I've implemented an authentication scheme that is basically Recipe #31 from the Rails Recipes book. I'm using the SHA 256 digest to generate the hash that is stored in the database.

Are there any characters, which, if they were present in the submitted password form field, would cause the digest to fail?

Basically, do I need to escape any of the characters that might be submitted for the password from the user?

Thanks,
Wes

-- Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en

No, digest will never treat a string like anything different than a string, it will never try to execute part of it thinking that maybe it's a command. Digest just reads, never executes.

Wes Gamble wrote:
> I've implemented an authentication scheme that is basically Recipe #31
> from the Rails Recipes book. I'm using the SHA 256 digest to generate
> the hash that is stored in the database.
>
> Are there any characters, which, if they were present in the submitted
> password form field, would cause the digest to fail?
>
> Basically, do I need to escape any of the characters that might be
> submitted for the password from the user?
>
> Thanks,
> Wes

Stephan Wehner
2007-Jan-06 00:17 UTC
Re: Advice: Need to escape password chars w/SHA digest?
Wes Gamble wrote:
> I've implemented an authentication scheme that is basically Recipe #31
> from the Rails Recipes book. I'm using the SHA 256 digest to generate
> the hash that is stored in the database.
>
> Are there any characters, which, if they were present in the submitted
> password form field, would cause the digest to fail?
>
> Basically, do I need to escape any of the characters that might be
> submitted for the password from the user?
>
> Thanks,
> Wes

When I run the code below I get no errors.

Stephan

    require 'openssl'

    # OpenSSL::Digest::SHA is not available in current Ruby/OpenSSL builds;
    # SHA1 produces the same 40-hex-digit output length checked below.

    # chr converts integers to ascii
    digests = (0..255).to_a.collect { |c| OpenSSL::Digest::SHA1.hexdigest(c.chr) }

    count = 0
    digests.each do |s|
      if s.length != 'c6e20991c4a5ea747fdd7a9e3ce5210504a74e75'.length
        puts "Not the right length for #{s}"
      else
        count += 1
      end
    end

    (0..255).to_a.each { |c| puts OpenSSL::Digest::SHA1.hexdigest(c.chr) }

    puts "Looked at #{digests.length} digests; #{count} have the same length."
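
An added example, not part of the original thread: it repeats the check above with SHA-256 (the digest the question mentions) and goes one step further, showing that escaping before hashing, or a change of form encoding, alters the stored digest. The sample passwords are constructed, and `naive_escape` and the other helper names are hypothetical.

```ruby
require 'digest'

# Constructed sample passwords: quotes, SQL and shell metacharacters,
# control bytes, a NUL byte and multibyte UTF-8 text.
SAMPLE_PASSWORDS = [
  "plain",
  "o'brien\"; DROP TABLE users; --",
  '`id` $(id) <script>',
  "tab\tnewline\nnul\x00end",
  "pässwörd-日本語"
].freeze

# Hex digest of the raw bytes, with no escaping applied first.
def password_digest(password)
  Digest::SHA256.hexdigest(password)
end

# True when the digest is exactly 64 lowercase hex digits, so the stored
# value itself contains nothing that needs escaping.
def clean_hex?(digest)
  digest.match?(/\A[0-9a-f]{64}\z/)
end

# Every single byte value 0..255 plus the samples above.
def all_inputs
  (0..255).map(&:chr) + SAMPLE_PASSWORDS
end

# Hypothetical escaping step: backslash-escape quotes and backslashes.
def naive_escape(password)
  password.gsub(/['"\\]/) { |c| "\\#{c}" }
end

# Escaping yields a different byte sequence, hence a different digest.
def escaping_changes_digest?(password)
  password_digest(naive_escape(password)) != password_digest(password)
end

# The digest sees bytes, not characters: the same visible text in two
# encodings hashes differently, so the form encoding must stay consistent.
def encoding_changes_digest?(text)
  password_digest(text.encode("ISO-8859-1")) != password_digest(text)
end

if __FILE__ == $PROGRAM_NAME
  bad = all_inputs.reject { |pw| clean_hex?(password_digest(pw)) }
  puts "#{all_inputs.length} inputs hashed, #{bad.length} malformed digests"
  puts "escaping changes digest: #{escaping_changes_digest?("o'brien")}"
  puts "encoding changes digest: #{encoding_changes_digest?('pässwörd')}"
end
```

If an escaping step is applied at signup but not at login (or the reverse), the two digests will not match even though the user typed the same password.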