unique_id function

Why is the unique_id function so overdone? It requires a few SQL queries just to get a random md5. Why not replace it with a simpler combination that doesn't need any DB or I/O resources?
Also it's possible to optimize the set_config function - using one REPLACE query instead of a few UPDATE and/or INSERT queries.
Re: unique_id function
a) Because anything else wouldn't be as secure.
b) Doesn't optimize much and would be MySQL-only.
No support via PM.
Trust me, I'm a doctor.
Re: unique_id function
a) Can you please explain to me why a combination like

```php
return substr(md5(rand().'_'.microtime().'_'.rand()), rand(0,15), 16);
```

is less secure?
b) MySQL is the most popular, and for big forums there are no words like "Doesn't optimize much". Just a thought.
Re: unique_id function
a) Because it's just based on the current time. An attacker could have an excellent guess on what the generated value was (about one in 20, according to our experiments).
b) As stated before, it isn't faster and would break compatibility with the other DBMS. We don't support MySQL's weird quirks.
Config values are added only very seldom; never in normal operation. A REPLACE is more expensive than an UPDATE. Why use a more expensive operation frequently to avoid an extremely unlikely situation that can only happen in non-performance-critical situations?
No support via PM.
Trust me, I'm a doctor.
Re: unique_id function
a) Ok, let's forget about time.
There are a lot of different combinations with md5, substr, rand, round that can be implemented, and it's based only on random values every time.

```php
// Note: rand() can return 0, so the division below can fail (DivisionByZeroError on PHP 8).
return substr(
    md5(
        rand() . '_' . round(rand() * rand() / rand(), rand(1, 4)) . '_' . rand()
    ),
    rand(0, 15),
    16
);
```

b) I think I should agree with you.
Re: unique_id function
It's still just the time that goes in the function. An attacker using the same seed will get the same result.
No support via PM.
Trust me, I'm a doctor.
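The point made in the reply above (and the reason the rand()-only variant posted earlier does not help) is that every value the snippet feeds into md5() comes from a PRNG whose entire output is fixed by its seed; if the seed is the clock, an attacker who knows roughly when the token was made can regenerate it. The following is an added illustration, not phpBB code and not a reconstruction of its unique_id(): it uses Python's random.Random(seed) in place of PHP's rand() (an assumption; the real seeding and generator differ), builds a token the way the posted snippets do, then shows the attacker brute-forcing a small window of clock values around the server's time, and finally shows that the same attack has nothing to work on when the token comes from the operating system's CSPRNG. The seed value and the attacker's clock skew are constructed for the demo.

```python
"""Added example: why a token derived from a seeded PRNG is guessable.

Assumption: random.Random(seed) stands in for a rand() that was seeded
from the clock. Nothing here is phpBB's own implementation.
"""
import hashlib
import random
import secrets
from typing import Optional


def prng_token(seed: int) -> str:
    """Token in the style of the posted snippets: md5 over PRNG outputs,
    then a 16-char substring at a PRNG-chosen offset.

    Every input is drawn from the PRNG, so the result is a pure function
    of the seed. The substr at a random offset only throws away bits of
    the 128-bit digest; it adds no unpredictability.
    """
    rng = random.Random(seed)
    a = rng.randint(0, 2**31 - 1)
    b = rng.randint(0, 2**31 - 1)
    digest = hashlib.md5(f"{a}_{b}".encode()).hexdigest()
    offset = rng.randint(0, 15)
    return digest[offset:offset + 16]


def guess_prng_token(observed: str, approx_seed: int, window: int) -> Optional[int]:
    """Attacker model: the seed was 'the time', known to within `window`
    seconds of `approx_seed`. Regenerate candidates until one matches.
    Returns the recovered seed, or None if no candidate reproduces it.
    """
    for cand in range(approx_seed - window, approx_seed + window + 1):
        if prng_token(cand) == observed:
            return cand
    return None


def csprng_token() -> str:
    """The safe alternative: 64 bits from the OS CSPRNG. There is no seed
    for the attacker to enumerate, so guess_prng_token() cannot apply."""
    return secrets.token_hex(8)


def demo() -> dict:
    """Run the attack against both token kinds and report the outcome."""
    server_seed = 1_170_000_000          # constructed: the Unix time the server seeded with
    weak = prng_token(server_seed)
    # The attacker's clock is 3 s off and they search +/- 10 s: 21 md5 calls.
    recovered = guess_prng_token(weak, server_seed + 3, window=10)
    strong = csprng_token()
    not_recovered = guess_prng_token(strong, server_seed + 3, window=10)
    return {
        "weak_token": weak,
        "recovered_seed": recovered,      # 1170000000: the attack succeeds
        "csprng_guess": not_recovered,    # None: nothing to enumerate
    }


if __name__ == "__main__":
    print(demo())
```

Widening the window to a whole day is still only 86,400 md5 calls, which is why a time-seeded generator is no substitute for a proper entropy source, and why mixing in more rand() calls, rounding, or substr offsets does not change the analysis: the attacker runs the same arithmetic on the same seed.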
Re: unique_id function
^ There are only rand(), md5(), and substr() functions now. The result doesn't depend on time.
Also you can get hash of getallheaders() or something like this.
- Nicholas the Italian
Re: unique_id function
Not sure what we are exactly talking about, so I might be saying something stupid. But what about using user's IP as part of the seed? The attacker must (should) have a different one.