|
PHP - Mysql Password
I was just wondering what is the best way to handle passwords using mysql and php. For example if a user is registering (creating a username and password) and then logging in using that password what is the must secure way to handle this. Is it okay to just use password like and other field?
Thanks for any help. Similar TutorialsI need to find a way to store a password for connection to a remote database. I'm writing a program that will create a database on whatever server the user is using. Obviously, they will have to provide their username and password in order to create the database and have access to it. I need my program to get the information once (when they use the setup utility), then be able to store it so they can automatically connect to the database whenever my program is used. I plan using a php file for storage and include() to gain access to the info. I just don't have an idea for getting the information into the php file in the first place. Thanks for any ideas! Hey all. I am new to this forum and to PHP as a whole. I though I would try to make a login system using php and mysql. The login and register forms work great but I cannot seem to fully figure out how to let a user change their password. My code partially works. When the user types the correct old password and when the two new password forms confirm, the password changes and the database is updated and the user is taken to a page that tells him that his password was successfully changed. However, the problem is when the old password he types is different than the one in the database, the page that states password successfully changed also appears but the password is not changed in the database. The problem is thus with the SELECT statement. Can anyone please help me find whats wrong. It has been tormenting for a few hours now. Thank you in advance. . I used md5 encryption for the passwords. Here is the section of code that comes after the script makes sure that none of the forms are empty and that the passwords confirm . //Create SELECT query to verify that the old password is correct $qry="SELECT * FROM members WHERE login='" . $_SESSION['SESS_USERNAME'] . "' AND passwd='".md5($_POST['opassword'])."'"; $result = mysql_query($qry); if($result) { //Create UPDATE query to replace old password with new password $updatepasswd="Update members set passwd='".md5($_POST['npassword'])."' where login='" . $_SESSION['SESS_USERNAME'] . "' AND passwd='".md5($_POST['opassword'])."'"; $update = mysql_query($updatepasswd); //Check whether the query was successful or not if($update) { header("location: changepasswordsuccess.php"); exit(); } else { die("Query failed"); } } else { header("location: passwordchange-failed.php"); } Hi Guys,
I have a very simple table called: registered_users
there is only 4 columns
column 1 = id
column 2 = username
column 3 = password
column 4 = salt
the password is hashed and salted when it's added to the table.
The problem is, that my username and password isn't being "seen" by the code so it's not sending me to the next page, it is only sending me back to the login page - not validated.
Please could you help me understand what i may be doing wrong here, it all looks okay to me but that's not obviously the case?
Here is the validation for username and password to login:
/* validate the username and the password */
if((!isset($_POST['username'])) || (strlen(trim($_POST['username'])) <5) || (trim($_POST['username']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['username'])))) {
/* if is bad */
$my_error = 1;
}else{
$username = mysql_real_escape_string(trim($_POST['username']));
}
/* END validating username */
/* validate the password */
if((!isset($_POST['password'])) || (strlen(trim($_POST['password'])) <5) || (trim($_POST['password']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['password'])))){
/* if is bad */
$my_error = 1;
}else{
$password = trim($_POST['password']);
}
/* END validating password */
/* if any of the post variables are invalid send back to the form page */
if($my_error != 0) {
$_SESSION['error_message'] =$error_message;
header("Location: index.php");
exit();
}
/* FUNCTION TO CREATE SALT */
function createSalt(){
$string = md5(uniqid(rand(), true));
return substr($string, 0, 3);
}
/* check to see if username is in the table if not send back to login */
$query01 = "SELECT * FROM registered_users WHERE username = '$username'";
$result01 = mysql_query($query01) or die(mysql_error());
if(mysql_num_rows($result01) != 1) {
header("Location: index.php");
exit();
}
$row = mysql_fetch_array($result01);
$salt = $row['salt'];
$hash = hash('sha256', $salt, $password);
$query02 = "SELECT id FROM registered_users WHERE username = '$username' AND password = '$hash'";
$result02 = mysql_query($query02) or die(mysql_error());
if(mysql_num_rows($result02) !=1){
header("Location: index.php");
exit();
}
$_SESSION['id'] = $row['id'];
$_SESSION['valid_user'] = "yes";
header("Location: admin02.php");
exit();
?>
Thanks
Andy
Edited by Ch0cu3r, 05 July 2014 - 09:14 AM. Hi, I'm new here and I should say, I am a raw amateur at PHP and MySQL. All I can do is look at how others do similar things and try and adapt it. I have a MySQL table: Neil_Details. It has 4 columns: id, number, name, password. I can enter number and name from a csv file automatically, no problem. id is the Primary Key and will auto_increment. The column 'number' is the student numbers, name is their Chinese names. I want to take the column number and generate a password from each number in the column password. That's all! Quote$password = password_hash($number, PASSWORD_DEFAULT); People tell me, "Don't use their student numbers," but once I know how to do this in principle, I can splice part of the number and Chinese name together somehow and make a more secure password. I just want to learn how to do this in principle. Then I can do it for each class. So far I have this, which doesn't seem to work, although I get no errors in /var/log/apache2/error.log Could you please help me along a bit with some tips, pointers, links? My index.php first calls '/makePassword/form.html.php' This is called makePassword.php. Thanks for any tips!
