“2. When you login, the password is encrypted with digestive algorithms like md5. Furthermore, to prevent brute force of md5 with precomputed table, the salt/seed is added to the password.”

Client-side hashing (using a JS implementation of MD5)? Quite impressive, and secure too.

“2. We don’t need the password to login, we just take the hash, username, and seed ( that we obtain by some ways ), then we can send it to the server like how legitimate logins are made, the server would acknowledge the login, and we are in.

To fix no. 2, the server should set a timeout for each seed.”

This would break the “Remember Me” functionality, if there is one.

“To fix it, the search page should convert special characters, such as “‘”, “:”, “;”, into escaped form, eg: “\’” ( Examples in this sentense is without the double quotation — ” )”

mysql_real_escape_string() + htmlentities() every single user inputs (If this was PHP + MySQL)

Anyway, I don’t think it’s really a good idea to keylog an IT assistant – I mean, there should at least be some respect for him since he’s a staff of your college. Unless, of course, he’s a jackass who tried to impress you and everyone else about his “secure password” when it is just a factory-default password, which I don’t think so.

And seems like you’re speaking proper English (just a few spelling errors so far) after all. Try removing that “pardon me” line in your CE forum signature.

I’m curious here – You’re quite all-rounded in the programming field (ASP, SQL, C/C++); just how many programming languages have you picked up till now?

– LatecomerX

well maybe i am.

but at least i know how to write basic game programmes like tictactoe and checkers on visual basic.