Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Unit testing with hashed passwords

Tags:

phpunit

zend-framework

Right now I'm using the Zend Framework and messing around with that and phpunit. Here is my dilemma.

When I create a user I hash the password in the user table. I add two salts, a static one from the application and one that is randomly generated. I use the database SHA function and then UNHEX that to store the password in a binary column. In order to tell the database how to hash the password I use a Zend_Db_Expr like so :

protected function _createPasswordDbExpression( $password )
{

    $quoted = $this->getDbTable()->getAdapter()->quoteInto( 'UNHEX( SHA1( ? ) )', $password );
    $binaryPassword = new Zend_Db_Expr( $quoted );

    return $binaryPassword;
}

Up till now I've been using xml datasets to specify the expected results but now, with the hashed passwords, I don't know what to do.

I see a solution to this but there has to be a better way.

I could prehash a password, or passwords, and only use that during my testing and in my xml files.

Is there any other solution that might be better and more testable?

I don't know exactly how this binary column would affect things when phpunit tries to insert a "hashed" password directly.

like image 999
Jerry Saravia Avatar asked Feb 24 '23 15:02

Jerry Saravia

1 Answers

First off, never do that. Anyone with access to the database query history can see the raw passwords (they will be stored in the binary logs). Instead, hash them in the application so that the raw passwords are destroyed. By doing that, your database functionality just becomes a value store rather than something that needs unit testing.

Once you make it a PHP function, it's trivial to unit test (simply use any one of the number of the standard test vectors to ensure it was hashed correctly.

However, I would highly suggest using a salt and a derivation function for storing the password securely. You can see why in this answer. And as far as the exact algorithm, I'd suggest implementing PBKDF2. I have a PHP implementation that you could reverse engineer if you'd like here (the library is not production ready yet, but that algorithm is).

Finally, I'd suggest using one of the SHA2 algorithms instead of SHA1 (either SHA256 or SHA512 should suffice well). It's more collision resistant, and tends to be seen as being significantly stronger...

like image 107
ircmaxell Avatar answered Mar 29 '23 19:03

ircmaxell
Sign in to Comment

Related questions

Zend Framework with Handwritten Font
PHP Zend Framework 2 - Trouble rendering form - "form plugin not found"
Dynamically include .js files from Zend_Controller_Action?
Zend Framework Filter Input StripTags and "<3"
Zend Framework: Zend_Oauth and Zend_Service_Twitter
Does CakePHP play nice with Oracle? How about other frameworks? [closed]
How to set the default checked value of a Zend_Form Radio Element?
How to set the message of the NotEmpty validator on a Zend_Form_Element?
what idea is behind Zend Framework Frontcontroller/dispatcher
Running Zend Framework on PHP 5.1.6 - patch or fix for ksort()?
get current controller
how to name an uploaded file in zend framework
"Lost connection to MySQL server" when trying to connect to remote MySQL server
Programming problem for potential Zend Framework devs
Zend_View::_run(), what does line 106 do?
Integrating Zend Framework 1.11 with MongoDB using Doctrine ODM

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!