Salt and hashed password missing on some users
First of all you should always check if the data is there. For any real service crashing is not an option.
If you want everyone to have a password now then you have two options: either require those users to set up a password before they can do anything else, or just set a random password to them and email it to them.
The first option is harder to do because it can mean adding a lot of new logic. The second one is easier but you risk that people cannot log in because the emails got lost.
In any case your code should always be ready for a situation when some data in the database is missing or incorrect so even if you add passwords to all of the users, you should still check if it is there instead of crashing if it isn't.
Salt and hash a password in Python
EDIT: This answer is wrong. A single iteration of SHA512 is fast, which makes it inappropriate for use as a password hashing function. Use one of the other answers here instead.
Looks fine by me. However, I'm pretty sure you don't actually need base64. You could just do this:
import hashlib, uuid
salt = uuid.uuid4().hex
hashed_password = hashlib.sha512(password + salt).hexdigest()
If it doesn't create difficulties, you can get slightly more efficient storage in your database by storing the salt and hashed password as raw bytes rather than hex strings. To do so, replace hex
with bytes
and hexdigest
with digest
.
checking password confirmation in php
Here is my recommendation, this may not completely solve your issue but it will make your code a bit more secure since your code is susceptible to SQL injection:
<?php
include("../../config/database_connection.php");
if( isset($_POST) )
{
$user_name = $conn->real_escape_string($_POST['user_name']);
$email = $conn->real_escape_string($_POST['email']);
$user_pass_init = $conn->real_escape_string($_POST['password']);
$user_pass_conf = $conn->real_escape_string($_POST['passconfirm']);
$full_name = $conn->real_escape_string($_POST['full_name']);
$gender = $conn->real_escape_string($_POST['gender']);
if (!empty($user_name) && !empty($email) && !empty($full_name) && !empty($gender)) {
if ($user_pass_init != $user_pass_conf) {
header("location:../index.php?err= password do not match");
}else{
$user_pass = md5($user_pass_init);
$query = "INSERT into admin_users (user_name,email,user_pass,full_name,gender) VALUES('$user_name', '$email', '$user_pass', '$full_name', '$gender')";
$success = $conn->query($query);
if (!$success) {
die("Couldn't enter data: ".$conn->error);
} else{
header("location:../index.php");
}
}
} else{
header("location:../index.php?err= Enter all the fields");
}
} else{
header("location:../index.php?err= couldnot enter data");
}
?>
I also would recommend using password_hash()
instead of md5()
Related Topics
What Are the Disadvantages of Using Persistent Connection in Pdo
How to Make Pdf File Downloadable in HTML Link
Are Arrays in PHP Copied as Value or as Reference to New Variables, and When Passed to Functions
How to Enable Curl in PHP/Xampp
Get PHP to Stop Replacing '.' Characters in $_Get or $_Post Arrays
How to Pass Data to View in Laravel
Set Up the Base Url in Codeigniter
PHP Function to Make Slug (Url String)
PHP/MySQL Insert Row Then Get 'Id'
Get Url Query String Parameters
MySQLi Prepared Statements Error Reporting
Capturing Text Between Square Brackets in PHP
Http Requests With File_Get_Contents, Getting the Response Code
How to Get Input Field Value Using PHP