  1. #1
    ayonkhan (SitePoint Member)

    Is it safe? #phpass

    I've been using the portable PHP password hashing framework to hash passwords these days. I was wondering if it is safe to directly pass $_POST['password'] into the CheckPassword method?
    PHP Code:
    <?php
    require 'PasswordHash.php';

    // get hashed password from database; $row is assumed to be the user's
    // record as returned by your own query
    $hasedPassword = $row['password'];

    // 2^8 iterations; FALSE = do not force portable hashes (use bcrypt when available)
    $pwHash = new PasswordHash(8, FALSE);

    $isMatch = $pwHash->CheckPassword($_POST['password'], $hasedPassword);
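The question above is whether the raw form value can go straight into CheckPassword. The following is an added example, not code from the thread or from phpass itself, showing the complete register/login flow around that call: phpass stores the random salt inside the hash string, so CheckPassword only ever compares the submitted password against that string and the value never reaches SQL or a shell. The one check worth adding in front of it is that the $_POST entry is actually a string (PHP turns `password[]=...` into an array). The PDO handle `$pdo`, the `users(username, password_hash)` table and the location of PasswordHash.php are assumptions.

```php
<?php
// Added example, not code from the thread or from phpass itself. It assumes
// PasswordHash.php from http://www.openwall.com/phpass/ is on the include path
// and that $pdo is a connected PDO handle to a table users(username, password_hash).
require 'PasswordHash.php';

// Registration: phpass draws a random per-user salt and embeds salt, scheme and
// cost in the returned string, so that single string is all that gets stored.
function registerUser(PDO $pdo, $username, $password)
{
    $hasher = new PasswordHash(8, false);   // 2^8 rounds; false = prefer bcrypt over the portable scheme
    $hash = $hasher->HashPassword($password);
    if (strlen($hash) < 20) {               // phpass returns '*' when hashing failed
        throw new RuntimeException('Password hashing failed');
    }
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

// Login: CheckPassword reads salt and cost back out of the stored hash, so the
// raw form value can be handed to it as-is; it never reaches SQL or a shell.
function loginUser(PDO $pdo, $username, $password)
{
    // A form can submit password[]=..., which PHP turns into an array. Refuse
    // anything that is not a plain string before it gets near crypt().
    if (!is_string($username) || !is_string($password)) {
        return false;
    }

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $storedHash = $stmt->fetchColumn();

    $hasher = new PasswordHash(8, false);
    if ($storedHash === false) {
        // Unknown user: still burn one hash computation so the response time
        // does not reveal which usernames exist.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = $hasher->HashPassword('not-a-real-password');
        }
        $hasher->CheckPassword($password, $dummyHash);
        return false;
    }
    return $hasher->CheckPassword($password, $storedHash);
}

// Form handler: missing fields become null, which loginUser rejects.
$username = isset($_POST['username']) ? $_POST['username'] : null;
$password = isset($_POST['password']) ? $_POST['password'] : null;
$loggedIn = loginUser($pdo, $username, $password);
```

The second constructor argument set to `false` tells phpass to use bcrypt via crypt() where the PHP build supports it and only fall back to its own portable MD5-based scheme otherwise; the cost of 8 is phpass's default and can be raised as hardware gets faster.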

  2. #2
    K. Wolfe
    Just curious, where are you getting $hasedPassword from that you are passing into CheckPassword()?

  3. #3
    ayonkhan (SitePoint Member)
    Quote Originally Posted by K. Wolfe View Post
    Just curious, where are you getting $hasedPassword from that you are passing into CheckPassword()?
    From database.

  4. #4
    K. Wolfe
    I'm a little confused as to what this "framework" is doing then. There could only possibly be a few lines of code behind that function to encrypt / salt the provided pass. Actually, if you're pulling the hashed pwd yourself, then it could only be a static salt, which is garbage anyways.

    Short answer, yes, it should be fine to pass POST directly to that script. I'd have a look around at some threads / pages on this topic though. Since you're concerned with security, you'll gain experience + more security from writing something yourself after learning a bit more on the topic. There's not too much to it.

    EDIT: For a long-winded discussion that didn't really get us anywhere... http://www.sitepoint.com/forums/show...=talk+security Some interesting things came up there anyways.

  5. #5
    ayonkhan (SitePoint Member)
    Quote Originally Posted by K. Wolfe View Post
    I'm a little confused as to what this "framework" is doing then.
    I think it's worth taking a peek. http://www.openwall.com/phpass/

    And thanks for sharing that thread. Gonna read it in the morning.

  6. #6
    K. Wolfe
    Quote Originally Posted by ayonkhan View Post
    I think it's worth taking a peek. http://www.openwall.com/phpass/

    And thanks for sharing that thread. Gonna read it in the morning.
    Eh, thanks but no thanks. Unless it's retrieving my salt, hash, user input, checking user input, and then on success resalting and rehashing, I'm not interested. Even if it did all of that, we are only talking about 10-15 lines of code that I would much rather write myself.

  7. #7
    Non-Member
    If you are using php 5.3.7 or above, try this: https://github.com/ircmaxell/password_compat
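Post #6 lists what a password routine should do (fetch the stored hash, check the input, and rehash on success), and post #7 points at password_compat. The block below is an added example, not code from the thread or from the password_compat project, that implements exactly that list with the `password_hash`, `password_verify` and `password_needs_rehash` functions password_compat backports to PHP 5.3.7+. The "rehash on success" step is what lets a site raise its bcrypt cost later without a forced password reset, because the cleartext is only available at the moment of a successful login. `$pdo`, the `users(username, password_hash)` table and the `lib/password.php` include path are assumptions.

```php
<?php
// Added example, not from the thread or from password_compat. Assumes
// lib/password.php from https://github.com/ircmaxell/password_compat is on the
// include path and $pdo is a PDO handle to a table users(username, password_hash).
require 'lib/password.php';

// bcrypt work factor (2^COST rounds). Raising this constant later is enough:
// existing users are upgraded transparently on their next successful login.
define('PASSWORD_COST', 10);

function registerUser(PDO $pdo, $username, $password)
{
    // password_hash draws a random salt and embeds algorithm, cost and salt in the result.
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => PASSWORD_COST));
    if ($hash === false) {
        throw new RuntimeException('Password hashing failed');
    }
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function loginUser(PDO $pdo, $username, $password)
{
    // $_POST entries can be arrays (password[]=...); never hand those to crypt().
    if (!is_string($username) || !is_string($password)) {
        return false;
    }

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $storedHash = $stmt->fetchColumn();
    if ($storedHash === false) {
        return false;
    }

    // password_verify parses salt and cost out of $storedHash and compares the
    // result without early exit, so the raw form value is safe to pass straight in.
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // "Rehash on success": the user has just proven the password, so if the stored
    // hash uses an older algorithm or a lower cost than we now want, replace it.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => PASSWORD_COST))) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, array('cost' => PASSWORD_COST));
        if ($newHash !== false) {
            $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
            $upd->execute(array($newHash, $username));
        }
    }
    return true;
}

// Form handler: missing fields become null, which loginUser rejects.
$username = isset($_POST['username']) ? $_POST['username'] : null;
$password = isset($_POST['password']) ? $_POST['password'] : null;
$loggedIn = loginUser($pdo, $username, $password);
```

On PHP 5.5 and later the same four calls are built in, so code written against password_compat keeps working unchanged once the library is dropped.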

  8. #8
    Jeff Mott
    Quote Originally Posted by ayonkhan View Post
    I was wondering if it is safe to directly pass $_POST['password'] into the CheckPassword method?
    Yes, that's safe.
    "First make it work. Then make it better."

