Date: 02/20/05 (PHP Community)    Keywords: php, database, java, security

In building my nice little blog system, I'm running into the following two problems:

Problem 1:
Currently I cannot run image magick as my wonderous site admin has not installed it.  This is - apparently - preventing me from using Text_CAPTCHA from PEAR.  I need a captcha solution that does not require said image manipulation libraries.  Alternatively, if someone knows of a way I can install image magick into my userspace, and NOT have to convince my admin to recompile php, please let me know.

Problem 2:

Additionally, my authentication for administration interface is currently being done via plaintext passwords.  This is - for obvious reasons - insecure.  I was attempting to find a solution using a client-side javascript that would create an md5 hash of the password and a randomly generated "key", send same to php processing form via post, and then the php form processor would use the same randomly generated "key" (I'm currently using "mt_rand()") and the user's password (retreived from the database), combine/hash and compare.  I ran into problems with transmitting the "key" to client side, and maintaining the SAME key (without sending it back, in the clear) on the server side.
The major problems I'm running into, though is the transmission of the key, no matter how I find a way to do it, it still shows up clearly in going to the client side ($rnd = mt_rand() will still show the number client-side when echo $rnd, and therefore it is being clearly transmitted).  Hmm, perhaps I could hash it server side, and then reverse the hash?  But md5 hashes are one-way, yes?  I'd need a crypt for that, and despite my best tries haven't located a good one. ARRGH.
Security is a bitch when you're not using pre-written. ...ESPECIALLY when you're a beginner.

Source: http://www.livejournal.com/community/php/264266.html