user1710563

Reputation: 387

SHA256 salt with PHP and MySQL - Insert error

I'm using the following code to salt and hash passwords in a MySQL database:

<?php
function make($string, $salt = '') {
    return hash('sha256', $string . $salt);   // hex digest, plain ASCII
}
function salt($length) {
    return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);   // raw random bytes, not text
}

$salt = salt(32);
$password = make('password', $salt);
?>

However when I attempt to insert the generated salt into the database, there are some cases where this error occurs:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ÜöOòƒ·¡]ŽÖ', 1)' at line 1

I assume that is because of unrecognized characters being generated. What would be a solution for this?

Upvotes: 0

Views: 638

Answers (1)

Marc B

Reputation: 360702

You're inserting raw binary garbage. That will naturally (and semi-randomly) contain SQL metacharacters, like a '. This means your query is vulnerable to SQL injection attacks.

You don't show any of your actual PHP code, but you should either be using a prepared statement, or doing manual escaping, e.g.

$stmt = mysqli_prepare($conn, "INSERT .... (password_hash) VALUES (?)");
mysqli_stmt_bind_param($stmt, 's', $raw_hash);   // bound as a value, never spliced into the SQL text
mysqli_stmt_execute($stmt);

or

$quoted = mysqli_real_escape_string($conn, $raw_hash);   // escaping needs the connection's charset
$sql = "INSERT ... (password_hash) VALUES ('$quoted')";

Alternatively, you could encode that hash string, e.g. use base64, so that the encoded hash becomes a relatively harmless string. But even then you should be using proper query construction techniques.

Upvotes: 3
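Putting the answer's first recommendation into practice, here is an added example (my code, not the question's or the answer's) that keeps the question's SHA-256-plus-salt scheme but stores the raw salt through a PDO prepared statement, so the bytes are bound as values rather than interpolated into the query. It assumes a users table with a BINARY(32) salt column, placeholder DSN and credentials, and uses random_bytes() in place of the removed mcrypt_create_iv().

```php
<?php
// Added example, not code from the question or the answer: store a binary salt
// and its SHA-256 hash with a PDO prepared statement so the raw bytes are bound
// as values and never spliced into the SQL text. Assumes a table created as
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY,
//                       salt BINARY(32) NOT NULL, password_hash CHAR(64) NOT NULL);
// and placeholder DSN/credentials below.

function make(string $string, string $salt = ''): string {
    return hash('sha256', $string . $salt);   // 64 hex characters, plain ASCII
}

function salt(int $length): string {
    return random_bytes($length);             // CSPRNG bytes; stands in for mcrypt_create_iv
}

function storeUser(PDO $db, string $username, string $password): void {
    $salt = salt(32);                         // raw bytes: may contain ' \ or 0x00
    $hash = make($password, $salt);
    $stmt = $db->prepare(
        'INSERT INTO users (username, salt, password_hash) VALUES (:u, :s, :h)'
    );
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':s', $salt, PDO::PARAM_STR);     // binding is binary-safe; no escaping
    $stmt->bindValue(':h', $hash, PDO::PARAM_STR);
    $stmt->execute();
}

function verifyUser(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT salt, password_hash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Recompute with the stored salt and compare in constant time.
    return hash_equals($row['password_hash'], make($password, $row['salt']));
}

$db = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,      // server-side prepares, values sent out of band
]);
storeUser($db, 'alice', 'correct horse battery staple');
var_dump(verifyUser($db, 'alice', 'correct horse battery staple'));
```

hash_equals() compares the recomputed hash in constant time. A single SHA-256 round is fast to brute-force, so for real password storage PHP's password_hash()/password_verify() (a slow, self-salting algorithm) are the usual choice.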
