I've been using the portable PHP password hashing framework to hash passwords these days. I was wondering if it is safe to directly pass $_POST['password'] into the CheckPassword method?
<?php
require 'PasswordHash.php';
// get hashed password from database
$hashedPassword = '...'; // placeholder: the stored phpass hash for this user, loaded from the database
$pwHash = new PasswordHash(8, FALSE);
$isMatch = $pwHash->CheckPassword($_POST['password'], $hashedPassword);
I'm a little confused as to what this "framework" is doing then. There could only possibly be a few lines of code behind that function to encrypt / salt the provided pass. Actually, if you're pulling the hashed pwd yourself, then it could only be a static salt, which is garbage anyway.
Short answer, yes, it should be fine to pass POST directly to that script. I'd have a look around at some threads / pages on this topic though. Since you're concerned with security, you'll gain experience + more security from writing something yourself after learning a bit more on the topic. There's not too much to it.
Eh, thanks but no thanks. Unless it's retrieving my salt, hash, user input, checking user input, and then on success re-salting and re-hashing, I'm not interested. Even if it did all of that, we are only talking about 10-15 lines of code that I would much rather write myself.
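A fuller version of the flow the question asks about, and of the retrieve / check / re-salt-and-re-hash-on-success sequence the last reply describes, as an added example that is not code from the original thread or from phpass itself. It assumes PasswordHash.php (the phpass file the question already requires) sits beside the script; the SQLite in-memory table, the sample user and the credentials are constructed here for illustration. phpass's HashPassword draws a fresh random salt on every call and embeds it in the returned string, and CheckPassword reads that salt back out of the stored hash, which is why only one column needs storing.

```php
<?php
// Added example, not code from the original thread or from phpass.
// Assumes PasswordHash.php (phpass) is in the same directory.
require 'PasswordHash.php';

// 2^8 iterations; false = prefer bcrypt over phpass's portable MD5-based hashes.
$hasher = new PasswordHash(8, false);

// Constructed in-memory store standing in for the real users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Hash once at registration and store only the resulting string.
function registerUser(PDO $db, PasswordHash $hasher, string $username, string $password): bool
{
    $hash = $hasher->HashPassword($password);
    if (strlen($hash) < 20) {
        // phpass returns a short marker string when it could not produce a hash.
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    return $stmt->execute([$username, $hash]);
}

// Verify a login attempt straight from request input.
function loginUser(PDO $db, PasswordHash $hasher, $username, $password): bool
{
    // $_POST entries can be absent or arrays (password[]=x); only a non-empty string is a password.
    if (!is_string($username) || !is_string($password) || $password === '') {
        return false;
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        // Unknown user: still run one check so the response time resembles a real user's.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = $hasher->HashPassword('placeholder-not-a-real-password');
        }
        $hasher->CheckPassword($password, $dummyHash);
        return false;
    }

    if (!$hasher->CheckPassword($password, $stored)) {
        return false;
    }

    // Success: re-hash with a fresh salt and replace the stored value.
    $fresh = $hasher->HashPassword($password);
    if (strlen($fresh) >= 20) {
        $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?')
           ->execute([$fresh, $username]);
    }
    return true;
}

// Constructed sample run.
registerUser($db, $hasher, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, $hasher, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, $hasher, 'alice', 'wrong password'));
var_dump(loginUser($db, $hasher, 'alice', ['not', 'a', 'string']));

// In a real request handler the same function takes the raw POST fields:
// $ok = loginUser($db, $hasher, $_POST['username'] ?? null, $_POST['password'] ?? null);
```

The submitted password is only ever fed to the hash function, never interpreted, so there is nothing to "escape" before handing it to CheckPassword; the one check worth adding in front of it is the is_string guard, because a request can deliver that field as an array or omit it entirely.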