<?php
//start PHP session
session_start();
//check if login form is submitted
if(isset($_POST['gettable'])){
//assign variables to post values
$tablename = $_POST['tablename'];
// login to the database dbname=allstudentsdb
include $_SERVER['DOCUMENT_ROOT'] . '/includes/studentdb.inc.php';
$stmt = $pdo->prepare('SELECT * FROM ' . $tablename . ' WHERE number = :number');
$stmt->execute(['number' => $number]);
$password = password_hash($number, PASSWORD_DEFAULT);
echo 'password is ' . $password;
$stmt = $pdo->prepare('INSERT INTO ' . $tablename . ' (password) VALUES (:password)');
try{
$stmt->execute(['password' => $password]);
}
catch(PDOException $e){
$_SESSION['error'] = $e->getMessage();
}
}
echo 'Passwords made!';
// the input form to get the mysql table name
header('location: ' . '/makePassword/form.html.php');
?>
I am attempting to install PEAR however am very confused and I believe I have stuffed up something from which it will be very complicated to come back from. Firstly, for some reason I have the C:\wamp\bin\php\php5.3.0\go-pear.bat installation file, but I also have the C:\PHP\go-pear.bat installation file. Which one do I choose? And is the C:\PHP direcotry left over from an old installation. I have no idea. Further to that, I ran the go-pear.bat installation from the C:\PHP directory, I have a feeling this was the wrong decision. After installing everything it stated that it had updated my php.ini file, however this file was in the wrong directory and so I took the updated lines from the php.ini which put in a a new include_path and pasted them into the php.ini file in the C:\wamp... directory. Now when I go to the command prompt and type in pear here is the message I get: PHP_PEAR_PHP_BIN is not set correctly. Please fix it using your environment variable or modify the default value in pear.bat The current value is: .\php.exe I have followed a remedy to this which is included he http://www.pear-forum.org/topic2413.html However still to no avail. I am further confused why I have a C:\PHP folder and why it is seperate from my WAMP folder. Further to that, when I try to install PEAR from my WAMP folder and click on C:\wamp\bin\php\php5.3.0\go-pear.bat I get the following error message: phar "C:\wamp\bin\php\php5.3.0\PEAR\go-pear.phar" does not have a signaturePHP warning require_once(phar://go-pear.phar/index.php>: failed to open stream: phar error: invalid url or non-existent phar "phar://go-pear.phar/index.php" in C:\wamp\bin\php\php5.3.0\PEAR\go-pear.phar n line 1236 (and another message that looks very similar) ----- Note: the installation instructions I am following are located here > http://trac.symfony-project.org/wiki/HowToInstallPearOnWindowsWithWamp ------ So basically I am stuck. Why is it so difficult to install PEAR and how do I simply get it working? Hi there
I am just finalising my first ever PHP/MYSQL project and I am worried about where to safely keep my connection credentials for the SQL DB.
