PHP - Safely Hashing Data

Part of my class: using PHP5 ( http://php.net/manua...ssword-hash.php) If you know of anything new in PHP5 related to please do share

protected function create_hash($string){
$password = "#" . strrev($password);
    $grs =  $this->grs("|WordToTheWise",rand(22, 50));
    $hash = password_hash("_" . strrev($string), PASSWORD_BCRYPT, array('cost'=>rand(4,14),'salt'=>$grs));
    return strrev($hash);
}
public function verifyhash($string, $hash_string){//verifies that the hash is equal to the password
    return (password_verify("_" . strrev($string), strrev($hash_string)) ? true : false);
  }
 
private function grs($string_append = "", $length = 22) {
   $length = $length - strlen($string_append);
   $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&()_*,./;[]|';
   $randomString = '';
   for ($i = 0; $i < $length; $i++) {
       $randomString .= $characters[rand(0, strlen($characters) - 1)];
   }
   return $randomString . $string_append;
}

Okay so u use strrev on my string and hash just to make everything a bit more CONFUSING and i append the string with a "]" just to make the password harder to brute the strrev and append string is not meant to make the hash any more secure.   I store the reversed hash in my DB as a varchar   The point of the reverse hash is only to make the hash a little more unrecognizable to the human eye.     The Const is randomly chosen 4 - 14, and the salt is randomly generated with a special string appended.     How would you improve the hashing?
Edited by Richard_Grant, 09 September 2014 - 11:48 PM.

{
$getp=$_POST["password"];
$newhas=password_hash($getp,PASSWORD_BCRYPT);

I am trying to use this code for password hashing for every time that password is hashed it returns a different value.

How do I save the hashed value in database ?

Just a quick question.

I have heard a few people say that they store a specific (maybe random) salt string in the same row as the user that is generated when the user account is created or password is changed. But I thought one of the reasons people use hashing is so if someone managed to get hold of the database they couldn't decipher the password (like a simple md5'd string). But putting the salt string next to the username surely gives the attacker a major push in the right direction?

I am not claiming to know anything, I'm just asking because I'm trying to find the best practice (Or at least a good tried and tested one). I like the idea of having a salt in a php config file, because that would mean an attacker would actually have to get your files, and if they had got that far then your pretty much screwed anyway.

When to use password_needs_rehash  Workflow for account registration. 1.       The user creates an account. 2.       Their password is hashed password_hash($password, PASSWORD_DEFAULT) and stored in the database. 3.       When the user attempts to login, the hash (password_verify  ) of the password they entered is checked against the hash of their real password (retrieved from the database). 4.       If the hashes match, the user is granted access. If not, the user is told they entered invalid login credentials. My question is 1.       When should I call password_needs_rehash? 2.       Do I really need to use it?     

I am currently testing a small hash idea, for say database encryption for passwords.

Basically what I want to know is if this is a good or not the best method for encryption...

Code: [Select]
<?php

    $us_password = 'drowssap'; // User-Submitted Password; 
    $salt = '))!&8d*34d763!(('; //The salt
    $dbs_password = '3750221c513902ff76f4ec7ffed5fa4385d2599d'; // Sha1 hash for "drowssap"+Salt;

        if($us_password == sha1($us_password.$salt)){
            //Some other code for success here
        } else {
           //Failure code here
        }
    
?>

So basically, this is an abstract example of what I'm doing... Is it any good, or what could be improved? I've also used DB-Stored salts unique to each user, so even if someone used rainbow tables ( even after failure on my part for letting them get the hash... ), and multiple users had the same password, they would only crack one, rather than all of them, since the hashes would be different due to the different salts.

Hello all,

I looked everytwhere to find the answer to my question bug so far, no luck. I hope someone here can help me with this issue.

Oke, my problem is as following.

I'm creating a string with a foreach loop that I then will has after the loop. The problem is, is that that string is addad to a variable. When I sha1 hash that variable with the sha1 function from within PHP I get a different hash as when I just echo the string and manually hash that.

The point is, is that the manually hashed string is then correct, and the automitically hash string isn't.

This is the code I'm using, can someone tell me where to look at to solve this problem?


if (is_array($this->getFormData())){
     foreach ($this->getFormData() as $name => $value) { 
         $string .= $name."=".$value.$shamethod;
   }
}
$hashstring = sha1($string, false);
echo '<br /><br />'.$hashstring.'<br /><br />';
echo $string;


Thanks for  your time.

Dok

Hello

I've recently been made aware that I need to hash the token I use when allowing users to reset their password.

