jemz — 2013-02-26T13:53:46-05:00 — #1
Hi, I need some help with my registration. I don't know how to put security on the password or username. How can I store the password in the database so that it is encoded and cannot be read by a human, or something like what they call a hash? Can you help me please with how to do this hashing of my password? Or, aside from hashing, what other security should I do?
Thank you in advance.
cpradio — 2013-02-26T14:16:14-05:00 — #2
You can start with http://phpmaster.com/password-hashing-in-php/
Then I'd recommend searching these forums, as there has been a LOT of discussion on this, from using md5 with a random salt, sha, and much more.
kylewolfe — 2013-02-26T14:30:24-05:00 — #3
Quick rundown for your googling:
Use proper PDO sanitize technique to avoid sql injection
Always use password salting on top of your encryption (such as md5)
Always try to use a dynamic salt, not a static one that is shared across all accounts
jemz — 2013-02-27T09:57:24-05:00 — #4
Thank you for this, I will try to google this.
jemz — 2013-02-27T09:58:31-05:00 — #5
Hi cpradio, thank you for this, but can I ask which is better to use, md5 or the sha family?
cpradio — 2013-02-27T10:56:44-05:00 — #6
With a random salt, it doesn't really matter.
However, the sha variants have not been scrutinized as much as md5 to my knowledge.
jemz — 2013-03-14T18:50:13-04:00 — #7
Hi cpradio, I am having a problem with this. After I successfully registered, I have no idea how I can verify the password when I am going to log in. Can you help me please?
$salt1 = 'REPLACE_WITH_YOUR_STATIC_SALT'; // placeholder: the real value was removed from this post
$salt2 = 'REPLACE_WITH_YOUR_SECOND_SALT'; // placeholder
$username = $_GET['user'];
$password = $_GET['pass'];
$firstname = $_GET['fname'];
$lastname = $_GET['lname'];
// store the salted hash, never the plain password
$hashed = hash('sha256', $salt1.$password.$salt2);
$sql = "INSERT INTO reg (username,password,firstname,lastname) VALUES (?,?,?,?)";
$cmd = $db->prepare($sql);
$cmd->execute(array($username, $hashed, $firstname, $lastname));
$db = null;
cpradio — 2013-03-14T18:58:33-04:00 — #8
You would perform the hash('sha256',$salt1.$password.$salt2) process again on the password entered by the user, then provide that in your WHERE clause:
$username = $_POST['username'];
$password = $_POST['password'];
$hashed = hash('sha256', $salt1.$password.$salt2); // same salts as at registration
$sql = "SELECT * FROM reg WHERE username = ? AND password = ?";
$cmd = $db->prepare($sql);
$cmd->execute(array($username, $hashed));
// verify one row is returned to report success!
$loggedIn = ($cmd->fetch() !== false);
$db = null;
Also, since you had the $salt1 and $salt2 defined, you may want to change those (which will break your currently registered users).
jemz — 2013-03-14T20:19:16-04:00 — #9
Hi cpradio, it's working, thank you so much. :)
Also, since you had the $salt1 and $salt2 defined, you may want to change those (which will break your currently registered users)
You mean not to use a static $salt?
cpradio — 2013-03-15T07:16:04-04:00 — #10
No, I mean, your original post contained the salts you were using thus making your hash useless (if a search engine picked it up). So I strongly recommend changing it.
Although, I also recommend using a more dynamic salt, something like so would be simple, if you opt to use any of the other fields I listed, that will make the login a bit more complex :):
$salt1 = "this is a static salt of my own";
$salt2 = strtolower($username);
This way each user's hash will be different because of the second salt. If you have other static pieces of information stored in your reg table, you may want to consider using those too (date of birth, email address, date registered). Just keep in mind, if the user wishes to change any of those fields used in your salt, then you will need to force them to re-enter their password (so you can generate the new salt) or to reset their password.
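The registration and login flow that posts #8 and #10 describe, put together as an added example (this is not code from the thread): PDO prepared statements against the reg table, a static salt plus a per-user salt derived from the username, and the same hash recomputed at login so the WHERE clause can compare it. The connection string, the static salt value and the function names are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes a table `reg` with columns
// username, password (CHAR(64) holds a sha256 hex digest), firstname, lastname.
// Connection details are placeholders.
$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Static salt: placeholder value. Keep the real one out of public posts and repos;
// if it leaks, change it and have users re-enter their passwords (post #10).
const SALT1 = 'REPLACE_WITH_A_LONG_SECRET_STATIC_SALT';

// Per-user part of the salt, derived from the username as post #10 suggests.
// Lower-casing keeps "Jemz" and "jemz" on the same hash.
function makeHash(string $username, string $password): string
{
    $salt2 = strtolower($username);
    return hash('sha256', SALT1 . $password . $salt2);
}

function register(PDO $db, string $username, string $password, string $first, string $last): void
{
    // Placeholders, never string concatenation, so user input cannot alter the SQL.
    $sql = 'INSERT INTO reg (username, password, firstname, lastname) VALUES (?, ?, ?, ?)';
    $cmd = $db->prepare($sql);
    $cmd->execute([$username, makeHash($username, $password), $first, $last]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Recompute the hash exactly as at registration; the database does the comparison.
    $sql = 'SELECT COUNT(*) FROM reg WHERE username = ? AND password = ?';
    $cmd = $db->prepare($sql);
    $cmd->execute([$username, makeHash($username, $password)]);
    return (int) $cmd->fetchColumn() === 1;
}

// Usage: read the form fields from POST rather than GET so the password
// never ends up in a URL, browser history or web server access log.
// register($db, $_POST['user'], $_POST['pass'], $_POST['fname'], $_POST['lname']);
// if (login($db, $_POST['user'], $_POST['pass'])) { /* start the session */ }
```

Because the username is part of the salt, renaming an account changes its hash; the caveat in post #10 applies, so a username change has to go through a password re-entry or reset.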
jemz — 2013-03-15T10:21:08-04:00 — #11
Thank you cpradio for pointing me in the right way.
jemz — 2013-03-15T10:21:42-04:00 — #12
Is it okay to generate uniqid as my salt?
cpradio — 2013-03-15T10:22:32-04:00 — #13
Only if you store it somewhere (in the reg table as a column for each user, for example), as you need to be able to reproduce the salt later for login.
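The store-the-salt-per-user approach from post #13, as an added example that is not part of the thread: a random salt is written to its own column at registration, and at login it is read back before the hash is recomputed, since it cannot be derived from the username. It also shows, as a generalization beyond the thread, PHP's built-in password_hash()/password_verify() (PHP 5.5+), which store the salt inside the hash string and do the same job. The column names and function names are assumptions; random_bytes() and hash_equals() need PHP 7.0+ and 5.6+ respectively.

```php
<?php
// Added example, not from the thread. Assumes `reg` has a `salt` column
// (CHAR(32)) next to `password` (CHAR(64) for a sha256 hex digest).
// $db is a PDO connection created elsewhere.

function newSalt(): string
{
    // random_bytes() gives an unpredictable salt. uniqid() from the question
    // is derived from the clock, so it is guessable; prefer this.
    return bin2hex(random_bytes(16));
}

function saltedHash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

function register(PDO $db, string $username, string $password): void
{
    $salt = newSalt();
    $cmd = $db->prepare('INSERT INTO reg (username, salt, password) VALUES (?, ?, ?)');
    $cmd->execute([$username, $salt, saltedHash($salt, $password)]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Fetch the stored salt first: with a random per-user salt the WHERE-clause
    // comparison from post #8 no longer works, because the hash cannot be
    // computed until the salt is known.
    $cmd = $db->prepare('SELECT salt, password FROM reg WHERE username = ?');
    $cmd->execute([$username]);
    $row = $cmd->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user; same outcome as a wrong password
    }
    // hash_equals() compares in constant time.
    return hash_equals($row['password'], saltedHash($row['salt'], $password));
}

// The built-in equivalent: password_hash() generates the random salt itself and
// embeds it in the returned string (60+ chars, so use VARCHAR(255)), and
// password_verify() reads it back. No separate salt column is needed.
function registerBuiltin(PDO $db, string $username, string $password): void
{
    $cmd = $db->prepare('INSERT INTO reg (username, password) VALUES (?, ?)');
    $cmd->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function loginBuiltin(PDO $db, string $username, string $password): bool
{
    $cmd = $db->prepare('SELECT password FROM reg WHERE username = ?');
    $cmd->execute([$username]);
    $stored = $cmd->fetchColumn();
    return $stored !== false && password_verify($password, $stored);
}
```

The built-in functions also use a deliberately slow algorithm (bcrypt by default), which a single sha256 round does not give you; that is the main reason to prefer them when the PHP version allows.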
jemz — 2013-03-15T11:19:23-04:00 — #14