Two questions about security - hash and session
I haven't been working with php for a long time, and I forgot many things (not that I was expert before
).
Now I'm working on a website for my friend and this is what bothers me:
1)Is it safer to use something like this
[php]function hasher($input){
$output=sha1($input);
$output=substr($output,10,20);
$output=$output.'Chernobile+123';//random text
$output=sha1($output);
$output=md5($output).'Horse+321';
$output=sha1($output);
return $output;
}
[/php]
or just a normal hashing function and only once, like just $output=sha1($input);
2)Here's code that I use for logging on:
[php]$userquery=mysql_query("SELECT username,password FROM
basicuser WHERE username='$username'
AND password='$password'");
if (mysql_num_rows($userquery)!=1) {
echo 'Log in error, bad password or username';
die;
}
$_SESSION['user']=$username;
[/php]
And every other file begins with
[php]
session_start();
if (!isset ($_SESSION['user'])) {
echo 'You must log in';
die;
}
[/php]
Log Out
[php]
session_start();
$old_user=$_SESSION['user'];
unset($_SESSION['user']);
session_destroy();
[/php]
Is this safe - are there any security holes? Thanks in advance.