Using PHP 5.5's password_hash and password_verify function
Ignoring the issues with your database statements for now, I'll answer the question regarding password_hash.
In short, no, that is not how you do it. You do not want to store the salt alone, you should be storing both the hash and salt, and then using both to verify the password. password_hash returns a string containing both.
The password_hash function returns a string that contains both the hash and the salt. So:
$hashAndSalt = password_hash($password, PASSWORD_BCRYPT);
// Insert $hashAndSalt into database against user
Then to verify:
// Fetch hash+salt from database, place in $hashAndSalt variable
// and then to verify $password:
if (password_verify($password, $hashAndSalt)) {
// Verified
}
Additionally, as the comments suggest, if you're interested in security you may want to look at mysqli (ext/mysql is deprecated in PHP 5.5), and also this article on SQL injection: http://php.net/manual/en/security.database.sql-injection.php
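The store-then-verify flow from the answer above, written out end to end as an added example (this is not code from the original answer). It assumes an in-memory SQLite database reachable through PDO, a `users` table with `username` and `password` columns, and PHP 7.0 or newer; all three are assumptions made for the demo. The hash is stored and looked up with prepared statements so the login code is not open to SQL injection, and `password_needs_rehash()` upgrades stored hashes when the default algorithm or cost changes.

```php
<?php
declare(strict_types=1);

// Added example: register/login with password_hash()/password_verify().
// The SQLite in-memory database, the `users` table and its column names are
// assumptions for this demo, not part of the original answer.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// bcrypt output is 60 characters today; VARCHAR(255) leaves room for whatever
// PASSWORD_DEFAULT produces in future versions, as the manual recommends.
$db->exec('CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password VARCHAR(255) NOT NULL
)');

function registerUser(PDO $db, string $username, string $password): void
{
    // The returned string already embeds algorithm, cost and salt: store it as-is.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    // A real hash to verify against when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }

    // password_verify() reads cost and salt out of the stored string itself.
    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // Transparently upgrade hashes made with an older algorithm or lower cost.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([
            ':p'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
    return true;
}

registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'wrong password'));
var_dump(loginUser($db, 'mallory', 'anything'));
```

The first login succeeds and the other two fail. Note that the salt never appears as a separate column or variable anywhere in this code; it lives inside the stored string, which is the point of the answer.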
How is the randomly generated password salt in PHP 5.5's new password_hash function even useful?
The salt is included in the hash value.
<?php
// Note: the 'salt' option shown here was deprecated in PHP 7.0 and is ignored
// (with a warning) since PHP 8.0, where a random salt is always generated.
$hash = password_hash("password", PASSWORD_DEFAULT, ['salt' => 'saltsaltsaltsaltsaltsa']);
print_r(password_get_info($hash));
echo $hash;
Outputs:
Array
(
[algo] => 1
[algoName] => bcrypt
[options] => Array
(
[cost] => 10
)
)
$2y$10$saltsaltsaltsaltsaltsOPRDjePxJkNp7mjBEve63IqKPFT7ehNG
As you can see, the hashing function stores information about the hashing process in the hash itself. The password_verify() function then parses the hash and validates the password based on this information.
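To make the "information stored in the hash itself" concrete, here is an added example (not from the original answer) that takes a bcrypt string apart into its fields and then reproduces what password_verify() does with them: it hands the stored string back to crypt() as the salt argument, which makes crypt() reuse the same cost and salt, and compares the result in constant time. The parser's regular expression and the helper names are this example's own assumptions about the `$2y$<cost>$<salt><digest>` layout.

```php
<?php
declare(strict_types=1);

// Added example: anatomy of a bcrypt string and a re-implementation of the
// check password_verify() performs. Helper names are assumptions for the demo.
function parseBcrypt(string $hash): array
{
    // Layout: $2y$<2-digit cost>$<22-char salt><31-char digest>, 60 chars total.
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return [
        'algo'   => $m[1],
        'cost'   => (int) $m[2],
        'salt'   => $m[3],
        'digest' => $m[4],
    ];
}

function verifyLikePasswordVerify(string $password, string $storedHash): bool
{
    // crypt() reads the algorithm, cost and salt from $storedHash and recomputes
    // the digest; password_verify() does exactly this and then compares in
    // constant time, which hash_equals() provides here.
    $recomputed = crypt($password, $storedHash);
    return hash_equals($storedHash, $recomputed);
}

// Two hashes of the same password get different random salts ...
$h1 = password_hash('password', PASSWORD_BCRYPT);
$h2 = password_hash('password', PASSWORD_BCRYPT);
print_r(parseBcrypt($h1));
print_r(parseBcrypt($h2));

// ... yet both verify, because each string carries its own salt.
var_dump(verifyLikePasswordVerify('password', $h1));
var_dump(verifyLikePasswordVerify('password', $h2));
var_dump(verifyLikePasswordVerify('Password', $h1));

// Same verdict as the built-in function.
var_dump(password_verify('password', $h1) === verifyLikePasswordVerify('password', $h1));
```

Run it twice and the `salt` and `digest` fields differ each time while `algo` and `cost` stay the same; the first two verifications succeed, the third (wrong case) fails, and the last comparison holds.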
Codeigniter password matches not working with md5
When you do matches[rpassword], it's looking at the current value of password after the md5 but rpassword before the md5.
Switch it to this so that it does the match validation BEFORE converting to md5:
$this->form_validation->set_rules('password','Password','required|matches[rpassword]|md5|trim|xss_clean');
$this->form_validation->set_rules('rpassword','Repeat Password','required|md5|trim|xss_clean');
Also, if this is an application where security truly matters, please know that md5 is very easy to crack and that if someone is ever able to get into your database, they will be able to hack all of these passwords. So basically using md5 is almost equivalent to not encrypting in the first place.
For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.
Can't login with real password in php
As stated: you're comparing plain text from the POST array $password = $_POST['pass']; to the MD5 in your table.
That should read as $password = md5($_POST['pass']);
I also stated that you shouldn't go live with this, "ever". If it is a live site, I suggest you put it on hold until you use a safe hashing function that is of "this century".
MD5 is 30+ years old and is no longer considered safe to use now to hash/store passwords with.
Consult the following:
- Is MD5 considered insecure?
- https://en.wikipedia.org/wiki/MD5
Passwords
Use one of the following:
- CRYPT_BLOWFISH
- crypt()
- bcrypt()
- scrypt()
- On OPENWALL
- PBKDF2
- PBKDF2 on PHP.net
- PHP 5.5's password_hash() function.
- Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/
Other links:
- PBKDF2 For PHP
Important sidenote about column length:
If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.
You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.
Your present code is also open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements.
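The answer above says to stop using MD5 and "start over with a new hash", but an existing site already has MD5 rows it cannot reverse. The added example below (not code from the original answer) shows the usual way out: keep accepting the legacy MD5 once, at the user's next successful login, and replace it with a password_hash() string on the spot, so the MD5 is never compared again. The `$users` array stands in for the database table, the 32-hex-character rule for spotting a legacy row, the `PASSWORD_COLUMN_LENGTH` constant and the sample rows are all assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example: migrate legacy MD5 password rows to password_hash() on login.
// The $users array, the legacy-row detection rule and the column width are
// assumptions for this demo, not part of the original answer.
const PASSWORD_COLUMN_LENGTH = 255; // assumed width after ALTER TABLE

// Constructed sample rows: one legacy MD5 user, one already migrated.
$users = [
    'bob'   => md5('hunter2'),
    'carol' => password_hash('letmein-please', PASSWORD_DEFAULT),
];

function isLegacyMd5(string $stored): bool
{
    // An unsalted MD5 hex digest is exactly 32 hex characters; bcrypt and the
    // other password_hash() outputs always start with '$'.
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

function loginAndMigrate(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored  = $users[$username];
    $newHash = null;

    if (isLegacyMd5($stored)) {
        // Legacy row: compare the MD5 in constant time, then replace it with a
        // real password hash so this branch is never taken again for this user.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $newHash = password_hash($password, PASSWORD_DEFAULT);
    } elseif (password_verify($password, $stored)) {
        // Modern row: rehash only if algorithm or cost is below current defaults.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $newHash = password_hash($password, PASSWORD_DEFAULT);
        }
    } else {
        return false;
    }

    if ($newHash !== null) {
        // Guard against the silent-truncation problem described in the answer:
        // a hash that does not fit the column must never be written.
        if (strlen($newHash) > PASSWORD_COLUMN_LENGTH) {
            throw new RuntimeException('password column too narrow for new hash');
        }
        $users[$username] = $newHash; // UPDATE users SET password = ? WHERE ...
    }
    return true;
}

var_dump(loginAndMigrate($users, 'bob', 'hunter2'));        // first login migrates bob
var_dump(isLegacyMd5($users['bob']));                        // bob's row is no longer MD5
var_dump(loginAndMigrate($users, 'bob', 'hunter2'));        // second login takes the bcrypt path
var_dump(loginAndMigrate($users, 'bob', 'wrong'));
var_dump(loginAndMigrate($users, 'carol', 'letmein-please'));
```

Users who never log in again keep their MD5 row, so a migration like this is normally paired with a deadline after which remaining legacy rows are invalidated and those users must reset their password.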
php session and while-loop: undefined index
SELECT ID, USERNAME, PASSWORD FROM Game - there you didn't select the GELD and NIVEAU columns in your query.
And don't use a deprecated MySQL API. Use mysqli with prepared statements, or PDO with prepared statements.
Passwords
If you're live with this or intend on going live with plain text password, STOP right there.
For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.
Also consult the manual on password_verify():
- http://php.net/manual/en/function.password-verify.php
Sidenote about using password_hash() and column length.
If and when you do decide to use password_hash() or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.
You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.