Kudlas

Reputation: 659

Should I create hash using database or php

I am creating a website with a login. I have a salted hash of the password; my question is: is it better to create the hash in PHP, or is it better to create it within the SQL query?

SQL

-- hash computed by the database server: the plaintext 123456 travels to the server inside the query text
INSERT INTO users (USER, PASS) VALUES ("foo", SHA1( CONCAT( "salt", MD5( 123456 ) ) ) )

PHP

// hash computed in PHP: only the digest is sent to the database server
$pass = sha1( "salt" . md5( 123456 ) );
$link->query("INSERT INTO users (USER, PASS) VALUES ('foo', '$pass')");

And it's not only about creating a user; it could also be the check when signing in.

The thing is, I've heard that everything that happens in the database is quicker than in PHP, but I am afraid to send SQL with a clearly visible password (for security reasons).

Upvotes: 0

Views: 269

Answers (4)

CD001

Reputation: 8472

Technically you can quite securely pass unencrypted passwords from the application to the database server, even if they're on different machines - it's all TCP/IP and can therefore be encrypted if required ... however, why would you? The overhead of generating your hash in the application is minimal (it can even be more efficient, depending on what you're doing) and it provides far greater flexibility and ease of use.

Instead of creating a "roll your own" solution, you've got access to pre-existing libraries/functions within PHP itself, such as Hash, which allows you to select the algorithm you want to use.

If you really feel the need to go full-on tinfoil hat, you could encrypt the information in the database as well with AES_ENCRYPT, although not anything you actually want to search or index on.

Upvotes: 1

symcbean

Reputation: 48357

I've heard that everything that happens in database is quicker than in php

No. Usually bulk operations (i.e. operations affecting multiple rows) are much faster in a relational database. However, web servers and application servers (i.e. PHP) are easy to scale horizontally, but databases don't scale well - hence, even though it's often far from 'efficient', performing bulk operations at the application tier is a more scalable solution (Facebook sorts their query results in PHP rather than on the database).

So, in short, which is better depends on issues you've not addressed in your question.

If you absolutely need the fastest solution then you should measure it yourself.

BTW generating a hash of a hash is just burning CPU cycles -

SHA1( CONCAT(  'salt', MD5( 123456 ) ) )

is no more secure than

SHA1( CONCAT(  'salt', '123456') )

Update

One consideration did occur to me: doing the encryption in the database potentially widens the attack surface (e.g. the plain text password potentially appearing in logs).

Upvotes: 0
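The "hash of a hash" point in the answer above is easy to check concretely. The following is an added example, not code from the question or from any of the answers: it implements both constructions from the answer and runs the same offline dictionary attack against each. The site-wide salt `'salt'` and the password `123456` are taken from the question; the wordlist and the two helper names are constructed for the example. An attacker who knows the scheme simply nests the same functions, so the nested MD5 adds one cheap hash per guess and nothing else: no per-user salt, no tunable work factor.

```php
<?php
// Added example (not from the original Q&A): why nesting fast hashes does not
// make a password store harder to crack. Salt, password and wordlist are
// constructed here for illustration.

declare(strict_types=1);

const SALT = 'salt'; // one site-wide constant salt, as in the question

// The two constructions compared in the answer above.
function hashNested(string $password): string
{
    return sha1(SALT . md5($password));
}

function hashPlain(string $password): string
{
    return sha1(SALT . $password);
}

// Generic offline dictionary attack: push every candidate through the known
// scheme and count guesses until the stored digest matches.
// Returns [recoveredPassword, guesses]; recoveredPassword is null on failure.
function crack(string $storedDigest, array $wordlist, callable $scheme): array
{
    $guesses = 0;
    foreach ($wordlist as $candidate) {
        $guesses++;
        if (hash_equals($storedDigest, $scheme($candidate))) {
            return [$candidate, $guesses];
        }
    }
    return [null, $guesses];
}

// Constructed wordlist; the question's password is one of the entries.
$wordlist = ['password', 'qwerty', 'letmein', 'dragon', '123456', 'iloveyou'];

// What the two schemes would store for the user from the question.
$storedNested = hashNested('123456');
$storedPlain  = hashPlain('123456');

// The attacker only has to mirror the scheme; the work per guess barely changes.
[$pwNested, $guessesNested] = crack($storedNested, $wordlist, 'hashNested');
[$pwPlain,  $guessesPlain]  = crack($storedPlain,  $wordlist, 'hashPlain');

printf("SHA1(salt . MD5(pw)): recovered '%s' after %d guesses\n", $pwNested, $guessesNested);
printf("SHA1(salt . pw):      recovered '%s' after %d guesses\n", $pwPlain,  $guessesPlain);
```

Run it with `php` on the command line. Both schemes give up the password after exactly the same number of guesses, because the attacker runs the same wordlist through whichever construction the stored digest was made with. What does raise the attacker's cost is a random per-user salt (so one wordlist run no longer covers every user) and a deliberately slow, tunable hash; neither construction above has either.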

Madbreaks

Reputation: 19529

You listed a valid security concern, so go ahead and handle it on the PHP side. Unless you're handling a very large amount of traffic, you don't need to worry about the tiny performance difference between the two.

Upvotes: 0

Jack

Reputation: 2830

You should hash the password as early as is feasible. Definitely do it in PHP, not SQL.

You should not use md5 to hash passwords. It is outdated and insecure. Here is a reference on modern secure password storage: https://crackstation.net/hashing-security.htm#properhashing

Upvotes: 0
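Two of the answers above (CD001's, which points at PHP's built-in hashing functions, and Jack's, which says to hash as early as feasible and not with MD5) describe the same approach without showing it. The following is an added example, not code from the question or from any answer: registration and login done entirely in PHP with `password_hash()` / `password_verify()`, with the username and hash passed to the database as bound parameters, so neither the plaintext nor a string-interpolated value ever appears in the query text or in a query log. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite database in place of the question's MySQL server; the table layout and the user `foo` / `123456` follow the question, and the function names are constructed for the example.

```php
<?php
// Added example (not from the original Q&A): hashing on the PHP side with
// PHP's own password_hash()/password_verify(), storing and checking the hash
// via prepared statements. SQLite in memory stands in for MySQL (assumption).

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');
    return $db;
}

// Registration: hash first, then store. password_hash() picks a random
// per-user salt and embeds salt, algorithm and cost in the returned string,
// so the database only ever sees that string.
function createUser(PDO $db, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (user, pass) VALUES (:user, :pass)');
    $stmt->execute([':user' => $user, ':pass' => $hash]);
}

// Login: look the user up by name only, then let password_verify() do the
// constant-time comparison in PHP. Returns true only on a correct password.
function checkLogin(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend one verification so response time does
        // not reveal which usernames exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    if (!password_verify($password, $row['pass'])) {
        return false;
    }

    // If PASSWORD_DEFAULT or its cost has moved on since this hash was stored,
    // upgrade it now, while the plaintext is legitimately in hand.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pass = :pass WHERE user = :user');
        $upd->execute([
            ':pass' => password_hash($password, PASSWORD_DEFAULT),
            ':user' => $user,
        ]);
    }
    return true;
}

$db = openDb();
createUser($db, 'foo', '123456');

var_dump(checkLogin($db, 'foo', '123456'));    // correct password
var_dump(checkLogin($db, 'foo', 'wrong'));     // wrong password
var_dump(checkLogin($db, 'nobody', '123456')); // unknown user

// What actually reached the database: the password_hash() string, not the password.
echo $db->query('SELECT pass FROM users')->fetchColumn(), "\n";
```

Run it with `php` on the command line. Compared with the question's `SHA1(CONCAT("salt", MD5(123456)))`, this moves the hashing into the application (so the password never crosses to the database in the clear), replaces the fixed site-wide salt with a random per-user one, swaps a fast digest for a deliberately slow one with an adjustable cost, and uses bound parameters instead of string interpolation. The `password_needs_rehash()` step is what lets the cost be raised later without a bulk migration.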