I have a working solution but I'm hoping someone could let me know if this is an adequate way of doing it;

1. User enters their email, I check whether their actually a member and then...     create a passcode (1)     create a salt (2)     hash them together to create a passcode_hash (3)     insert the (2) and (3) into the database     send an email to the user with a link using (1) and the userid in the address 2. When the link is followed...     $_GET the userid and lookup the salt and passcode_hash for that id     hash together the passcode in the URL with the salt, and compare that to passcode_hash     if that is successfull then allow an update of the password (show the update form) 3. The password update form is sent along with two hidden fields (the passcode and userid from the URL)     On the form processing script I perform the same check as on Step 2 to check the passcode and user id have not been messed with     Update the password and delete the passcode Hopefully that makes sense... is that correct?

Here is my code that compares the passcode with the passcode_hash....
 

// get the passcode and email from URL (I will sanitize these)
        $passcode = $_GET['passcode'];
        $member_id = $_GET['uid'];

        // find the salt associated with the userid
        $stmt = $db->prepare("SELECT passcode,salt FROM members_verify WHERE members_id = ?");
        $stmt->bind_param('i',$member_id);
        $stmt->execute();
        $stmt->bind_result($db_passcode,$salt);
        $stmt->fetch();
        $stmt->close();

        // Create salted password
        $passcode_hash = hash('sha512', $passcode . $salt);

        if($passcode_hash===$db_passcode){
            $allowUpdate = 'yes';
        }

Any advice would be great
Edited by paddyfields, 07 June 2014 - 08:18 AM.

Used to be a good option, but don't know anymore as password_hash() is now available.   Agree?   I understand that I shouldn't ever manually salt and disable the functions salting.  That being said, is there any reason to add a bit extra to the user's password (such as an internal ID and some random constant)?

<?php 
	function cryptPass($input, $rounds = 9){
	
		$salt = "";
	
		$saltChars = array_merge(range('A','Z'), range('a','z'), range(0,9));
	
		for($i = 0; $i < 22; $i++){
	
			$salt .= $saltChars[array_rand($saltChars)];
	
		}
		
		return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);
	
	}

	echo $inputPass = "password2";

	echo $pass = "password";

	$hashedPass = cryptPass($pass);

	echo $hashedPass;

	if(crypt($inputPass, $hashedPass) == $hashedPass){
	
		echo "<br /><h1>Password is a match = log user in</h1>";
	
	}else{
	
		echo "<br />Password does not match = do not log in";
	
	}
?>

My PHP version 5.2 When I run above code I am getting the password match answer. I should have get error message. Can anyone advise me . Thank you.

I have a large number of files. It is recommended to save the files with hashing system to have fast access to files through the OS. But I have no practical knowledge about hash. Could you please give me a hint, how to save a file with hash coded system via php? and how to read the hash coded filename by php?

Thank you in advance!

Hi everyone 

I'm new around here but thought it's about time I joined a good PHP forum! I'll introduce myself properly on the right section, but for now, I'll my post my coding problem on here. I wonder if any has any knowledge or can help.

I'm setting up a connection from my web server to a potential data supplier web server, which involves a load of encryption. One of the stages is generating a SHA1 hash of an encrypted string.

Now I've got some old example code, however the "mhash" function used in this old code appears to obsolete. Thus is doesn't work.

I've tried using the available "sha1" and "hash" functions but cannot replicate the hashed output they provide.

Here's the original code:
Code: [Select]
$encrypted_string = "B0436CBFBC5CAAFB7339AF4A1DF845974D53B9D369146E2E4F1451929D9EBE254363E983F4F94517EB9585FDB112E7B1CCE11A33C5BBA23F8D5DE9D3415BA526489AC796A36FBA76D4293C8DFB673708CED10C9732EEC472D9E43D2626AA104121666E79DD8F2FF6BAC0143BD62E0EE826AF6459779C162613508D48BFE2FC8DD558A1834D7205F96EA8D446E9B371E78E990A3995B1052DCBA9CA0AF99CC77ED2A8B55B2B882BA29D4BB4B07FA91AB4D2F10FBB93732B077335A7E6D96FE813AEDC3711A85CD0C13AE22B28C14FCCE3AF4C1F5D2C0F7697DEC7487CCFC0ED4E77B1B65F39BAD5236E3D3C69D33FC484";

