Sam
Reputation: 85
Salting passwords?
I have a working register and login script, but I want to salt the passwords to make sure they are secure against hackers and sql injections
How do I do this? This is my code as follows; thanks HTML
<form method="post">
<input type="text" name="newUsername" placeholder="Username"/>
<input type="password" name="newPassword" placeholder="Password"/>
<input type="submit" name="signUp" value="Sign Up!"/>
</form>
<form method="post">
<input type="text" name="Username" placeholder="Username"/>
<input type="password" name="Password" placeholder="Password"/>
<input type="submit" name="LogIn" value="Log In"/>
</form>
Then PHP:
if($_POST['signUp']) {
$username = $_POST['newUsername'];
$pass = $_POST['newPassword'];
$signedUp = SignUp($Username,$pass);
echo $signUpCode[$signedUp]; // See the SignUp function in prefunc.php
} elseif($_POST['LogIn']) {
$username = $_POST['Username'];
$password = $_POST['Password'];
$loggedIn = LogIn($username,$password);
echo $logInCode[$loggedIn];
}
$signUpCode = Array(
"-3"=>"Logged in already - can't sign up!",
"-2"=>"Username already exists!",
"-1"=>"Failed to sign up - please try again!",
"1"=>"Signed up, and logged in successfully!"
);
function SignUp($Username,$Password) {
$Username = preg_replace("/[^a-zA-Z0-9]/","",$Username);
$u = mysql_query("SELECT * FROM Users WHERE LOWER(Username)=LOWER('$Username')");
if(getCurrentId()){
return -3;
}
if(!mysql_num_rows($u)) {
mysql_query("INSERT INTO Users SET Username='$Username',Password=''$Password") or die(mysql_error());
$u = mysql_query("SELECT * FROM Users WHERE LOWER(Username)=LOWER('$Username')");
if(mysql_num_rows($u)) {
LogIn($Username,$Password);
return 1;
} else {
return -1;
}
}
return -2;
}
Upvotes: 0
Views: 80
Answers (1)
Mike Brant
Reputation: 71384
A couple of notes:
- You need to consider using
password_hash()andpassword_verify()for this purpose. These are the best "out of the box" functions in PHP for password hashing
Usage example:
$password_hash = password_hash($password, PASSWORD_DEFAULT);
$query = "INSERT INTO users (Username, Password) VALUES ('{$username}', '{$password_hash}')";
- There should be no reason whatsoever to first check the existence of a user before trying to insert one. As long as you have a unique index on your Username field, the insert will just fail if it is duplicate Username. This saves you an extra query against your DB every time you try to create a user. You also should not be messaging a user that a username already exists, as this is bad security practice. The user insert query should just succeed or fail, for cases where failure is due to duplicate key on insert, you should not care.
- You should not be using
mysql_*functionality for anything. This is deprecated functionality. UsemysqliorPDO. - Along with using
mysqliorPDOyou should be using prepared statements with bound parameters. Currently your code is subject to SQL injection as you are doing nothing to escape the user input before trying to use it in your query. Very, very bad practice.
Using a parametrized prepared statement, your query would look something like:
$query = "INSERT INTO users (Username, Password) VALUES (:username, :password_hash)";
You would then prepare and execute this. I am not going to go into detail here as there are hundred of thousands of examples on the web of how to do this.
Upvotes: 1
Related Questions
- PHP Salt and hashing of password
- Salted password security
- Hashing and Salting passwords from users using PHP
- PHP/MYSQL Authenticate user login using salt password?
- Salting passwords PHP, MySQL
- Salting Passwords and in particular about the database and retrieving the password
- Questions about salting passwords
- PHP and MySQL Salt Security Question
- Salting in PHP and MySQL
- Salting my hashes with PHP and MySQL