
Thread: Encode

  1. #1
    SitePoint Wizard (Join Date: May 2012; Posts: 1,107)

    Encode

    Hi, I need some help with my registration. I don't know how to put security on the password or username. How can I store the password in the database so that it is encoded and cannot be read by a human, or something like what they call a hash? Can you help me please with how I can do this hashing of my password? Or, aside from hashing, what other security measures should I take?

    Thank you in advance.

  2. #2
    cpradio (Hosting Team Leader; Join Date: Jun 2002; Location: Ohio; Posts: 5,166)
    You can start with http://phpmaster.com/password-hashing-in-php/

    Then I'd recommend searching these forums, as there has been a LOT of discussion on this, from using md5 with a random salt, sha, and much more.

  3. #3
    K. Wolfe (Always A Novice; Join Date: Nov 2003; Location: Columbus, OH; Posts: 2,182)
    Quick rundown for your googling:

    Use proper PDO sanitize technique to avoid SQL injection
    Always use password salting on top of your encryption (such as md5)
    Always try to use a dynamic salt, not a static one that is shared across all accounts

  4. #4
    SitePoint Wizard (Join Date: May 2012; Posts: 1,107)
    Hi K. Wolfe,

    Thank you for this, I will try to Google it.

  5. #5
    SitePoint Wizard (Join Date: May 2012; Posts: 1,107)
    Hi cpradio, thank you for this, but can I ask which is better to use, md5 or the SHA family?

  6. #6
    cpradio (Hosting Team Leader; Join Date: Jun 2002; Location: Ohio; Posts: 5,166)
    With a random salt, it doesn't really matter.

    However, the sha variants have not been scrutinized as much as md5 to my knowledge.

  7. #7
    SitePoint Wizard (Join Date: May 2012; Posts: 1,107)

    Quote Originally Posted by cpradio:
    You can start with http://phpmaster.com/password-hashing-in-php/

    Then I'd recommend searching these forums, as there has been a LOT of discussion on this, from using md5 with a random salt, sha, and much more.

    Hi cpradio, I am having a problem with this. After I successfully registered, I have no idea how to verify the password when I log in. Can you help me please?

    Code:
    include_once("connectiondb.php"); // provides $db, the PDO connection

    if (isset($_GET['register']))
    {
        $username  = $_GET['user'];
        $password  = $_GET['pass'];
        $firstname = $_GET['fname'];
        $lastname  = $_GET['lname'];

        $salt1 = "******************";
        $salt2 = "*******************";

        try {
            // four columns, so four placeholders
            $sql = "INSERT INTO reg (username, password, firstname, lastname)
                    VALUES (?, ?, ?, ?)";
            $cmd = $db->prepare($sql);
            $cmd->execute(array($username, hash('sha256', $salt1.$password.$salt2), $firstname, $lastname));

            echo "success";
            $db = null;
        }
        catch (PDOException $e)
        {
            echo $e->getMessage();
        }
    }
    Last edited by cpradio; Mar 14, 2013 at 16:56. Reason: Masked salts

  8. #8
    cpradio (Hosting Team Leader; Join Date: Jun 2002; Location: Ohio; Posts: 5,166)
    You would perform the hash('sha256',$salt1.$password.$salt2) process again to the password entered by the user, then provide that in your WHERE clause

    PHP Code:
    $username = $_POST['username']; // assumed: username also comes from the login form
    $password = $_POST['password'];

    try {
        $sql = "SELECT * FROM reg WHERE username = ? AND password = ?";
        $cmd = $db->prepare($sql);
        $cmd->execute(array($username, hash('sha256', $salt1.$password.$salt2)));

        // verify one row is returned to report success!
        if ($cmd->fetch() !== false) {
            echo "success";
        }
        $db = null;
    }
    catch (PDOException $e)
    {
        echo $e->getMessage();
    }
    Also, since you had the $salt1 and $salt2 defined, you may want to change those (which will break your currently registered users).

  9. #9
    SitePoint Wizard (Join Date: May 2012; Posts: 1,107)
    Quote Originally Posted by cpradio:
    You would perform the hash('sha256',$salt1.$password.$salt2) process again to the password entered by the user, then provide that in your WHERE clause

    PHP Code:
    $username = $_POST['username']; // assumed: username also comes from the login form
    $password = $_POST['password'];

    try {
        $sql = "SELECT * FROM reg WHERE username = ? AND password = ?";
        $cmd = $db->prepare($sql);
        $cmd->execute(array($username, hash('sha256', $salt1.$password.$salt2)));

        // verify one row is returned to report success!
        if ($cmd->fetch() !== false) {
            echo "success";
        }
        $db = null;
    }
    catch (PDOException $e)
    {
        echo $e->getMessage();
    }
    Also, since you had the $salt1 and $salt2 defined, you may want to change those (which will break your currently registered users).

    Hi cpradio, it's working, thank you so much.

    Quote Originally Posted by cpradio:
    Also, since you had the $salt1 and $salt2 defined, you may want to change those (which will break your currently registered users)

    You mean I should not use a static $salt?

  10. #10
    cpradio (Hosting Team Leader; Join Date: Jun 2002; Location: Ohio; Posts: 5,166)
    No, I mean, your original post contained the salts you were using thus making your hash useless (if a search engine picked it up). So I strongly recommend changing it.

    Although I also recommend using a more dynamic salt. Something like this would be simple; if you opt to use any of the other fields I list below, that will make the login a bit more complex:

    PHP Code:
    $salt1 = "this is a static salt of my own";
    $salt2 = strtolower($username);
    hash('sha256', $salt1.$password.$salt2);
    This way each user's hash will be different because of the second salt. If you have other static pieces of information stored in your reg table, you may want to consider using those too (date of birth, email address, date registered). Just keep in mind, if the user wishes to change any of those fields used in your salt, then you will need to force them to re-enter their password (so you can generate the new salt) or to reset their password.

  11. #11
    SitePoint Wizard (Join Date: May 2012; Posts: 1,107)
    Thank you cpradio for pointing me in the right direction.

  12. #12
    SitePoint Wizard (Join Date: May 2012; Posts: 1,107)
    Is it okay to generate a uniqid as my salt?

  13. #13
    cpradio (Hosting Team Leader; Join Date: Jun 2002; Location: Ohio; Posts: 5,166)
    Only if you store it somewhere (in the reg table as a column for each user, for example), as you need to be able to reproduce the salt later for login.
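    Added example (not code from the thread or from cpradio) of the scheme described in posts #10 and #13: a random per-user salt stored in its own column of the reg table, with login verified by fetching the user's row, recomputing the hash and comparing it with hash_equals() rather than matching the hash in the WHERE clause. It assumes a reg table with username, password and salt columns and stands in an in-memory SQLite database for connectiondb.php so it runs stand-alone.

```php
<?php
// Added example (not from the thread): per-user random salt stored in the reg
// table, as the last replies describe. An in-memory SQLite database stands in
// for connectiondb.php so the script runs stand-alone; the table layout is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reg (username TEXT PRIMARY KEY, password TEXT NOT NULL, salt TEXT NOT NULL)');

// Application-wide static salt (the thread's $salt1), kept in config, not in the DB.
const SALT1 = 'replace-with-a-long-random-secret-from-your-config';

function hashPassword(string $password, string $userSalt): string
{
    // Same construction as the thread: sha256($salt1 . $password . $salt2).
    return hash('sha256', SALT1 . $password . $userSalt);
}

function registerUser(PDO $db, string $username, string $password): void
{
    // Per-user salt from the CSPRNG; stored beside the hash so login can rebuild it.
    // (uniqid() is time-based and predictable, so it is not a good salt source.)
    $userSalt = bin2hex(random_bytes(16));
    $cmd = $db->prepare('INSERT INTO reg (username, password, salt) VALUES (?, ?, ?)');
    $cmd->execute([$username, hashPassword($password, $userSalt), $userSalt]);
}

function verifyLogin(PDO $db, string $username, string $password): bool
{
    // Fetch by username only, then recompute the hash with the stored salt and
    // compare in constant time; the hash never goes into the WHERE clause.
    $cmd = $db->prepare('SELECT password, salt FROM reg WHERE username = ?');
    $cmd->execute([$username]);
    $row = $cmd->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return hash_equals($row['password'], hashPassword($password, $row['salt']));
}

registerUser($db, 'alice', 'correct horse battery staple');
var_dump(verifyLogin($db, 'alice', 'correct horse battery staple'));
var_dump(verifyLogin($db, 'alice', 'wrong password'));
var_dump(verifyLogin($db, 'nobody', 'anything'));
```

    PHP 5.5 and later ship password_hash() and password_verify(), which generate and store a per-user salt automatically and use a deliberately slow hash; in new code prefer them over a hand-rolled SHA-256 construction like the one above.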

  14. #14
    SitePoint Wizard (Join Date: May 2012; Posts: 1,107)
    Thank you