$hashBinaryValue = mhash(MHASH_SHA1, $encrypted_string);
$hashValue = bin2hex($hashBinaryValue);
echo 'hashValue='.$hashValue.'<br>';
The example hashed output should be:
Code: [Select]
31f6d26b18d3c04895cdc2cc05cbd9ad003f2d3e
I cannot seem to replicate this output using the available functions? I've tried the following:
Code: [Select]
$hashBinaryValue = hash('sha1', $encrypted_string);
$hashValue = bin2hex($hashBinaryValue);
And also:
Code: [Select]
$hashBinaryValue = sha1($encrypted_string);
$hashValue = bin2hex($hashBinaryValue);
Both generate:
Code: [Select]
37333736363862393037313732326265346438396433633236383936363430376434613665363231
I've found a webpage that can generate the SHA1 hash, but do not know what language they've done it in.
http://www.fileformat.info/tool/hash.htm?hex=B0436CBFBC5CAAFB7339AF4A1DF845974D53B9D369146E2E4F1451929D9EBE254363E983F4F94517EB9585FDB112E7B1CCE11A33C5BBA23F8D5DE9D3415BA526489AC796A36FBA76D4293C8DFB673708CED10C9732EEC472D9E43D2626AA104121666E79DD8F2FF6BAC0143BD62E0EE826AF6459779C162613508D48BFE2FC8DD558A1834D7205F96EA8D446E9B371E78E990A3995B1052DCBA9CA0AF99CC77ED2A8B55B2B882BA29D4BB4B07FA91AB4D2F10FBB93732B077335A7E6D96FE813AEDC3711A85CD0C13AE22B28C14FCCE3AF4C1F5D2C0F7697DEC7487CCFC0ED4E77B1B65F39BAD5236E3D3C69D33FC484

Any help or input would be greatly appreciated =)

Am new here - looks like a great foru!

I would sincerely appreciate any help anyone can give me. I have been
trying to solve my problem for hours and I am not having any luck, so I
thought I would post and see if anyone can help. I am very stuck and am
not making much progress on this project, and I am certain the answer is
very simple.

I am constructing a form to collect data for a specialized purpose. 

The form and program actually work for its intended function, but I am
trying to enhance the user experience by preventing customers from
having to reenter all of their data should there be a problem with any
of the data submitted.

I have been able to do that with the contact form portion, but what I am
having trouble with is the portion which has as many as 400 possible
entries.

So, in a nutshell, if the customers contact data is incomplete or in
error, the form will ask them to return to the page and correct things.
The previous data entered has been saved in the session and the input
value will equal the previous entry.

i.e.

<tr>
  <td align="right" class="infoBox"><?php echo ENTRY_EMAIL_ADDRESS; ?></td>
  <td align=left><?php echo "<input type=text name='cemail' value=\"$cemail\" size=35 maxlength=35>" ?></td>
</tr>

Works perfectly, all well and good there.

On the other 400 more or less entries, I am having a difficult time
tweaking the string concatenation to work to achieve similar results.

There are 4 columns each with $points entries asking for a dimension in
either feet or inches. 

The <input name=>  is one of ptaf,ptai,ptbf,ptbi, appended programatically with the corresponding
row number or data point.  i.e. "ptaf1", "ptai1", etc...  This is produced by the example
below and works perfectly also.

<?php {
$points=100;
$i=1;
while ($i <= $points)
{echo '
  <tr><td align="center" width="6"><b>  ' .$i . '</b></td>
     <td align="right" NOWRAP>A' .$i . ' (ft) <input type="text" name="ptaf'.$i.'" size=4 maxlength=3> </td>
      <td align="right" NOWRAP>A' .$i . ' (in) <input type="text" name="ptai'.$i.'" size=4 maxlength=4> </td>
     <td align="right" NOWRAP>B' .$i . ' (ft) <input type="text" name="ptbf'.$i.'" size=4 maxlength=3> </td>
      <td align="right" NOWRAP>B' .$i . ' (in) <input type="text" name="ptbi'.$i.'" size=4 maxlength=4> </td>

';

     $i++;
}   
}
?>


I am trying to add <input value=$ptai.$i> for each field but as I mentioned I
am not having any luck.  It seems as if I have tried every combination
imagineable, but still no luck. My head is spinning!

The closest I seem to have gotten was with this:

<td align="right" NOWRAP>A' .$i . ' (ft) <input type="text" size=6 maxlength=3 name="ptaf'.$i.'"  value="' . "$ptaf" . $i . '" ></td>

But line 17 for example returns this:

<input type="text" value="17" name="ptaf17" maxlength="3" size="6">

To recap, I am trying to have the value set to whatever the customer may
have entered previously.

Again, I would most appreciate any help anyone can give me. If you need
 clarification on anything please let me know.

Thanks

AJ

 

Hello to all,

I have problem figuring out how to properly display data fetched from MySQL database in a HTML table.

In the below example I am using two while loops, where the second one is nested inside first one, that check two different expressions fetching data from tables found in a MySQL database. The second expression compares the two tables IDs and after their match it displays the email of the account holder in each column in the HTML table.

The main problem is that the 'email' row is displayed properly while its while expression is not nested and alone(meaning the other data is omitted or commented out), but either nested or neighbored to the first while loop, it is displayed horizontally and the other data ('validity', 'valid_from', 'valid_to') is not displayed.'

