 

PHP salt and hash SHA256 for login password


I've encrypted the password in my register script and stored it in the database, and I have to use it to log in, so I would want to use the unencrypted ones to log in. I've read some of the threads here but nothing is helping me. How can I add it to my login.php? The salt is also stored in the database.

This is my register.php script for encrypting

// Hash the submitted password once, then hash it again with a short salt prepended.
$hash = hash('sha256', $password1);

function createSalt() {
    $text = md5(uniqid(rand(), TRUE));
    return substr($text, 0, 3);   // only the first 3 hex characters are kept as the salt
}

$salt = createSalt();
$password = hash('sha256', $salt . $hash);   // this value and $salt are what get stored

and this is my login.php with session

//Create query
//NB: $username and $password are dropped straight into the SQL string (the answers
//below point to mysqli/PDO prepared statements instead), and the submitted value is
//compared against the stored column as-is: nothing here recomputes the salted
//SHA-256 that register.php stored.
$qry = "SELECT * FROM member WHERE username='$username' AND password='$password'";
$result = mysql_query($qry);

//Check whether the query was successful or not
if ($result) {
    if (mysql_num_rows($result) > 0) {
        //Login Successful
        session_regenerate_id();
        $member = mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID'] = $member['id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['username'];
        $_SESSION['SESS_LAST_NAME'] = $member['password'];
        session_write_close();
        header("location: profile.php");
        exit();
    }
    else {
        //Login failed
        //error message
    }
}   // this closing brace for if($result) was missing in the original
else {
    die("Query failed");
}
Simon_says asked Dec 24 '13 16:12


People also ask

Can I use SHA256 for passwords?

Not on its own. SHA256 is a sound cryptographic hash function and collisions are not the concern; the problem is that it is designed to be fast and has no tunable work factor, so an attacker who obtains the stored hashes can test enormous numbers of guesses per second, and a short salt like the 3-character one in the question does little to slow that down. For passwords, use a deliberately slow, salted algorithm such as bcrypt via password_hash(), as both answers below recommend.

Does PHP support SHA256?

PHP offers the built-in function hash(). The first argument to the function is the algorithm name (you can pass algorithm names like sha256, sha512, md5, sha1, and many others).

Does SHA256 have salt?

SHA256 itself has no salt parameter. A salt is extra random data the application generates per user, hashes together with the password, and stores in the database alongside the username and the resulting salted hash, so that two users with the same password get different hashes and precomputed tables are useless.

What hash algorithm is used for password authentication?

Two of the most common hashing algorithms you may have come across are MD5 and the SHA-* family of algorithms (SHA-1, SHA-2, SHA-3), but there are several reasons not to use these for passwords: they are built for speed, have no work factor, and so let an attacker test guesses far faster than a purpose-built password hash such as bcrypt allows.

What is the password_hash () function in PHP?

The password_hash() function creates a secure hash of your password. This is how you can use it:

$password = 'my secret password';
$hash = password_hash($password, PASSWORD_DEFAULT);

The result hash from password_hash() is secure because:

What are PHP salts and hashes?

A cryptographic salt is data that is added during the hashing process in order to eliminate the possibility of the output being looked up in a list of pre-calculated pairs of hashes and their inputs. Essentially, PHP salts and hashes are cryptographic tools that help secure your site's login.

Why does password_hash () create a salted hash?

The reason is that password_hash() creates salted hashes. Salted hashes include a random string, named "salt", as a protection against rainbow tables and dictionary attacks. Therefore, every hash will be different even if the source password is the same.

Can SHA512 be used to create password hashing functions?

Some people have used sha512 as a building block to create password hashing functions (PBKDF2-HMAC-SHA512 and crypt's sha512crypt are examples), but nowadays the recommended approach is "use bcrypt and keep an eye on scrypt".


2 Answers

These examples are from php.net. Thanks to you, I also just learned about the new php hashing functions.

Read the php documentation to find out about the possibilities and best practices: http://www.php.net/manual/en/function.password-hash.php

Save a password hash:

$options = [
    'cost' => 11,
];
// Get the password from post
$passwordFromPost = $_POST['password'];

$hash = password_hash($passwordFromPost, PASSWORD_BCRYPT, $options);

// Now insert it (with login or whatever) into your database, use mysqli or pdo!

Get the password hash:

// Get the password from the database and compare it to a variable (for example post)
$passwordFromPost = $_POST['password'];
$hashedPasswordFromDB = ...;

if (password_verify($passwordFromPost, $hashedPasswordFromDB)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
andreas answered Oct 25 '22 00:10


According to php.net the salt option has been deprecated as of PHP 7.0.0, so you should use the salt that is generated by default, which is far simpler.

Example for store the password:

$hashPassword = password_hash("password", PASSWORD_BCRYPT);

Example to verify the password:

$passwordCorrect = password_verify("password", $hashPassword);

anguswild answered Oct 25 '22 01:10
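The following is an added example, not code from the question or from either answer. It puts the pieces together the way a practitioner would: the question's existing rows (sha256(salt . sha256(password)) with a separate salt column) are verified with hash_equals() and transparently upgraded to bcrypt on the first successful login, new accounts go straight through password_hash()/password_verify() with the cost option from the first answer, and the password never appears in the SQL text. The `member` table layout (id, username, salt, password) is taken from the question; the in-memory SQLite database, the sample usernames and passwords, and the helper names legacyHash, registerMember, storeBcrypt, loginMember and startMemberSession are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's or the answerers' code. Assumes the
// question's `member` table (id, username, salt, password). Uses an in-memory
// SQLite database through PDO so it runs stand-alone; change the DSN for MySQL.

const BCRYPT_OPTIONS = ['cost' => 11];   // the cost option used in the first answer

// The questioner's register.php scheme, reproduced only so that existing rows
// can still be checked: sha256(salt . sha256(password)).
function legacyHash(string $salt, string $plain): string
{
    return hash('sha256', $salt . hash('sha256', $plain));
}

// Overwrite a row with a bcrypt hash. password_hash() generates and embeds its
// own salt, so the separate salt column is cleared.
function storeBcrypt(PDO $db, int $id, string $plain): void
{
    $stmt = $db->prepare('UPDATE member SET salt = :s, password = :p WHERE id = :id');
    $stmt->execute([':s' => '', ':p' => password_hash($plain, PASSWORD_BCRYPT, BCRYPT_OPTIONS), ':id' => $id]);
}

// New accounts: store only the bcrypt hash, via a prepared statement.
function registerMember(PDO $db, string $username, string $plain): void
{
    $stmt = $db->prepare('INSERT INTO member (username, salt, password) VALUES (:u, :s, :p)');
    $stmt->execute([':u' => $username, ':s' => '', ':p' => password_hash($plain, PASSWORD_BCRYPT, BCRYPT_OPTIONS)]);
}

// Returns the member id on success, null on failure. The row is fetched by
// username only and the password is verified in PHP, never inside the query.
function loginMember(PDO $db, string $username, string $plain): ?int
{
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, BCRYPT_OPTIONS);

    $stmt = $db->prepare('SELECT id, salt, password FROM member WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do one bcrypt verify so the response time does not
        // reveal which usernames exist.
        password_verify($plain, $dummy);
        return null;
    }

    $id = (int) $row['id'];
    $stored = (string) $row['password'];

    // Legacy row written by the old register.php: 64 hex chars plus a separate salt.
    if ($row['salt'] !== '' && preg_match('/^[0-9a-f]{64}$/', $stored) === 1) {
        if (!hash_equals($stored, legacyHash((string) $row['salt'], $plain))) {
            return null;
        }
        // Correct password and we hold the plaintext right now: upgrade the row,
        // so the weak scheme disappears as users log in.
        storeBcrypt($db, $id, $plain);
        return $id;
    }

    if (!password_verify($plain, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        // The cost was raised since this hash was made; refresh it while we can.
        storeBcrypt($db, $id, $plain);
    }
    return $id;
}

// Call this from login.php once loginMember() returns an id. Only the id goes
// into the session, never the hash (the question stores it as SESS_LAST_NAME).
function startMemberSession(int $id): void
{
    session_regenerate_id(true);
    $_SESSION['SESS_MEMBER_ID'] = $id;
    session_write_close();
}

// Demo on a constructed database (constructed sample rows, not real data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE NOT NULL, '
        . 'salt TEXT NOT NULL, password TEXT NOT NULL)');

// One row stored exactly the way the question's register.php would store it.
$legacySalt = substr(md5(uniqid((string) rand(), true)), 0, 3);
$db->prepare('INSERT INTO member (username, salt, password) VALUES (?, ?, ?)')
   ->execute(['simon', $legacySalt, legacyHash($legacySalt, 'hunter2')]);
registerMember($db, 'alice', 'correct horse battery staple');

$peek = $db->prepare('SELECT password FROM member WHERE username = ?');
foreach ([['simon', 'wrong'], ['simon', 'hunter2'], ['simon', 'hunter2'],
          ['alice', 'correct horse battery staple'], ['nobody', 'x']] as [$u, $p]) {
    $id = loginMember($db, $u, $p);
    $peek->execute([$u]);
    $stored = $peek->fetchColumn();
    printf("%-7s %-30s -> %s (stored: %s)\n", $u, $p, $id === null ? 'denied' : "member $id",
           $stored === false ? 'no row' : substr($stored, 0, 7) . '...');
}
```

Running it shows the legacy user denied with a wrong password, then accepted on the correct one, after which the stored column changes from a 64-character hex string to a `$2y$11$` bcrypt string and the second login for the same user goes through password_verify(). The dummy verify for unknown usernames and hash_equals() for the legacy comparison are there so that timing does not leak which usernames exist or how many leading bytes of a guess matched; once every row has been upgraded, the legacy branch and legacyHash() can be deleted.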