How to use password hashing with PDO to make my code more secure?

My code does work, but it is not protected at all. I do not want to use MD5, because it is not all that safe. I was looking at password hashing, but I'm not sure how to include it in my code.

Login:

```php
require_once __DIR__.'/config.php';
session_start();
$dbh = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_USERNAME, DB_USERNAME, DB_PASSWORD);
// Plain-text password goes into the query and is compared against a plain-text column
$sql = "SELECT * FROM users WHERE username = :u AND password = :p";
$query = $dbh->prepare($sql); // prepare
$params = array(":u" => $_POST['username'], ":p" => $_POST['password']);
$query->execute($params); // execute
$results = $query->fetchAll(); // then fetch
//hash passwords pls
if (count($results) > 0) {
    $firstrow = $results[0];
    $_SESSION['username'] = $firstrow['username'];
    echo "Hello {$firstrow['username']} you have successfully logged in";
    //header ("location:.php");
} else {
    echo "Login Has Failed";
    return;
}
```

Registration:

```php
$dbh = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_USERNAME, DB_USERNAME, DB_PASSWORD);
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
// Form values are concatenated straight into the SQL and the password is stored as plain text
$stmt = $dbh->prepare("insert into users set username='".$username."', email='".$email."', password='".$password."' ");
$stmt->execute();
echo "<p>Thank you, you are registered</p>";
```

Can someone show me how to include it in the code I have?

0
3 answers

Just use the library. Jokes aside, they exist for a reason.

Do not do it yourself. If you create your own salt, YOU ARE WRONG. You should use a library that handles this for you.

```php
$dbh = new PDO(...);
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
// password_hash() generates its own random salt and embeds it in the returned string
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);
```

And when logging in:

```php
$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$stmt->execute([$_POST['username']]); // execute() only returns a bool; fetch from the statement
$users = $stmt->fetchAll(PDO::FETCH_ASSOC);
if (isset($users[0])) {
    if (password_verify($_POST['password'], $users[0]['password'])) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}
```
+22
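The register/login round-trip from the answer above, written out as one script that runs stand-alone. This is an added example, not code from the answer or from PHP's own documentation: it swaps the question's MySQL database for an in-memory SQLite one so it runs offline, and the table layout, function names and sample users are assumptions. It also adds the two things a practitioner usually wants next to password_verify(): a failure path that behaves the same whether or not the username exists, and password_needs_rehash() so stored hashes are upgraded on login when PHP's default algorithm or cost changes.

```php
<?php
// Added example, not code from the original answer. Assumed schema and names;
// in-memory SQLite stands in for the question's MySQL database.
declare(strict_types=1);

function openDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of silently returning false.
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    // Assumed schema. On MySQL make the password column VARCHAR(255) so that
    // longer hashes from a future PASSWORD_DEFAULT still fit.
    $dbh->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL,
        password TEXT NOT NULL)');
    return $dbh;
}

function registerUser(PDO $dbh, string $username, string $email, string $password): void
{
    // password_hash() draws a random salt per call and stores it, the algorithm
    // and the cost inside the returned string; nothing else needs saving.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $dbh->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $stmt->execute([$username, $email, $hash]);
}

function dummyHash(): string
{
    // One real hash, computed once, used to keep the unknown-user path as slow
    // as the known-user path.
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

function loginUser(PDO $dbh, string $username, string $password): bool
{
    // Look up by username only; the password never goes into the query.
    $stmt = $dbh->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch();

    if ($row === false) {
        // Unknown user: still run one verification so response time does not
        // reveal whether the username exists, then fail the same way.
        password_verify($password, dummyHash());
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // If PHP's default algorithm or cost has moved on since this hash was
    // made, re-hash now while the plaintext is in hand.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $dbh->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Usage with constructed sample input.
$dbh = openDb();
registerUser($dbh, 'alice', 'alice@example.com', 'correct horse battery staple');

echo 'right password: ', var_export(loginUser($dbh, 'alice', 'correct horse battery staple'), true), PHP_EOL;
echo 'wrong password: ', var_export(loginUser($dbh, 'alice', 'wrong password'), true), PHP_EOL;
echo 'unknown user:   ', var_export(loginUser($dbh, 'mallory', 'anything'), true), PHP_EOL;

// Exercise the rehash path: plant a bcrypt hash with cost 4 (the lowest PHP
// accepts, well under the default), log in, and check it was upgraded.
$weak = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]);
$dbh->prepare('UPDATE users SET password = ? WHERE username = ?')->execute([$weak, 'alice']);
loginUser($dbh, 'alice', 'correct horse battery staple');
$stored = $dbh->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
echo 'still needs rehash after login: ', var_export(password_needs_rehash($stored, PASSWORD_DEFAULT), true), PHP_EOL;
```

PASSWORD_DEFAULT is bcrypt in current PHP releases, which only looks at the first 72 bytes of the password; if you need longer inputs, or memory-hard hashing, pass PASSWORD_ARGON2ID instead of PASSWORD_DEFAULT (available when PHP is built with Argon2 support) and the rest of the code stays the same, since password_verify() reads the algorithm from the stored string.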

About how to make the code more secure :

  • You should ALWAYS validate user input, even with the POST method, since it can be changed with Firebug before submitting the form. Since you are inserting user input into the query, this is much more important.

About your question itself

As I advised you in a comment, use PHPass or existing APIs that will do the job for you.

You will provide a username, password, and salt during account creation and insert the hash into the database.

At authentication time, you will regenerate the hash with the specified login + password and the information you added to generate the salt.

If both generated hashes match, the user is authenticated.

EDIT: Yes, the password is also good.

+2

Basically, you have two options that vary in complexity:

  • Store the hash of the user's registered password using the hash algorithm of your choice (more on this later).
  • Create a random salt (a permanent, secret string) that will be used together with the user's password to create a hash as described above, and then save this hash in the database.

When you retrieve a user record, you compare the hash computed from the provided password with the hash stored in the database.

Example:

```php
$HashedPass = hash('sha512', $password);
```

or with the predefined SALT:

```php
$HashedPass = hash('sha512', $password.SALT_STRING);
```

Save this in the database as before.

Authentication is performed similarly:

```php
$HashedPass = hash('sha512', $password.SALT_STRING);
```

and then fetch the record from the database and compare this hash with the saved one.

Now I would like to dwell on your concerns about hash algorithms: you do not need to use md5, you can also use more secure hash algorithms; see the comments here: PHP hash function. One of the suggestions is to use the sha512 algorithm.

Most importantly, you should understand that a hash is a one-way conversion: there is no practical way to reverse-engineer the original password from the hash alone, only perhaps to find alternative strings that produce the same hash string.

I hope you find that using a strong hash algorithm together with a salt, to mitigate the damage of a stolen hash DB, is suitable enough for your needs.

-1
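An added example, not part of the answer above, that runs the answer's "predefined SALT" scheme side by side with password_hash() from the accepted answer, to show concretely what a per-user random salt and a slow hash change for an attacker who has a copy of the users table. The user names, passwords, SALT_STRING value and wordlist are all constructed sample data; the two crack functions are a deliberately small offline-guessing model, not a real cracking tool.

```php
<?php
// Added example, not code from the original answer. All data below is constructed.
declare(strict_types=1);

const SALT_STRING = 'site-wide-secret'; // stands in for the answer's SALT_STRING

// The answer's scheme: one fixed salt for every user, fast SHA-512.
function staticSaltHash(string $password): string
{
    return hash('sha512', $password . SALT_STRING);
}

// Build the same user table under both schemes.
function buildTables(array $users): array
{
    $static = [];
    $perUser = [];
    foreach ($users as $name => $pw) {
        $static[$name]  = staticSaltHash($pw);
        $perUser[$name] = password_hash($pw, PASSWORD_DEFAULT); // fresh random salt each call
    }
    return [$static, $perUser];
}

// Offline guessing against a leaked table when the attacker also knows
// SALT_STRING (it lives in the same config file as the DB credentials):
// each guess is hashed once and compared against every row.
function crackStatic(array $table, array $wordlist): array
{
    $found = [];
    $hashesComputed = 0;
    foreach ($wordlist as $guess) {
        $h = staticSaltHash($guess);
        $hashesComputed++;
        foreach ($table as $name => $stored) {
            if (hash_equals($stored, $h)) {
                $found[$name] = $guess;
            }
        }
    }
    return ['found' => $found, 'hashes_computed' => $hashesComputed];
}

// Against password_hash() output the salt differs per row, so every guess has
// to be re-hashed for every user, and each evaluation is deliberately slow.
function crackPerUser(array $table, array $wordlist): array
{
    $found = [];
    $hashesComputed = 0;
    foreach ($table as $name => $stored) {
        foreach ($wordlist as $guess) {
            $hashesComputed++;
            if (password_verify($guess, $stored)) {
                $found[$name] = $guess;
                break;
            }
        }
    }
    return ['found' => $found, 'hashes_computed' => $hashesComputed];
}

// Constructed sample data: two users happen to share a password.
$users    = ['alice' => 'sunshine', 'bob' => 'letmein', 'carol' => 'sunshine'];
$wordlist = ['123456', 'password', 'letmein', 'sunshine', 'qwerty'];
[$static, $perUser] = buildTables($users);

// Under a global salt, equal passwords are visible in the leak before any cracking.
echo 'alice and carol share a hash (static salt):   ',
    var_export(hash_equals($static['alice'], $static['carol']), true), PHP_EOL;
echo 'alice and carol share a hash (password_hash): ',
    var_export(hash_equals($perUser['alice'], $perUser['carol']), true), PHP_EOL;

foreach (['static' => crackStatic($static, $wordlist),
          'per-user' => crackPerUser($perUser, $wordlist)] as $scheme => $r) {
    printf("%-8s cracked %d/%d accounts with %d hash evaluations\n",
        $scheme, count($r['found']), count($users), $r['hashes_computed']);
}
```

With this tiny wordlist both schemes crack every account, which is the point of the comparison: the difference is in cost. The static-salt run needs one SHA-512 per guess for the whole table, and SHA-512 is designed to be fast; the per-user run needs one bcrypt evaluation per guess per user, each taking tens of milliseconds at the default cost, and that multiplier is what makes the stolen table expensive to crack. Note also that hash_equals() is used for the comparisons rather than ==, which is the comparison the answer's own check should use.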

Source: https://habr.com/ru/post/977153/