Trying to hash my passwords but with no success

I am fairly new to PHP security. For my site I have a sign up and a login, and I want to MD5 their passwords, but I can't find anywhere a clear guide on what needs to be added to the sign up, what needs to be added to the login files, and/or the database. As I say, I am fairly new to PHP in terms of web security, so I am in need of some help. Here's part of what I have on my sign up form:

    $error = $user = $pass = "";
    if (isset($_SESSION['user'])) destroySession();

    if (isset($_POST['user']))
    {
        $user = sanitizeString($_POST['user']);
        $pass = sanitizeString($_POST['pass']);

        if ($user == "" || $pass == "")
        {
            $error = "Not all fields were entered<br /><br />";
        }
        else
        {
            $query = "SELECT * FROM members WHERE user='$user'";

            if (mysql_num_rows(queryMysql($query)))
            {
                $error = "Username already taken<br /><br />";
            }
            else
            {
                $query = "INSERT INTO members VALUES('$user', '$pass')";
                queryMysql($query);
                die("<h4>Account created</h4>Please Log in.");
            }
        }
    }

I just need an example or a good guide of what I need to do to get it working correctly.


I think you're looking to salt and then hash your passwords. Simply add a string of your choosing to the front (and if you wish, to the end) of your password before hashing it using MD5.

e.g.

    $pass   = 'mypassword';
    $salt   = 'S%gh3578';  // anything you want
    $pepper = 'w890rrk';   // anything you want
    // the MD5() here is evaluated by MySQL, since it sits inside the SQL string
    $query  = "INSERT INTO members VALUES('$user', md5('".$salt.$pass.$pepper."'))";
    queryMysql($query);

This will store the password in the database using salted MD5 encryption that cannot be reversed using a lookup table of common passwords using unsalted MD5 encryption.

To check if a password is valid, you do something similar:

    $passToCheck = 'something';
    $correctMD5  = '...'; // the hash retrieved from the database for this user
    // hash the candidate the same way it was hashed at sign-up, then compare strictly
    if (md5($salt.$passToCheck.$pepper) === $correctMD5)
    {
        // valid login
    } else {
        // login failure
    }


You can for example md5($pass) before you insert and when the user logs in, you md5 again and check that the values are the same. There is no way to de-md5, so you will usually check the md5 input against the md5 DB value.
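Both answers describe the same two steps: hash once at sign-up, hash the submitted value again at login and compare. The following is an added example, not code from the question or from either answer, that carries those two steps through with PHP's built-in password_hash()/password_verify() pair, which generates and stores a per-user random salt for you, and with PDO prepared statements in place of string-built SQL. It assumes a `members` table with `user` and `pass_hash` columns, and that the pdo_sqlite driver is installed so it runs offline against an in-memory database standing in for MySQL.

```php
<?php
// Added example (not from the question or either answer).
// Assumptions: table `members` (user, pass_hash); PDO with the pdo_sqlite driver,
// used here as an in-memory stand-in for the MySQL database in the question.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // pass_hash is wide enough for bcrypt (60 chars) and for future default algorithms
    $db->exec('CREATE TABLE members (user VARCHAR(64) PRIMARY KEY, pass_hash VARCHAR(255) NOT NULL)');
    return $db;
}

// Sign-up step: store only the hash, never the password itself.
function registerUser(PDO $db, string $user, string $pass): bool
{
    if ($user === '' || $pass === '') {
        return false; // not all fields were entered
    }
    $stmt = $db->prepare('SELECT 1 FROM members WHERE user = :user');
    $stmt->execute([':user' => $user]);
    if ($stmt->fetchColumn() !== false) {
        return false; // username already taken
    }
    // password_hash() picks a random salt and embeds it in the returned string,
    // so two users with the same password get different hashes.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO members (user, pass_hash) VALUES (:user, :hash)');
    $stmt->execute([':user' => $user, ':hash' => $hash]);
    return true;
}

// Login step: fetch the stored hash and let password_verify() redo the hashing
// with the embedded salt and compare in constant time.
function checkLogin(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM members WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user
    }
    return password_verify($pass, $hash);
}

// Constructed demo run: one sign-up, a duplicate sign-up, a good and a bad login.
$db = openDb();
var_dump(registerUser($db, 'alice', 'correct horse battery staple'));
var_dump(registerUser($db, 'alice', 'another password'));
var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice', 'wrong password'));
```

Nothing in the login path needs to know the salt: it is part of the stored string, which is why the `pass_hash` column must be long enough to hold the whole output rather than a fixed 32-character MD5 digest. Binding `:user` through `prepare()`/`execute()` also means the username is never spliced into the SQL text as the `$query` strings in the question and first answer do.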