Currently, I am storing them in ../php/config.php and this works fine, but I am worried as to the security of this
Can anyone advise please
Thanks
Hello PhP Freaks forum In the past weeks ive been trying to make a website, where you can register. Everything seems to work except my cherished Change password feature. Everytime you try to change the password, it just resets it to nothing. Here is the code below. <?php if(isset($_SESSION['username'])) { $username = $_SESSION['username']; $lastname = $_SESSION['lastname']; $firstname = $_SESSION['firstname']; $email = $_SESSION['email']; echo " <h4>Options for:</h4> $username <br /> <br /> First name: $firstname <br />Last name: $lastname <br /><br /><h3>Want to change your password:</h3><br /> <form action='?do=option' method='post'> Old password <input type='password' placeholder='Has to be between 5-15 digits' name='password' size='30' value='' /><br /> <br /> New Password<input type='password' placeholder='Has to be between 5-15 digits' name='newpass' size='30' value='' /><br /> <br /> Confirm new password <input type='password' placeholder='Has to be between 5-15 digits' name='passconf' size='30' value='' /><br /> <center></div><input type='submit' value='Submit'/></center></form>"; }else{ echo 'Please login to view your options!'; } $password = $_REQUEST['password']; $pass_conf = $_REQUEST['newpass']; $email = $_REQUEST['passconf']; $connect = mysql_connect("Host", "User", "Password"); if(!$connect){ die(mysql_error()); } //Selecting database $select_db = mysql_select_db("My Database", $connect); if(!$select_db){ die(mysql_error()); } //Find if entered data is correct $result = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'"); $row = mysql_fetch_array($result); $id = $row['id']; mysql_query("UPDATE users SET password='$newpass' WHERE username='$user'") ?> And i do know that i dont have a if(Empty($newpass)){ Die(Please fill out the new password) } Or any security on the others, but the problem just seems that it resets the password into nothing Hope i can get this fixed Best Regards William Pfaffe This topic has been moved to Application Design. http://www.phpfreaks.com/forums/index.php?topic=353345.0 <?php
require_once('upper.php'); require_once('database.php'); echo $error_msg=''; if(isset($_POST['submit'])) { $LoginId=mysqli_real_escape_string($dbc,trim($_POST['LoginId'])); $Password1=mysqli_real_escape_string($dbc,trim($_POST['Password1'])); $Password2=mysqli_real_escape_string($dbc,trim($_POST['Password2'])); $Name=mysqli_real_escape_string($dbc,trim($_POST['Name'])); $Age=mysqli_real_escape_string($dbc,trim($_POST['Age'])); $BloodGroup=mysqli_real_escape_string($dbc,trim($_POST['BloodGroup'])); if(!isset($_POST['Sex'])) { echo 'Please enter Sex<br>'; } else{ $Sex= mysqli_real_escape_string($dbc,trim($_POST['Sex'])); } $Qualification=mysqli_real_escape_string($dbc,trim($_POST['Qualification'])); $ContactNumber=mysqli_real_escape_string($dbc,trim($_POST['ContactNumber'])); $Email=mysqli_real_escape_string($dbc,trim($_POST['Email'])); $Address=mysqli_real_escape_string($dbc,trim($_POST['Address'])); $AboutYourself=mysqli_real_escape_string($dbc,trim($_POST['AboutYourself'])); //$countCheck=count($_POST['checkbox']); //echo $countCheck; //$checkbox=$_POST['checkbox']; //$countCheck=count($checkbox); if(empty($LoginId)){echo 'Please enter Login Id';} elseif(empty($Password1)){echo 'Please enter Password';} elseif(empty($Password2)){echo 'Please confirm Password';} elseif($Password1!