What's the purpose of $page variable?
| Author | Subject | |
|---|---|---|
| IndieRect | Subject: What's the purpose of $page variable? | |
| Hello. I've been working on adding MD5 hashing to ATutor. The work is almost finished for now and I need some information to complete it. In ATutor 1.5, variable $page is used for several different purposes in different files. I need to know what it is used for on page users/profile.php, where it is assigned a string. The reason is I've created a file based on this one and now have to do something with this variable - either assign it some string or throw it away completely. I would be thankful for your answer. Posted: 2005-09-07 08:14:02 | ||
| joel | Subject: . | |
| $page in users/profile.php can be removed. It is no longer used. Posted: 2005-09-14 16:42:48 | ||
| IndieRect | Subject: OK | |
| Fine, I'll skip it then. Posted: 2005-09-15 04:21:39 | ||
| BtM | Subject: md5 | |
| Hi, Very interested in md5 password security for ATUTOR. How are you going to deal with password requests? Create a new one? If you have work in progress files, can I have a look? (Though new to PHP, I have been teaching programming for 20 years.) Thanks -BC Dr. B. I. Czaczkes mailto://msbc@mscc.huji.ac.il pl1.mscc.huji.ac.il Posted: 2005-09-16 07:26:49 | ||
| IndieRect | Subject: Say more generally: hashing | |
| Dear BtM. Thanks for your interest in this field. Yes, I'm working on adding password hashing to ATutor, though at this point it is not decided yet which algorithm to choose, MD5 or some other one. Currently the implementation handles password reminder requests the way you said - it just randomly generates a new alphanumeric password, writes it to the database and sends it to the user via e-mail. Maybe you can suggest a better way, I would appreciate any thoughts. The work is in the phase of studying now. As soon as progress is achieved I believe you will be able to download the files via SVN. Or, I could send you the changes (patches or modified files) by e-mail, if you wish. Best regards. Posted: 2005-09-16 09:31:34 | ||
| joel | Subject: . | |
| This topic has recently come up within our department and it would seem that the ability to select from a list of available algorithms is best. There are those here who would like the option to not encode the password at all. During a fresh installation the admin may select from: no hashing, md5, sha1, crypt, or even mcrypt_*. Posted: 2005-09-16 10:38:51 | ||
| IndieRect | Subject: It makes sense | |
| Choosing one of the algorithms is a good idea, and I thought about it. The restriction is that an encryption can not be reverted once it has been applied. It requires an admin to know about each of these methods BEFORE he begins an installation. Alternatively, an option to hash passwords could be included as an option on system preferences. A possible human-friendly solution is to include a simple installation option like: * Encrypt [w/o specifying the algorithm; assumes we've already decided that for an admin] * Don't encrypt/Encrypt later. But what to do that for?! Working with hashed passwords is absolutely transparent to either user or admin, just as it is for plaintext passwords used for now. Additionally, besides an increased security, it prevents admins from peeping and violating users' legal rights for privacy. So, unless an admin wants to control users in such an immoral and potentially dangerous way OR is not informed about the transparency and security well enough, not using hashing can hardly be argumented, from my point of view. Posted: 2005-09-16 11:43:15 | ||
| BtM | Subject: . | |
| Hi, We are talking about password inscription, not the complete db? If the DBA wants to peep he can just look at the data. So a one way hash is transparent to the admin but not to the user if he loses his password (he may get a new one but we will never know what the old one was). If the data is encrypted using the password, a back door is essential in my opinion. Do not forget our users are students and we do not want data to be lost just because a password was lost. Posted: 2005-09-16 12:06:17 | ||
| IndieRect | Subject: Know more about hashing | |
| Yes, only the passwords are hashed, not the entire database. Hashing differs from an ordinary encryption in a way that it's a ONE-WAY process. I.e. once the password was hashed (using MD5, SHA-1, SHA-2 or whatever other algorithm) it can never be reproduced again in an initial state. An example: MD5('abc') = '900150983cd24fb0d6963f7d28e17f72' If you want to know more about hashing on a high level, wikipedia would be a good place to start, www.wikipedia.org/. Posted: 2005-09-16 12:20:57 | ||
| joel | Subject: . | |
| We have a group here who are not very web savvy at all. In fact, the admin is required to create accounts for students and even update their accounts at times. So in that situation making it impossible for the admin to find someone's password would create a lot of extra work. It has to be an admin option during the installation process. A script for resetting ALL passwords has to be created as well just in case the admin decides to change the hashing algorithm. Posted: 2005-09-16 15:17:26 | ||
| sinus | Subject: hi... it would be nice to see aTutor use md5 for passwords | |
| hi... it would be nice to see aTutor use md5 for passwords.... if the user forgets his passwords, then he can just request a new one instead of retrieving the new password (thru email) Posted: 2005-10-16 23:05:06 | ||
| IndieRect | Subject: Pending | |
| This work is currently frozen since I have not sufficient time for completing it. In case you're interested in discussion, please see atutor.ca/view/7/5767/1.html (notice there are 2 pages there). Posted: 2005-10-17 08:18:01 | ||
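
The two practical questions raised in this thread (what happens to stored passwords when the hashing algorithm changes, and what a user who forgot a password receives) can both be handled by tagging each stored value with its scheme and rewriting the row at the next successful login. The sketch below is an added example, not ATutor code and not from any poster; the `scheme` column, the function names and the sample rows are assumptions, and it relies on PHP's `password_hash()` family, which postdates the thread.

```php
<?php
// Added example, not ATutor code. The 'scheme' column, function names and
// sample rows are hypothetical.

// Check a login against a row stored under any of the schemes discussed in
// the thread. Returns [ok, newRow]; newRow is non-null when the row should be
// rewritten with the current algorithm.
function verify_and_upgrade(string $password, array $row): array
{
    switch ($row['scheme']) {
        case 'plain': // "no hashing" installs
            $ok = hash_equals($row['value'], $password);
            break;
        case 'md5':   // unsalted hex digest
            $ok = hash_equals($row['value'], md5($password));
            break;
        case 'php':   // password_hash() output: salted, cost embedded
            $ok = password_verify($password, $row['value']);
            break;
        default:      // unknown scheme: refuse rather than guess
            return [false, null];
    }
    $stale = $row['scheme'] !== 'php'
        || password_needs_rehash($row['value'], PASSWORD_DEFAULT);
    $new = ($ok && $stale)
        ? ['scheme' => 'php', 'value' => password_hash($password, PASSWORD_DEFAULT)]
        : null;
    return [$ok, $new];
}

// Forgotten password: generate a random one, store only its hash, and return
// the plaintext once so it can be mailed to the user.
function issue_new_password(): array
{
    $plain = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    $row = ['scheme' => 'php', 'value' => password_hash($plain, PASSWORD_DEFAULT)];
    return [$plain, $row];
}

// Constructed sample rows, for demonstration only.
$legacy = ['scheme' => 'md5', 'value' => md5('abc')];
[$ok, $upgraded] = verify_and_upgrade('abc', $legacy);
var_dump($ok, $upgraded['scheme']);      // login result and the upgraded scheme
[$ok2, $again] = verify_and_upgrade('abc', $upgraded);
var_dump($ok2, $again);                  // second login: no further rewrite needed
[$plain, $row] = issue_new_password();
var_dump(verify_and_upgrade($plain, $row)[0]);
```

Because each row records its own scheme, rows migrate one at a time as users log in, and accounts that never log in again keep their old form until an administrator resets them.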