Can someone help me on this, I guess the problem lies in the while loop?
Here is part of the HTML code:

<thead>
 <tr>
 <th data-column-id="id" data-type="numeric">ID</th>
 <th data-column-id="email">Subscriber's Email</th>
 <th data-column-id="validity">Validity</th>
<th data-column-id="valid_from">Valid From</th>
 <th data-column-id="valid_to">Valid To</th>
</tr>
</thead>

Here is part of the PHP code:

 

    <?php
    while($row = $stmt->fetch(PDO::FETCH_ASSOC))
    {
        echo '
            <tr>
                <td>'.$row["id"].'</td>
        ';
        while ($row1 = $stmt1->fetch(PDO::FETCH_ASSOC)) {
        echo '
                <td>'.$row1["email"].'</td>
        ';
        }
        if($row["validity"] == 1) {
            echo '<td>'.$row["validity"].' month</td>';
        }else{
            echo '<td>'.$row["validity"].' months</td>';
        }
        echo '  <td>'.$row["valid_from"].'</td>
                <td>'.$row["valid_to"].'</td>
        </tr>';
    }
    ?>

P.S. Please know that I have purposely omitted the connection part and the methods in the class that are used in this code to keep the spot of the problem as clean as possible. If you need me to rephrase the question, please ask.

Thank you.

Here's the code that deals with the client side:

<?php 
session_start(); 
if(!isset($_SESSION['Logged_in'])){
header("Location: /page.php?page=login");
}
?>
<!DOCTYPE Html>
<html>
<head>
<!--Connections made and head included-->
<?php require_once("../INC/head.php"); ?>
<?php require_once("../Scripts/DB/connect.php"); ?>
<!--Asynchronously Return User Names-->
<script>
$(document).ready(function(){
function search(){
        var textboxvalue = $('input[name=search]').val();
        $.ajax(
        {
            type: "GET",
            url: 'search.php',
            data: {Search: textboxvalue},
            success: function(result)
            {
                $("#results").html(result);
            }
        });
};​
</script>
</head>
<body>
<div id="header-wrapper">
<?php include_once("../INC/nav2.php"); ?>
</div>
<div id="content">
<h1 style="color: red; text-align: center;">Member Directory</h1>
<form onsubmit="search()">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<label for="search">Search for User:</label>
<input type="text" size="70px" id="search" name="search">
</form>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="index.php?do=">Show All Users</a>|<a href="index.php?do=ONLINE">Show All Online Users</a>
<div id="results">
<!--Results will be returned HERE!-->
</div>

  search.php 

<?php
//testing if data is sent ok
echo "<h1>Hello</h1><br>" . $_GET['search'];
?>

This is the link I get after sending foo.    http://www.family-li...php?&search=foo   Is that mean it was sent, but I'm not processing it correctly? I'm new to the whole AJAX thing. 

Hi, after banging my head against the wall for a while thinking this would be a simple task, I'm discovering that this is more complicated than I thought.

Basically what I have is a link table linking together source_id and subject_id.   For each subject there are multiple sources associated with each.

I had created a basic listing of sources by subject... no problem.   I now need a way of having a form to create an ordered list in a user-specified way.  In other words, I can currently order by id or alphabetically (subject name lives on a different table), but I need the option of choosing the order in which they display.  I added another row to this table called order_by.  No problem again, and I can manage all of this in the database, however I want to create a basic form where I can view sources by subject and then enter a number that I can use for sorting.

I started off looping through each of the entries and the database (with a where), and creating a foreach like so (with the subject_id being grabbed via GET from the URL on a previous script)
Code: [Select]
while($row = mysqli_fetch_array($rs)) {


//update row order
if (isset($_POST['submit']))  {

//get variables, and assign order

$subject_id = $_GET['subject_id'];
$order_by = $_POST['order_by'];
$source_id = $row['source_id'];


//echo 'Order by entered as ' . $order_by . '<br />';

foreach ($_POST['order_by'] as $order_by) {

$qorder = "UPDATE source_subject set order_by = '$order_by'
WHERE source_id = '$source_id'
AND subject_id = '$subject_id'";

mysqli_query($dbc, $qorder)
or die ('could not insert order');

// echo $subject_id . ', ' . $order_by . ', ' . $source_id;
// echo '<br />';
} 
}
else {
$subject_id = $_GET['subject_id'];
$order_by = $row['order_by'];
$source_id = $row['source_id'];

}

And have the line in the form like so:
Code: [Select]
echo '<input type="text" id="order_by" name="order_by[]" size="1" value="'. $order_by .'"/>

(yes I know I didn't escape the input field... it's all stored in an htaccess protected directory;  I will clean it up later once I get it to work)

This, of course, results in every source_id getting the same "order_by" no matter what I put into each field.

I'm thinking that I need to do some sort of foreach where I go through foreach source_id and have it update the "order_by" field for each one, but I must admit I'm not sure how to go about this (the flaws of being self-taught I suppose;  I don't have anyone to go to on this).

I'm hoping someone here can help?

Thanks a ton in advance