password for Yahoo mail

Open the login page of the yahoo that stored ,then paste the below code in URL bar or Address bar,simple you can see the password

1

javascript:document.getElementById('passwd').type='text';void(0);

hack any web site password

Yes ,again it is true you can hack any sites password,simple follow the below steps.
1.open login page of any web site that stored .

open login page of any site that stored

2.Open context menu by right clicking on the page,then select view source from that you can see a new window that has code,search for
a word type=”password” ,beside you can find id also


then replace with password with that id
paste it in address bar of the browser,then press enter or return key on your key board.

3.Its done you can see hidden password

Please note this article is informative purpose only.!!!

So don’t store your passwords on any public computer.