==$Password2){echo 'Password didn\'t match';} elseif(empty($Name)){echo 'Please enter Name';} elseif(empty($Age)){echo 'Please enter Age';} elseif(!isset($_POST['Sex'])){} elseif(empty($Qualification)){echo 'Please enter Qualification';} elseif(empty($ContactNumber)){echo 'Please enter Contact Number';} elseif(empty($Email)){echo 'Please enter Email';} elseif(empty($Address)){echo 'Please enter Address';} elseif(empty($AboutYourself)){echo 'Please enter About Yourself';} elseif(!isset($_POST['checkbox'])){ echo 'You have to register at least one activity.';} elseif(!isset($_POST['TermsAndConditions'])){ echo 'You have to agree all Terms and Conditions of Elite Brigade.';} else { require_once('database.php'); $query="select * from registration where LoginId='$LoginId'"; $result=mysqli_query($dbc,$query); if(mysqli_num_rows($result)==0) { $checkbox=$_POST['checkbox']; $countCheck=count($_POST['checkbox']); $reg_id=' '; for($i=0;$i<$countCheck;$i++) { $reg_id=$reg_id.$checkbox[$i].','; $query="insert into activity_participation (LoginId,Title,Date) values ('$LoginId','$checkbox[$i]',CURDATE())"; $result=mysqli_query($dbc,$query) or die("Not Connected"); } $query="insert into registration (LoginId,Password,Name,Age,BloodGroup,Sex,Qualification,ContactNumber,Email,Address,AboutYourself,Activity)values ('$LoginId'[B],SHA('$Password1'),[/B]'$Name','$Age','$BloodGroup','$Sex','$Qualification','$ContactNumber','$Email','$Address','$AboutYourself',',$reg_id')"; $result=mysqli_query($dbc,$query) or die("Not Connect"); echo ' Dear '.$Name.'.<br>Your request has been mailed to admin.<br>Your account is waiting for approval<br>'; $from= 'Elite Brigade'; $to='ankitp@rsquareonline.com'; $subject='New User Registration'; $message="Dear admin,\n\nA new user request for registration. Please check it out.\n\nRegards\nMicro"; mail($to,$subject,$message,'From:'.$from); //header('Location: index.php'); // header('Location: Registration.php'); } else { echo 'Dear '.$Name. ', <br> An account already exist with login-id<b> '.$LoginId.'</b> <br>Please try another login-id'; }} } ?> <html> <head> <script src="jquery-latest.js"></script> <script type="text/javascript" src="jquery-validate.js"></script> <style type="text/css"> * { font-family: Verdana; } label.error { color: white; padding-left: .5em; } p { clear: both; } .submit { margin-left: 12em; } em { font-weight: bold; padding-right: 1em; vertical-align: top; } </style> <script> $(document).ready(function(){ $("#commentForm").validate(); }); </script> </head> <body> <?php echo $error_msg; ?> <form action='<?php echo $_SERVER['PHP_SELF'];?>' id="commentForm" method='post'> <div class="registration_and_activity"> <table border="0" width="380"> <tr><td colspan="2"> <h3>New User?</h3></td></tr> <tr><td width="120"> <em>*</em>Enter Login id</td><td width="150"><input type='text' name='LoginId' minlength="4" value='<?php if(!empty($LoginId))echo $LoginId;?>' /></td></tr> <tr><td> <em>*</em>Enter Password</td> <td><head> <div id="divMayus" style="visibility:hidden">Caps Lock is on.</div> <SCRIPT language=Javascript> function capLock(e){ kc = e.keyCode?e.keyCode:e.which; sk = e.shiftKey?e.shiftKey:((kc == 16)?true:false); if(((kc >= 65 && kc <= 90) && !sk)||((kc >= 97 && kc <= 122) && sk)) document.getElementById('divMayus').style.visibility = 'visible'; else document.getElementById('divMayus').style.visibility = 'hidden'; } </SCRIPT> </HEAD> <input onkeypress='return capLock(event)' type='password' name='Password1' value='<?php if(!empty($Password1))echo $Password1;?>' /></td></tr> <tr><td> <em>*</em>Confirm Password</td><td><input type='password' name='Password2' value='<?php if(!empty($Password2))echo $Password2;?>' /></td></tr> <tr><td width="120"> <em>*</em>Enter Name</td> <td><input type='text' name='Name' value='<?php if(!empty($Name))echo $Name;?>' /></td></tr> <tr><td> <em>*</em>Enter Age</td><HEAD> <SCRIPT language=Javascript> function isNumberKey(evt) { var charCode = (evt.which) ? evt.which : event.keyCode if (charCode > 31 && (charCode < 48 || charCode > 57)) return false; return true; } </SCRIPT> </HEAD> <td><INPUT onkeypress='return isNumberKey(event)' type='text' name='Age' value='<?php if(!empty($Age))echo $Age;?>'/></td></tr> <tr><td> <em>*</em>Enter Blood</td><td><input type='text' name='BloodGroup' value='<?php if(!empty($BloodGroup))echo $BloodGroup;?