And this is why nobody encrypts passwords correctly.


  • Garbage Person

    The "average" "developer" is an idiot PHP developer. 

    http://php.net/manual/en/function.crypt.php

     

    I generally know what the hell I'm doing most of the time, and even I'm having trouble deciphering that asstastic API. The salt contains parameters? That's fucking stupid.

    And then there's the issue of the output. For all the actual strong algorithms, notice that the output includes all or most of the salt, including said parameters. This leads me to believe the implementations are outright INCORRECT.

     

    TRWTF is that I'd rather write PHP than starve.
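The two things this post objects to, parameters packed into the "salt" argument and the salt reappearing in the output, are what make a crypt() string verifiable later. The sketch below is an added example, not code from the thread; the function names are hypothetical and it assumes PHP 7.0+ with bcrypt (`$2y$`) support.

```php
<?php
// Added example, not code from the thread. Needs PHP 7.0+ (random_bytes).

// Split a bcrypt crypt() string: "$2y$" + 2-digit cost + "$" + 22 salt chars + 31 digest chars.
function parse_bcrypt(string $hash): array
{
    $re = '~^\$(2[abxy])\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt crypt() string');
    }
    return ['scheme' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

function hash_password(string $password, int $cost = 10): string
{
    // 16 random bytes, base64-encoded and mapped onto bcrypt's ./0-9A-Za-z alphabet.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);

    // crypt()'s second argument is a setting string: scheme, cost, then the salt.
    $setting = '$2y$' . str_pad((string) $cost, 2, '0', STR_PAD_LEFT) . '$' . $salt;

    $hash = crypt($password, $setting);
    if (strlen($hash) !== 60) {
        // crypt() signals a rejected setting string with a short failure token.
        throw new RuntimeException('crypt() rejected the setting string');
    }
    return $hash;
}

function verify_password(string $candidate, string $stored): bool
{
    // Feeding the stored string back in as the "salt" makes crypt() reuse the
    // same scheme, cost and salt; only the trailing digest depends on the password.
    // hash_equals() compares in constant time.
    return hash_equals($stored, crypt($candidate, $stored));
}

$stored = hash_password('pineapple90210');   // sample password quoted later in the thread
$fields = parse_bcrypt($stored);

printf("stored: %s\n", $stored);
printf("scheme=%s cost=%d salt=%s\n", $fields['scheme'], $fields['cost'], $fields['salt']);

var_dump(verify_password('pineapple90210', $stored));  // correct password
var_dump(verify_password('pineapple90211', $stored));  // wrong password
var_dump(password_verify('pineapple90210', $stored));  // password_verify() reads the same format
```

The salt and cost are not secrets: without them in the stored string the verifier could not recompute the digest, and the per-user salt still prevents one precomputed table from covering every account.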



  • TRWTF is that you think that this is PHP's fault. And that you think that revealing the salt makes the hash any less secure. And that you think that this is "encryption". And that you think that any of this is a problem.



  • @Boss said:

    Why are you trying to "crypt" passwords. You just have to
    store them in plain text

    The crypt() function is useless.
    use hash or hash_hmac with sha512 or whirlpool and your database will
    fill up quickly

     

     



  • $yes$there$is$nothing$wrong$with$this$perfectly$fine$api$hunter2$



  • Wait, the crypt function used (and parameters to the crypt function) depends on the salt parameter?

    That sounds stupid, even to me.



  •  You people depress me.  This is standard glibc.  It may be asstastic, but it's hardly a PHP problem.



  •  Oh, and I thought the title was referring to idiots using MD5 or SHA.  LOL.



  • Which is why no one (except those who don't know any better) uses it. The "average" PHP developer will just use md5() (and possibly without salt). Only those coming from another language will expect crypt (and other things) to do things like their other language (and then complain it's PHP's fault, when any two major languages don't always agree on everything, yet they wouldn't blame it on those languages in those cases).

    The correct way to do it in PHP, as someone else has already stated, is to use hash(), specifying the algorithm as the first argument and manually adding the salt to the second (the data to be hashed).



  • @Zimzat said:

    The correct way to do it in PHP, as someone else has already stated, is to use hash(), specifying the algorithm as the first argument and manually adding the salt to the second (the data to be hashed).

    Or, if you actually give a shit and want to use a password hashing algo that isn't trivial to crack, use bcrypt.



  • @morbiuswilters said:

    @Zimzat said:

    The correct way to do it in PHP, as someone else has already stated, is to use hash(), specifying the algorithm as the first argument and manually adding the salt to the second (the data to be hashed).

    Or, if you actually give a shit and want to use a password hashing algo that isn't trivial to crack, use bcrypt.

     

    Define "trivial to crack" and explain how? This is the first I've heard of sha512 w/salt as being insufficient for storing password hashes. I'm interested in knowing how long it would take to "crack" a reasonably strong password, and if that would expose the actual password or just allow hash collisions.



  • I'll pop the popcorn....  Eagerly awaiting morbiuswilters' reply.


  • Garbage Person

     Oddly enough, this is exactly why I was trying to use crypt - it seems to be the only place in the entire API that supports blowfish in any capacity.



  • @Zimzat said:

    @morbiuswilters said:

    @Zimzat said:

    The correct way to do it in PHP, as someone else has already stated, is to use hash(), specifying the algorithm as the first argument and manually adding the salt to the second (the data to be hashed).

    Or, if you actually give a shit and want to use a password hashing algo that isn't trivial to crack, use bcrypt.

     

    Define "trivial to crack" and explain how? This is the first I've heard of sha512 w/salt as being insufficient for storing password hashes. I'm interested in knowing how long it would take to "crack" a reasonably strong password, and if that would expose the actual password or just allow hash collisions.

    Who the fuck cares about hash collisions?  And strong passwords are not your concern--weak passwords are.  The entire point of hashing is to make it hard to figure out the passwords should the password database be compromised.  MD5 and SHA are not CPU-intensive enough to make brute force attacks infeasible against weak passwords.  There was another thread recently where we already covered this.  You can look for it yourself, I'm too lazy to bother finding it and linking it.  But since we already covered this recently, I'm sorry, but I won't be able to flame you properly.  Just read that other thread and pretend all the flames were directed against you.  Or wait 3 months and bring up this stupid fucking topic again, once I've regenerated some of my power.



  • @Weng said:

    Oddly enough, this is exactly why I was trying to use crypt - it seems to be the only place in the entire API that supports blowfish in any capacity.

    mcrypt.  It's an extension, but it's a necessary one.



  • All you had to do was link some research papers, statistics, etc. I'd believe those just fine. I asked purely for knowledge and usage reasons, not to troll or bait. I only care about what's usable.

     I don't pay attention to the rest of these forums; only the sidebar. If there was more flaming elsewhere then I missed it.



  • @Zimzat said:

    All you had to do was link some research papers, statistics, etc. I'd believe those just fine. I asked purely for knowledge and usage reasons, not to troll or bait. I only care about what's usable.

     I don't pay attention to the rest of these forums; only the sidebar. If there was more flaming elsewhere then I missed it.

    There was a sidebar post just a few days ago about a password field being too short that devolved into a discussion of ... this. Not your fault, just explaining why people have the "oh shit, not again" attitude.



  • @Zimzat said:

    All you had to do was link some research papers, statistics, etc. I'd believe those just fine. I asked purely for knowledge and usage reasons, not to troll or bait. I only care about what's usable.

    I don't pay attention to the rest of these forums; only the sidebar. If there was more flaming elsewhere then I missed it.

    Fair enough.  Here's the bcrypt paper.  There are a few open source projects that brute force MD5 hashes using a video card GPU.  They can hit upwards of 500 million hashes checked per second.  Of course, this could be distributed to a botnet, further scaling the hashes checked.  The point is, the reason password databases are hashed is to prevent someone from swiping the database and then using the passwords to login to other services.  That's it.  Salting makes pre-computed attacks (rainbow tables) impossible, but MD5 (and to a slightly lesser extent, SHA) are fast algorithms.  This is bad, because when you can check a billion hashes per second you can afford to do brute forcing.

     

    Of course, you're not going to crack the 20 character password with letters, numbers and special characters that was generated from a RNG, but that's not really the point.  Someone who has a strong password is probably going to be smart enough to not use the same password for multiple services; they're the strongest link.  You are concerned about the weaker links: the people who use a password like "pineapple90210", which most people would say is a reasonably strong password but which can be brute-forced in no time if it is hashed with MD5/SHA.  Since the entire point of hashing the passwords is to prevent a compromise of the password database from exposing users to attacks on other services where they use the same password, your best bet is to use the best hashing you reasonably can.  That's something like key-stretched MD5/SHA or bcrypt, but since bcrypt is very strong and easily available, you might as well just use it.
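The cost gap between a fast hash and bcrypt described above can be measured directly, which is also how a bcrypt cost factor is chosen for a given server. This is an added example, not code from the thread; the function names, the 50 ms budget and the cost range 8 to 16 are assumptions, and it needs PHP 7.0+.

```php
<?php
// Added example, not code from the thread. Needs PHP 7.0+ (random_bytes).
// All timings are measured on the machine that runs it.

// Average wall-clock seconds per call of $fn over $runs calls.
function seconds_per_call(callable $fn, int $runs): float
{
    $start = microtime(true);
    for ($i = 0; $i < $runs; $i++) {
        $fn();
    }
    return (microtime(true) - $start) / $runs;
}

// Lowest bcrypt cost in [$min, $max] whose single hash takes >= $target seconds.
function calibrate_bcrypt_cost(float $target, int $min = 8, int $max = 16): int
{
    for ($cost = $min; $cost < $max; $cost++) {
        $perHash = seconds_per_call(function () use ($cost) {
            password_hash('calibration-input', PASSWORD_BCRYPT, ['cost' => $cost]);
        }, 3);
        if ($perHash >= $target) {
            return $cost;
        }
    }
    return $max;
}

// Salted single-pass SHA-512, the scheme defended earlier in the thread.
$salt = bin2hex(random_bytes(16));
$sha  = seconds_per_call(function () use ($salt) {
    hash('sha512', $salt . 'calibration-input');
}, 200000);

// 50 ms per login is an assumed budget; pick one that fits your own traffic.
$cost   = calibrate_bcrypt_cost(0.05);
$bcrypt = seconds_per_call(function () use ($cost) {
    password_hash('calibration-input', PASSWORD_BCRYPT, ['cost' => $cost]);
}, 3);

printf("salted sha512 : %.0f hashes/s on one core\n", 1 / $sha);
printf("bcrypt cost %d: %.1f hashes/s on one core\n", $cost, 1 / $bcrypt);
printf("work per guess multiplied by about %.0f\n", $bcrypt / $sha);

// Stored hashes carry their own cost, so old ones can be upgraded at next login.
$old = password_hash('calibration-input', PASSWORD_BCRYPT, ['cost' => 4]);
if (password_needs_rehash($old, PASSWORD_BCRYPT, ['cost' => $cost])) {
    $old = password_hash('calibration-input', PASSWORD_BCRYPT, ['cost' => $cost]);
}
echo $old, "\n";
```

The same multiplier applies to every guess made against a stolen database, which is the property a salt alone does not provide.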



  • What surprises me is that so few programmers seem to be aware of the weakness of using MD5/SHA for password hashing.  Like everything in life that displeases me, the blame lies with someone else.  In this case, it's one of the most arch- of all of my arch-nemesises: Big Crypto.

     

    Oh, Big Crypto has got it all under control, believe me.  They have a vested interest in keeping programmers away from superior, Open Source technologies.  You see, every single time you call md5() in a piece of code, some shyster businessman in New York City gets a nickel.  Big Crypto has used its extensive war chest of ill-gotten wealth to suppress the truth.  They've paid off language developers to keep bcrypt out of standard libraries.

     

    They use their considerable influence over the Lame Stream Media to peddle scare stories to parents about the dangers of bcrypt.  Then they jam the knife in further during the commercial breaks where their jingoistic propaganda masquerading as advertising shows Uncle Sam using MD5 and a brown-skinned person using bcrypt, the implication being that bcrypt is "dark" and "impure" and a threat to the White Man's dominance.

     

    Big Crypto runs the biggest lobbying outfit in all of that miserable swamp known as D.C.  Politicians from both parties accept "campaign contributions" (bribes) in exchange for leveraging the law to keep bcrypt out and maintain MD5's monopoly.  The military-industrial-cryptography complex rears its ugly head in the form of MD5 executives sitting on intelligence committees, and the CIA conducting surveillance, enhanced interrogations and assassinations against bcrypt supporters.  In fact, my life is probably in grave danger for merely bringing this to light.  If I disappear, you must keep the fire of revolution burning.  Do not forget what you saw here, brothers!  Do not go quietly into that night!



  • Isn't that illegal to criticize your government? Or just forbidden by company policy?

    Anyway you'll probably end up in jail for that! You anticapitalist fool!



  • @morbiuswilters said:

     You people depress me.  This is standard glibc.  It may be asstastic, but it's hardly a PHP problem.

     

    glibc = http://linux.die.net/man/3/crypt

     LINUX!!!!

     ARRGGGGGHHH HERESY!! BURN THE WITCH!


  • Garbage Person

     *sigh* Sometimes I wonder why the hell I try to make PHP that doesn't suck.

     

    Finished this thing and went to stick it on the customer's webhost.

     

    PHP defaults to 4.someshit (adjustable to 5.2), MySQL defaults to version 4.somejunk, adjustable to 5. No mysqli, no mcrypt and a host support team who wants to know why the hell I'm so concerned about "security" because they've "never been hacked"

    What year is it again, guys? Can I really not just fucking take it for granted that any random LAMP server is going to meet a given minimum capability level? Writing software for this stack seriously depresses me and I hate it.



  • Now I just figured why my company hosts our client's websites on our servers.

    But that doesn't prevent customer stupidity



  • glibc has a potential excuse - C doesn't support such nice things as optional/variable parameters, and they were hacking this functionality into an existing API that they couldn't really go about changing. PHP's problem is that things are generally just direct mappings to the original API, rather than using the language's features to handle such insanity internally.

    I can see wanting to keep compatibility with code ported from C, but that doesn't mean you can't add a crypt_sane() or something that handles the API better.



  •  What's this $1$dollars$ASDFJK$ shit?



  • @Weng said:

    PHP defaults to 4.someshit (adjustable to 5.2)

    No it doesn't. What are you talking about? If you're going anywhere near PHP4 the Real WTF is your so-called brain.

    @Weng said:

    Can I really not just fucking take it for granted that any random LAMP server is going to meet a given minimum capability level?

    The other Real WTF is that you claim to be a developer yet don't have a clue how to install a simple LAMP server yourself.

    The final Real WTF is that whilst you clearly struggle with the basics of programming, you don't realise that the Real WTF is you. You might want to look into a career change.



  • @bertram said:

    If you're going anywhere near PHP4 the Real WTF is your so-called brain. The other Real WTF is that you claim to be a developer yet don't have a clue how to install a simple LAMP server yourself.

    The final Real WTF is that whilst you clearly struggle with the basics of programming, you don't realise that the Real WTF is you. You might want to look into a career change.

    Your post count is 1. I don't think you have this kind of flaming clout just yet.



  • @lolwtf said:

    glibc has a potential excuse - C doesn't support
    such nice things as optional/variable parameters

    Yep, that's why C had to import printf and scanf from C++.

    I'm sure glad Stroustrup did his thing when he did - I was just starting to learn C, then, so I didn't have to suffer for long.



  • @dhromed said:

    @bertram said:

    If you're going anywhere near PHP4 the Real WTF is your so-called brain. The other Real WTF is that you claim to be a developer yet don't have a clue how to install a simple LAMP server yourself.

    The final Real WTF is that whilst you clearly struggle with the basics of programming, you don't realise that the Real WTF is you. You might want to look into a career change.

    Your post count is 1. I don't think you have this kind of flaming clout just yet.

    Plus he obviously meant that the WEB HOST offers 4.0 by default and makes you jump through hoops to get version 5. So your flaming is based on poor comprehension skills in the first place.

    BTW, there are a kajillion reasons not to install the server yourself, ranging from "I live in Iowa and there aren't any fat pipes" to "I'm working on behalf of a client and aren't responsible for their servers, just their website" to "specifically to piss-off bertram."



  • @morbiuswilters said:

    Who the fuck cares about hash
    collisions?

    Thank you for understanding that. I was really touched to hear about it. You don't know how much it means to me that a complete stranger I've never even heard of before recognizes that I care so very deeply about hash collisions. Of course, we don't see completely eye to eye - I really like SHA512 hashes (with salts, of course).



  • @morbiuswilters said:

    Big Crypto runs the biggest lobbying outfit in all of that miserable swamp known as Fort Meade.

     FTFY, oh, and yes, they both suck and blow



  • @morbiuswilters said:

    MD5 and SHA are not CPU-intensive enough to make brute force attacks infeasible against weak passwords
    Any decent hashing algo can be made "CPU intensive enough" (http://en.wikipedia.org/wiki/Key_strengthening).



  • @lolwtf said:

    C doesn't support such nice things as optional/variable parameters
     

    C supports variadic arguments.  Stop mouthing off when you don't have a clue what you are talking about.

     

    @lolwtf said:

    I can see wanting to keep compatibility with code ported from C, but that doesn't mean you can't add a crypt_sane() or something that handles the API better.

    There is.  It's called mcrypt.



  • @merreborn said:

    @morbiuswilters said:
    MD5 and SHA are not CPU-intensive enough to make brute force attacks infeasible against weak passwords
    Any decent hashing algo can be made "CPU intensive enough".

    Yes, which I've mentioned numerous times.  But 1) none of these half-assed, homegrown MD5 solutions people are talking about here use key stretching;  2) people should not be writing their own crypto routines, they should be using a tested, well-written library.  bcrypt is available in more languages than FreeBSD's MD5 key stretching, so it's my first suggestion.



  • @Who_the_Fuck said:

    Of course, we don't see completely eye to eye - I really like SHA512 hashes (with salts, of course).

    So.. you're an idiot.  Since you clearly don't know much about writing secure software, and because you foolishly ignore the advice of your betters, would you do us all a favor and post the names of any products or companies you've worked on or for so that we may avoid them?  Hell, they might be WTFy enough to earn you a couple of front-page posts around here.



  • Morbs, maybe try specifically explaining to them the difference between encryption and hashing.  I think that's what they're failing to understand... 

    I'd do it, except it would be much less funny.



  • @Xyro said:

    Morbs, maybe try specifically explaining to them the difference between encryption and hashing.  I think that's what they're failing to understand...
     

    You also should probably use small words, though I suppose that would also probably render the explanation less funny, never mind.



  • @morbiuswilters said:

    @Who_the_Fuck said:
    Of course, we
    don't see completely eye to eye - I really like SHA512 hashes (with
    salts, of course).

    So.. you're an idiot. Since you clearly don't know much about writing
    secure software, and because you foolishly ignore the advice of your
    betters, would you do us all a favor and post the names of any products
    or companies you've worked on or for so that we may avoid them? Hell,
    they might be WTFy enough to earn you a couple of front-page posts
    around here.

    I see you clearly do *not* care about hash collisions. Bcrypt only outputs a 448 bit hash. Assuming that SHA512 is actually a good crypto algorithm other than the computational quickness you dislike so much, its 512 bit hash size should be less likely to have hash collisions. And, since one can't predetermine whether one's password has a less-secure hash collision, one basically needs to run a password crack on the hash of one's own password to secure against that. After all, one gets no benefit from having a password such as "Nobuddiez_GGunnaF1gge#zD*sa0O0t!" if it has a trivial collision such as 'hacked'.

    Well, I started my career at Initrode, but moved to Initech after a few years. Not being able to stand that sort of environment any longer, I tried a stint in academia - unfortunately at West Thomson-Friedman University. After that, I tried some startups and some small, family businesses. Despite many rumors to the contrary, I've never worked for Oracle.

    As far as providing fodder for this site - I've been browsing around on this site all day today, and, freakishly enough, many of the companies I've worked for are already documented here. I haven't seen any stories that documented a department I was working in at the time, and I haven't seen any that discussed my work product after I left. But still... I'm getting a bit creeped out by it all.


  • Garbage Person

    @bertram said:

    yet don't have a clue how to install a simple LAMP server yourself
    How cute. I have half a dozen of the things - and I'm sure as shit not going to sell space on them to a worthless contract client whose sole purpose is to keep me in food, internet and electricity.

     

    If anything, the only malfunctions on my part are that I hate writing PHP with every fiber of my being and yet allow myself to keep doing it, and that despite getting burned EVERY. SINGLE. TIME. I try to deploy something to a third party webhost, I always start off with the thought "Oh, that's only been standard practice and in the base install for a decade now. It's totally supported." and don't bother checking to see if they actually bother to provide minimum functionality

     For everyone else's amusement, here's the latest in my conversation with their support techs:

    Switching to mysqli library would effect all mysql users making it not possible..
    Yay for fundamental misunderstanding of the word 'add' (and the rules of grammar and punctuation, for that matter)! Unless the effect in question is "oh god they'll have access to an extra library! nooooooo!".



  • There is absolutely nothing in your manner or your approach that displays any kind of professionalism whatsoever.



  • @dhromed said:

    Your post count is 1. I don't think you have this kind of flaming clout just yet.

    Your post count is 4,532. I don't think you have much going on in your life just yet.


  • Garbage Person

    @bertram said:

    There is absolutely nothing in your manner or your approach that displays any kind of professionalism whatsoever.
    Perhaps because I'm bitching about how much I hate:

    1) An entire goddamn software stack
    2) $10/year webhosts

    ON THE INTERNET.

    And it's fucking 105 goddamn cuntpunching degrees in my office and I hate you for it.

     

    I'm not here to give you a complete play-by-play of my processes. I'm not here to braindump. I'm not here to network. I'm here primarily to bitch and a little bit to learn - which I've accomplished. I now know why crypt() is so braindead - because some retard thought there was a business case for porting C software to PHP, and I discovered mcrypt - which I now need to go back and rewrite out of the goddamn program along with goddamn mysqli at the expense of spending time on things I actually enjoy doing (Let's see. Before this clusterfuck, I was going to spend today following up on some resumes, pull the dents out of my racecar, wash my race gear, and later tonight work on a personal software project. None of that is going to happen, though)



  • @Who_the_Fuck said:

    I see you clearly do *not* care about hash collisions. Bcrypt only outputs a 448 bit hash. Assuming that SHA512 is actually a good crypto algorithm other than the computational quickness you dislike so much, its 512 bit hash size should be less likely to have hash collisions. And, since one can't predetermine whether one's password has a less-secure hash collision, one basically needs to run a password crack on the hash of one's own password to secure against that. After all, one gets no benefit from having a password such as "Nobuddiez_GGunnaF1gge#zD*sa0O0t!" if it has a trivial collision such as 'hacked'.

    Having a hash collision in the 160-byte-or-so password space is damn near impossible.  It's certainly not the kind of concern anyone has, even with something like 128-bit MD5.  Hash collisions are a concern when building a message digest of some arbitrary-length data, such as a several MB file.  Considering how much effort it takes to generate a collision with lowly MD5, even when you can pad the plaintext with as many arbitrary bytes as you want, it's not a serious attack vector against hashed passwords.



  • @bertram said:

    There is absolutely nothing in your manner or your approach that displays any kind of professionalism whatsoever.

    Thank God somebody finally said it.  Weng's blatant unprofessionalism on TDWTF Forums has been a thorn in my side for some time.  Thank you.



  • @Weng said:

    And it's fucking 105 goddamn cuntpunching degrees in my office and I hate you for it.

    What's that in real degrees (Fahrenheit)?  Or Pretend-igrade degrees (for our Eurotrash friends)?

     

    @Weng said:

    I'm not here to give you a complete play-by-play of my processes. I'm not here to braindump. I'm not here to network. I'm here primarily to bitch and a little bit to learn - which I've accomplished. I now know why crypt() is so braindead - because some retard thought there was a business case for porting C software to PHP, and I discovered mcrypt - which I now need to go back and rewrite out of the goddamn program along with goddamn mysqli at the expense of spending time on things I actually enjoy doing (Let's see. Before this clusterfuck, I was going to spend today following up on some resumes, pull the dents out of my racecar, wash my race gear, and later tonight work on a personal software project. None of that is going to happen, though)

    Is it not possible to compile mcrypt and mysqli as .so extensions, add them to your code directory and then load them in your php.ini?  You can even load them in your code directly by calling dl().



  • Yay another thread about the least important part of securing your website.

    I don't understand the obsession people have with this. There are a thousand things more important for security than hashing your passwords, yet it's the only thing this forum is capable of discussing apparently, at least on a regular basis that is.
    I'm just going to blame over awareness. People have been hammering on its importance too long and now it's the first thing anyone thinks about when thinking of security. A bit similar to SQL injection, which thankfully has died away a bit.

     

    On the note of servers. Unless it's a big site and you actually want a network partner with a fat SLA, you get a ~10 dollar VPS, install a default LAMP, tweak it, run an automated update each week and bill them for it.
    Cheap shared hosting solutions are for consumers and graphic designer/ad agencies that want to install wordpress.



  • In the time wasted discussing cryptography we could have hunted down all of the criminals attempting to hack our passwords and sent them to Utah with a blindfold, match, and single cigarette.



  • @stratos said:

    I don't understand the obsession people have with this. There are a thousand things more important for security than hashing your passwords, yet it's the only thing this forum is capable of discussing apparently, at least on a regular basis that is.
    I'm just going to blame over awareness. People have been hammering on its importance too long and now it's the first thing anyone thinks about when thinking of security. A bit similar to SQL injection, which thankfully has died away a bit.

    I blame under awareness.  I agree that it's certainly not the most important part of security, but it's still important.  The problem is that with stuff like SQL injection, XSS, bad Unix perms, bad database passwords, etc.. most people seem to grasp the concepts involved.  Even when they've been doing it the wrong way, they tend to see why dropping variables into inline SQL is dangerous.  At best, they learn something and fix their mistakes.  At worst, they realize how foolish they would sound arguing about it and just keep their mouths shut, while still doing things in an insecure manner.

     

    Cryptography is highly-specialized, though, and somewhat tricky.  Normally, that's abstracted away by using standards, such as SSL.  Everyone on here knows if you want to secure a web page, you use SSL.  If somebody comes up with their own way to "encrypt" web pages, we all point and laugh and realize how stupid they are.  However, how many people on here actually have deep knowledge of SSL?  If SSL didn't exist as a standard and you had to roll your own encryption methods, how many people do you think would be on this forum arguing that single-pass DES is "secure enough"?  However, that kind of decision has been abstracted away from us ignorant programmers by standards.

     

    There is no real standard for hashing passwords.  And even worse, some of the older de facto standards are utter shit (crypt, LanMan).  Because there isn't a dominant technology standard that defines password hashing which can then be implemented in each language as a standard feature, we get a diverse ecosystem of shitty password hashing technologies.  And because people have just enough crypto knowledge to be dangerous, they get into idiotic arguments about hash collisions in a fucking password hashing algorithm.  It's nonsense, but there's no dominant way of doing things that makes it easy to identify the idiots and chastise them.

     

    How often have you seen arguments over the internals of SSL between generalist programmers?  I bet never.  How many times do you see these fucking threads about password hashing, where some bozo starts out with "OMG plaintext passwords iz unsecure I use md5 lol!", followed up by somewhat less of a bozo answering "OMG, u gots to use a salt dont u know n-e-thing???", followed by "u 2 are so dum!  u need to use sha1-plus-salt caz it is so much more securez than md5 which can have hash collisions.  i saw it on slashdot!!11"

     

    My point is: no, it's not the most important part of securing your software, but it's still important.  And the lack of a clear standard for password hashing makes it open season for diverging, idiotic ideas and results in a lack of consensus.  It's kind of the inverse of bikeshedding: most programmers (at least the moderately good ones, such as those who would bother reading TDWTF) know that stuff like SSL and SQL injection are solved problems, so there's no point in arguing.  But cryptography is just esoteric enough that every single programmer feels entitled to an opinion on the subject.  And due to a lack of standards (which results in a dearth of good cross-language password hashing libraries) most programmers (good or bad) have had to roll-their-own password hashing scheme at one point or another, which gives them extra incentive to defend their ignorant opinions to the grave.

     

    That's why I keep telling people: stop worrying about this.  Listen to the experts.  Use a standard, cross-language password hashing library written by crypto experts and guaranteed to be best-of-breed.  Do not roll your own.  I'm hardly an expert, I just happen to believe in listening to them.  And I have an understanding of the rationalizations behind good libraries like bcrypt, which allows me to see the massive flaws in something like MD5 + salt.



  • @Medezark said:

    In the time wasted discussing cryptography we could have hunted down all of the criminals attempting to hack our passwords and sent them to Utah with a blindfold, match, and single cigarette.

    What, and let the Mormons bore them to death with admonitions for smoking the "devil weed"?


  • Garbage Person

    @morbiuswilters said:

    Is it not possible to compile mcrypt and mysqli as .so extensions, add them to your code directory and then load them in your php.ini?  You can even load them in your code directly by calling dl().
    Morbs, if for some unfathomable reason I find myself in the reprehensible position of being in the same place as you, I owe you a beer. Either your googlefu is better than mine or you just know way too much random shit.

    These guys don't have local inis, but they did leave dl enabled. mysqli was still a bit of a crapshoot because it depends on the mysql client lib being in the Windows (!?!? the first notice I got that this was a Windows server was when an error message spat out a location on the D drive) PATH, but it's working.



  • @Weng said:

    Either your googlefu is better than mine or you just know way too much random shit.

    I've done hardcore PHP development for 5 years now.  Sadly, I know way too much about working around the defects of PHP and the environments and configurations it is often run under.

