Insert password hash using PDO prepared statements

In a basic MySQL insert, you can set the password variable with "PASSWORD($password)", but this breaks the PDO statement.

How do you use a password when using PDO::prepare and PDO::execute?

$sql= "INSERT INTO contractors (userid, password, name) VALUES ('$userid', '$pass1', '$name')";
$result = $dbh->prepare($sql);
$count = $result->execute();

Echo $count."<br>";

I'm such a n00b, a simple registration page took me two days. Kindergarten-level responses are welcome.

thanks,

+3
5 answers

If you want to use the hash using MD5, you can do the following with a password before creating the SQL statement:

$pass1 = md5($pass1);
$sql = "INSERT INTO contractors ( userid, password, name ) VALUES ( '$userid', '$pass1', '$name' )";
$result = $dbh->prepare($sql);
$count = $result->execute();

echo $count."<br>";

The idea is the same even if it is a different hash function. Hash the password before creating the SQL statement.

Fiarr VoteyDisciple , SHA , .

sha1()

0

. , , . , SO.

PDO, :

$sql= "INSERT INTO contractors (userid, password, name) VALUES (?, ?, ?)";
$result = $dbh->prepare($sql);
$count = $result->execute(array($userid, $pass1, $name));

echo $count."<br>";

Blowfish/bcrypt MD5 SHA1. PHP 5.3 crypt $2y$. PHP 5.5 password_hash. ircmaxell password_compat library .

crypt . , . , , .

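// bcrypt needs a 22-character salt from ./0-9A-Za-z; generate a random one per user (random_bytes() needs PHP 7+)
$salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$password_hash = crypt($pass1, '$2a$07$' . $salt);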
$sql= "INSERT INTO contractors (userid, password, salt, name) VALUES (?, ?, ?, ?)";
$result = $dbh->prepare($sql);
$count = $result->execute(array($userid, $password_hash, $salt, $name));

echo $count."<br>";

, .

$sth = $dbh->prepare('SELECT password, salt FROM contractors WHERE userid = ?');
$sth->execute(array($userid));
list($existing_hash, $salt) = $sth->fetch(PDO::FETCH_NUM);
unset($sth);

$new_hash = crypt($pass1, '$2a$07$' . $salt);
if($new_hash === $existing_hash) {
    echo "Password matched.";
} else {
    echo "Password did not match.";
}
+14
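
The placeholder insert and the `password_hash` route mentioned in the answer above, combined into one runnable script. This is an added example, not code from any of the answers; it assumes PHP 7+ with the pdo_sqlite extension, and the in-memory database, the `register()`/`login()` helpers, the cost value and the sample credentials are constructed for illustration.

```php
<?php
// Added example. Table layout follows the question; credentials are constructed.
$dbh = new PDO('sqlite::memory:'); // assumption: pdo_sqlite is installed
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE contractors (
    userid TEXT PRIMARY KEY, password TEXT NOT NULL, name TEXT NOT NULL)');

const HASH_OPTIONS = ['cost' => 12]; // assumed work factor; tune to your hardware

function register(PDO $dbh, string $userid, string $pass1, string $name): bool
{
    // password_hash() picks a random salt and stores algorithm, cost and salt
    // inside the returned string, so no separate salt column is needed.
    $hash = password_hash($pass1, PASSWORD_BCRYPT, HASH_OPTIONS);
    $stmt = $dbh->prepare(
        'INSERT INTO contractors (userid, password, name) VALUES (?, ?, ?)');
    $stmt->execute([$userid, $hash, $name]); // values travel as data, never as SQL
    return $stmt->rowCount() === 1;
}

function login(PDO $dbh, string $userid, string $pass1): bool
{
    $stmt = $dbh->prepare('SELECT password FROM contractors WHERE userid = ?');
    $stmt->execute([$userid]);
    $hash = $stmt->fetchColumn(); // false when the userid does not exist
    // password_verify() re-derives the hash from the embedded salt and
    // compares in constant time.
    if ($hash === false || !password_verify($pass1, $hash)) {
        return false;
    }
    // Transparently upgrade hashes created under an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $upd = $dbh->prepare('UPDATE contractors SET password = ? WHERE userid = ?');
        $upd->execute([password_hash($pass1, PASSWORD_BCRYPT, HASH_OPTIONS), $userid]);
    }
    return true;
}

// Constructed inputs: the quote characters are stored and matched literally.
var_dump(register($dbh, "o'brien", 'correct horse battery', "Pat O'Brien"));
var_dump(login($dbh, "o'brien", 'correct horse battery'));
var_dump(login($dbh, "o'brien", 'wrong guess'));
var_dump(login($dbh, "nobody' OR '1'='1", 'x'));
```
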
<?php
try {
  $dbh = new PDO("mysql:host=$hostname;dbname=$dbname", $username, $password);
  $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  // prepare() below returns the PDOStatement; it must not be constructed by hand

  $hash = sha1($pass . $dataUniqueToEachUser);
  $stmt = $dbh->prepare("INSERT INTO Users(name, email, hash) VALUES (:name, :email, :hash)");
  $stmt->bindParam(':name', $_POST['username'], PDO::PARAM_STR);
  $stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR);
  $stmt->bindParam(':hash', $hash, PDO::PARAM_STR);
  $stmt->execute();

  // With ERRMODE_EXCEPTION a failed insert throws, so one affected row means success
  if ($stmt->rowCount() == 1) {
   $valid = true;
  }
}
catch (PDOException $e) {
  error_log($e->getMessage()); // keep driver and query details out of the response
  echo "An error occurred.";
}
?>
+1

, SQL-, $userid .

PDO ( , .prepare):

$sql = "INSERT INTO contractors (userid, password, name) VALUES (?, PASSWORD(?), ?)";
$query = $dbh->prepare($sql);
$query->execute(array($userid, $pass1, $name)); // execute() belongs to the prepared statement, not the connection

, PASSWORD(). , , . MySQL (), - :

$sql = "INSERT INTO contractors (userid, password, name) VALUES (?, ?, ?)";
$query = $dbh->prepare($sql);
$query->execute(array($userid, sha1($hashed), $name)); // execute() belongs to the prepared statement, not the connection

:

$hashed = sha1("SaltedPassword" . $pass1);
0

, , (, , ). , opinion, , , , :

$pass1 = sha1($pass1.$name);

Note: md5, as suggested above, is not the best solution, since there are currently many online databases with keywords related to md5 hash variables, which makes it easier for those who want to hack your system.

-1

Source: https://habr.com/ru/post/1716952/