>' /></td></tr> <tr><td> <em>*</em>Enter Sex</td><td><input type='radio' name='Sex' style='width:16px; border:0;' 'value='Male' />Male <input type='radio' name='Sex' style='width:16px; border:0;' 'value='Female' />Female</td></tr> <tr><td> <em>*</em>Enter Qualification</td><td><input type='text' name='Qualification' value='<?php if(!empty($Qualification))echo $Qualification;?>' /></td></tr> <tr><td> <em>*</em>Contact Number </td><td><input onkeypress='return isNumberKey(event)'type='text' name='ContactNumber' value='<?php if(!empty($ContactNumber))echo $ContactNumber;?>' /></td></tr> <tr><td> <em>*</em>Enter Email</td><td><input type='text' name='Email'class="email" value='<?php if(!empty($Email))echo $Email;?>' /></td></tr> <tr><td> <em>*</em>Enter Address</td><td><input type='text' name='Address' value='<?php if(!empty($Address))echo $Address;?>' /></td></tr> <tr ><td > <em>*</em>About Yourself </td></tr> <tr><td colspan="2"><textarea rows='10' cols='40' name='AboutYourself' /><?php if(!empty($Address))echo $Address;?></textarea></td></tr> <tr><td> <?php echo" <tr><td colspan='2'><em>*</em><b>Select fields for which you want to register</b></td></tr>"; require_once('database.php'); $query="select * from activity"; $result=mysqli_query($dbc,$query); while($row=mysqli_fetch_array($result)){ $Title=$row['Title']; $ActivityId=$row['ActivityId']; echo "<tr><td>$Title</td>"; echo "<td><input type='checkbox' name='checkbox[]' value='$Title' style='width:14px; text-align:right;'/></td></tr>";//value=$ActivityId tells ActivityId variable extracts with name="checkbox" echo "<br/>"; } echo "<td><em>*</em><input type='checkbox' name='TermsAndConditions' style='width:14px; text-align:right;'/></td><td> I agree all <a href='TermsAndConditions.php'>Terms and conditions </a>of Elite Brigade</td></tr>"; echo "<tr><td colspan='2' align='center'><input type='submit' value='Register' name='submit' style='background:url(./images/button_img2.png) no-repeat 10px 0px; width:100px; padding:3px 0 10px 0; color:#FEFBC4; border:0;'/></td></tr><br>"; echo " </td></tr></table> </div> </form> </body> </html>"; require_once('lower.php'); ?> Hi Friends .... I encrypt user password by SHA('$Password') method but now i want to add "Forget Password Module" for which I need to decrypt it first before tell my user but I don't Know how to decrypt it. Please help me........ I am having some trouble getting this to pull the password correctly from the database. I believe the problem is from the password being in md5 format. I am not sure how to fix the issue. Much thanks Code: [Select] <?php //signin.php include 'connect.php'; include 'header.php'; echo '<h3>Sign in</h3><br />'; //first, check if the user is already signed in. If that is the case, there is no need to display this page if(isset($_SESSION['signed_in']) && $_SESSION['signed_in'] == true) { echo 'You are already signed in, you can <a href="signout.php">sign out</a> if you want.'; } else { if($_SERVER['REQUEST_METHOD'] != 'POST') { /*the form hasn't been posted yet, display it note that the action="" will cause the form to post to the same page it is on */ echo '<form method="post" action=""> Username: <input type="text" name="username" /><br /> Password: <input type="password" name="password"><br /> <input type="submit" value="Sign in" /> </form>'; } else { /* so, the form has been posted, we'll process the data in three steps: 1. Check the data 2. Let the user refill the wrong fields (if necessary) 3. Varify if the data is correct and return the correct response */ $errors = array(); /* declare the array for later use */ if(!isset($_POST['username'])) { $errors[] = 'The username field must not be empty.'; } if(!isset($_POST['password'])) { $errors[] = 'The password field must not be empty.'; } if(!empty($errors)) /*check for an empty array, if there are errors, they're in this array (note the ! operator)*/ { echo 'Uh-oh.. a couple of fields are not filled in correctly..