
How do I create and store md5 passwords in mysql


Probably a very newbie question, but I've been reading around and have found some difficulty in understanding the creation and storage of passwords. From what I've read, md5/hash passwords are the best ways to store them in a database. However, how would I go about creating those passwords in the first place?

So say I have a login page with user bob, and password bob123 - how will I 1. get bob's password into the database to begin with (hashed) 2. how do I retrieve and confirm the hashed password?

Thanks

maestro416 asked Jul 21 '11 19:07



2 Answers

Edit 2017/11/09: Be sure to take a look at the answer from O Jones.

First off, MD5 isn't the greatest hashing method you could use for this; try sha256 or sha512.

That said, let's use hash('sha256') instead of md5() to represent the hashing part of the process.

When you first create a username and password you will hash the raw password with some salt (some random extra characters added to each password to make them longer/stronger).

Might look something like this coming in from the create user form:

```php
$escapedName = mysql_real_escape_string($_POST['name']); # use whatever escaping function your db requires; this is very important.
$escapedPW = mysql_real_escape_string($_POST['password']);

# generate a random salt to use for this account
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));

$saltedPW = $escapedPW . $salt;

$hashedPW = hash('sha256', $saltedPW);

$query = "insert into user (name, password, salt) values ('$escapedName', '$hashedPW', '$salt'); ";
```

Then on login it'll look something like this:

```php
$escapedName = mysql_real_escape_string($_POST['name']);
$escapedPW = mysql_real_escape_string($_POST['password']);

$saltQuery = "select salt from user where name = '$escapedName';";
$result = mysql_query($saltQuery);
# you'll want some error handling in production code :)
# see http://php.net/manual/en/function.mysql-query.php Example #2 for the general error handling template
$row = mysql_fetch_assoc($result);
$salt = $row['salt'];

$saltedPW = $escapedPW . $salt;

$hashedPW = hash('sha256', $saltedPW);

$query = "select * from user where name = '$escapedName' and password = '$hashedPW'; ";

# if nonzero query return then successful login
```
JohnKlehm answered Sep 23 '22 17:09


You have to reason in terms of hashed passwords:

Store the password as md5('bob123') when bob registers with your app:

```php
$query = "INSERT INTO users (username,password) VALUES('bob','".md5('bob123')."')";
```

Then, when bob is logging in:

```php
$query = "SELECT * FROM users WHERE username = 'bob' AND password = '".md5('bob123')."'";
```

Obviously, use variables for username and password; these queries are generated by PHP and then you can execute them on MySQL.

Dalen answered Sep 22 '22 17:09
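
The register-and-login flow from the answers above, redone with PHP's built-in password_hash()/password_verify() and PDO prepared statements in place of manual salting and string escaping. This is an added example, not code from either answer; the in-memory SQLite database stands in for MySQL so it runs offline, and the table layout and the register()/login() function names are assumptions.

```php
<?php
// Added example, not code from either answer. SQLite in memory stands in for
// MySQL so the script runs offline; with MySQL only the PDO DSN changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 255 characters leaves room for future PASSWORD_DEFAULT algorithms.
$db->exec('CREATE TABLE user (name VARCHAR(64) PRIMARY KEY, password VARCHAR(255) NOT NULL)');

function register(PDO $db, string $name, string $password): void
{
    // password_hash() generates a random per-password salt and stores it,
    // together with the algorithm and cost, inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep user input out of the SQL text, so no escaping is
    // needed and the raw password is hashed unmodified.
    $stmt = $db->prepare('INSERT INTO user (name, password) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

function login(PDO $db, string $name, string $password): bool
{
    // Hash of a throwaway value, verified when the name is unknown so that
    // unknown names cost about the same time as wrong passwords.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password FROM user WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn(); // false when no such user

    if ($stored === false) {
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET password = ? WHERE name = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

// Constructed sample account taken from the question.
register($db, 'bob', 'bob123');
var_dump(login($db, 'bob', 'bob123'));   // correct password
var_dump(login($db, 'bob', 'wrong'));    // wrong password
var_dump(login($db, 'alice', 'bob123')); // unknown user
```

The comparison happens in PHP rather than in the SQL WHERE clause because each stored hash carries its own salt, so the same password never produces the same string twice.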