Sent from my iPhone

On 2012-3-18, at 15:05, Tjerk Meesters <tjerk.meest...@gmail.com> wrote:
> On 18 Mar, 2012, at 2:32 PM, Xinchen Hui <larue...@gmail.com> wrote:
>
>>> What if php uses salts for specific hashes only, such as GPC (or all
>>> hashes whose lifetime is limited to the current request), and use a
>>> zero-value salt for all others?
>> definitely no, thinking of pre-calculated hash.
>
> Pre-calculated hash of what? You mean binary serialisation?
>
>> Or Ajax which use
>> json_decode parse input json.
>
> That would be considered a request lifetime hash and therefore could be
> salted.
>
>>
>> IMO, this makes no sense but messes things up.
>
> We all have opinions. If a clear distinction between vulnerable and non
> vulnerable data can be reliably made, in my limited knowledge of the whole
> ecosystem I genuinely think this has a shot :)
>

Ha, sorry for my rude words, I am not meaning you, but the point self ;)

And it's also why I am not usually saying words at internal@, my poor English :)

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php