<br /><br />'; echo '<ul>'; foreach($errors as $key => $value) /* walk through the array so all the errors get displayed */ { echo '<li>' . $value . '</li>'; /* this generates a nice error list */ } echo '</ul>'; } else { //the form has been posted without errors, so save it //notice the use of mysql_real_escape_string, keep everything safe! //also notice the sha1 function which hashes the password $sql = "SELECT userid, username, userlevel FROM users WHERE username = '" . mysql_real_escape_string($_POST['username']) . "' AND password = '" . sha1($_POST['password']) . "'"; $result = mysql_query($sql); if(!$result) { //something went wrong, display the error echo 'Something went wrong while signing in. Please try again later.'; //echo mysql_error(); //debugging purposes, uncomment when needed } else { //the query was successfully executed, there are 2 possibilities //1. the query returned data, the user can be signed in //2. the query returned an empty result set, the credentials were wrong if(mysql_num_rows($result) == 0) { echo 'You have supplied a wrong user/password combination. Please try again.'; } else { //set the $_SESSION['signed_in'] variable to TRUE $_SESSION['signed_in'] = true; //we also put the user_id and user_name values in the $_SESSION, so we can use it at various pages while($row = mysql_fetch_assoc($result)) { $_SESSION['userid'] = $row['userid']; $_SESSION['username'] = $row['username']; $_SESSION['userlevel'] = $row['userlevel']; } echo 'Welcome, ' . $_SESSION['username'] . '. <br /><a href="index.php">Proceed to the forum overview</a>.'; } } } } } include 'footer.php'; ?> Hi all, I am trying to make a 'forgot password' script. The passwords in the database are md5 encrypted. Is there a way to reverse this md5 password and send the forgotten password in its orginal for to the user through email? Thanks. <?PHP include("cxn.php"); $sql = "SELECT password FROM Members WHERE email='$_POST[email]'"; $result = mysqli_query($cxn,$sql) or die ("Couldn't execute query"); $num = mysqli_num_rows($result); if ($num >0) // Email Address Found { $password = md5($_POST['password']); // Trying to take the md5 off the password here. $to = "$_POST[email]"; $subj = "Password for website.co.uk"; $mess = "Your password for www.website.co.uk is: \n $_POST['password'] \n Please login with your email address and this password. Thank you."; $mailsend = mail($to,$subj,$mess,$headers); $update= "An email containing your password has been sent to". $_POST['email']."."; include("signin-redirect.php"); } else // Email Address Not Found { $registrationerror = "The email address '$_POST[email]' is already registered!"; include("signin-redirect.php"); } ?> I'm making the password field have these restrictions: Length >= 8 That's it. I then use javascript to md5 the value of that text field, then I send it using ajax to the php script to process the signup. Is it bad not to have a max length, or does this way work. Any suggestions? hey guys im trying to make a regual expresion for a password with the conditions that it must contain 2 of each character: upper case letter, lower case letter, number or symbol...i have the regular exprssion below individually but how do i put it into one expression please?
possible matches:
des$tramic
destram1c
Destramic
^ (?=.*[A-Z].*[!@#$&*]) // upper case letter with symbol (?=.*[A-Z].*[a-z]) // upper case letter with lower case letter (?=.*[A-Z].*[0-9]) // upper case letter with number (?=.*[!@#$&*].*[0-9]) // symbol with number (?=.*[a-z].*[!@#$&*]) lower case character with symbol (?=.*[a-z].*[0-9]) // lower case character with number $thank you I have been out of the game for a while and i need a bit of guidance on this.
Password: HelloWorld!
Salt: mySaltForMyReallyCoolPasswordThatiMadeForPHPFREAKS
MD5 . SALT = 072ce1d7fd7e6f14ba12053a9e057b26
SHA1 . SALT = d580f4880e29ed757d942623f4d96dab1976d929
Crypt . SALT = my7LFLALq6s3c
password_hash = $2y$13$mySaltForMyReallyCoolO9t3RUqt1WbzVeqqQGxDHqOF/nu2Zhs2
Which security protocol is most prefered.
SALT . MD5 . SALT http://php.net/manua...unction.md5.php
SHA1 . SALT http://php.net/manua...nction.sha1.php
Crypt http://php.net/manua...ction.crypt.php
password_hash http://php.net/manua...ssword-hash.php (new)
function:
<?PHP
$password = "HelloWorld!";
$salt = "mySaltForMyReallyCoolPasswordThatiMadeForPHPFREAKS";
$md5 = md5($password . $salt);
$sha1 = $sha1($password . $salt);
$crypt = crypt($password, $salt);
$o = [
'cost' => 13,
'salt' => $salt,
];
$password_hash = password_hash($p, PASSWORD_DEFAULT, $o);
?>
After i get the encrypted password, i will convert it to binary and then store it in the database as a binary.
Which of these methods do you prefer and why? (ps. i might have used password_hash incorrectly).
i don't need any source code, just fill me in
Edited by Richard_Grant, 08 September 2014 - 08:49 AM. Hy 2 all, I have some questions about password security that I haven't been able to find an answer yet. Hopefully you guys know. Here it goes: 1. Is it better to hash(sha2) the password and then salt it or salt it and than hash it ? 2. I'm guessing that using a random salt is better than the same salt used for every password. 3. How can you generate a different random salt for each password ? I mean how will the login page know which random salt to mix with the hashed user inserted password and then to compare it with the password stored in the db. (an example would be great(for both: generating and authentication) 4. I saw some codes in which the salt and/or hash and/or password was split into two (ex: hash.salt1a.password.salt1b or password1a.salt.password1b or salt.hash1a.password.hash1b etc.) Is this a good idea ? Is it really more secure ? If so which would be more secure (splitting the password, the hash or the salt) ? 5. Is double hashing (ex: (sha1(md5($password))) any good ? 6. I've been reading something about password salt and pepper ?? What exactly is pepper ? Is it some sort of second salt ? If somebody could enlighten me about these questions, that would be great. Thanks in advance! Hi, im trying to make a password reminder for my game server accounts. Ok, so now in mysql i have table with 2 fields: email and pass. Here is my php coding to remind password: Code: [Select] <?php session_start(); include "./global.php"; ?> <html> <head> <title>Password Reminder</title> </head> <body> <?php if(!isset ($_POST['submit'])) { echo "Your e-mail: <input type='input' name='email'> <input type='submit' name='submit' value='Ok'>\n"; }else{ $to = $_POST['email']; if($to) { $sql = "SELECT pass FROM fpass WHERE email='".$to."'"; $res = mysql_query($sql) or die(mysql_error()); if(mysql_num_rows($res) > 0) { $rrow = mysql_fetch_assoc($res); echo "Your password is: '".$rrow['pass']."'"; }else{ echo "The e-mail that you supplied does not exist!\n"; } }else{ echo "E-Mail field is empty! Please fill it up.\n"; } } ?> </body> </html> global.php connects to mysql. But now when i typing email, the it should select password from table fpass where email = my typed email. But when i click Ok button, then it don't doing anything... It should show me this: Your password is: blabla... I'm still trying to figure out why I should use salt. If the bad guy knows a name and tries something like brute force shoving passwords into the log-in form until one worked how would salt help stop that? If a bad guy, God forbid, gets hold of the user names and passwords like they did phpbb(?) forums several years ago how would salt stop that? I know I may be beating this issue to death but if I have salt in the users table assigned to a user and his password now equals $stored_password = sha1($salt.$password) does this really doesn't matter? Because if the bad guy knows the user name and uses brute force or has a list of passwords from the users table that he has gotten some way. All he has to do is type in the user name and password and salt will be added automatically. I am a newbie to php. Ran away from it from years but now I see the light! I am in the process of developing a web site application w/ MySql backend and I would like to do the following: 1. Client registers for my site. 2. How do I create code that validates password format to meet my password criteria (i.e. (2) capital letters, (2) special characters etc etc. I want to password protect my entire website. How would I go on to doing this. There is a website that has this already (www.printerdev.co.uk). I want to do the exact same thing but not sure how to. Can someone please help me |
|||||||