
jaykappy

  1. Got it all to work....sorry for the confusing emails...was a bit confused if you can't tell... But way easy...works great...now just have to do some testing of the COST option... Last question....what would be the reason to manually create the SALT? Is it still secure and ok to use the default on this? Thank you for your time and patience....very appreciated....Cheers
  2. Thanks....seems pretty simple...so I take it, since I am not on 5.5, I would have to install a php file...then modify the php.ini file? Not really sure what the deal is with that. Thoughts? Thanks again for your time and patience. I go to the website below and can't find the download for the file?
     > There is a compatibility pack available for PHP versions 5.3.7 and later, so you don't have to wait on version 5.5 for using this function. It comes in form of a single php file: https://github.com/i...password_compat
  3. Thanks....reason i was talking about updating my version was: I am trying to implement 'password_compat' to hash passwords and with my current version i think i need the below mentioned php file...not sure how to install that, or get that going...
     1. put the file somewhere?
     2. reference it in php.ini?
     Can you shed some light on that?
     > There is a compatibility pack available for PHP versions 5.3.7 and later, so you don't have to wait on version 5.5 for using this function. It comes in form of a single php file: https://github.com/ircmaxell/password_compat
  4. oh yea....but is there not a version 5.5 that I can upgrade to? simply update through IIS PHP manager? Will it cause issues with current projects?
  5. I read this and it is starting to make sense..... https://wiki.php.net/rfc/password_hash
     Proper Version of PHP needed
     NO need to store SALT
     Seems the testing is quite easy. Last question...the post that Stryder posted with the code.....is that the PHP code that i need? Simply paste that into a php page and call it? Thanks
  6. I guess if all I have to do is copy that code into a php page and call it...I am curious how to do that...
     a. Making sure I am at proper PHP version...
     b. Copy the code from Strider into a PHP page???
     1. Call the Function to create a Hash...do i need to store the Salt in my table as well?
     2. How to properly call the Function Verify to test a password...does it return true false?
  7. ......................................................
  8. with recommendation of trq and strider64 ...I was looking into using 'password_compat' to handle my password hashing. I noticed that I was still using PHP 5.3.19 and 'password_compat' requires 5.3.7.... I assume that any newer version will work just fine? What is my best practice for updating my PHP version. Will this interfere with anything I already am running on my website? I think that I simply need to download the newer version then in IIS Manager under PHP setup click 'register new PHP version' and point to the new exe? Any help on doing this update would be appreciated. Thanks
  9. First off thanks.
     1. So if I was to use password_compat i could do away with the SALT that I was using...and just push the user defined password to:
         $hash = password_hash($password, PASSWORD_BCRYPT);
        and be done with it...
     2. But what if I give the user the ability to change their password...do I simply run it through this again? recreating a new password?
  10. I was using MD5 to encrypt my password in testing. I am not trying to move to Hash and Salt...read a bit about it and it sort of makes sense...some of it goes right over my head. I am working from the example below...I have a password field and a salt field which get populated...
      Questions:
      1. Is this a viable option..before I invest time to get it working I want to know if this is something that is going to be around for a while...
      2. Seeing the example below...is there something else I can add to increase security? Wondering if this was just an overview of using a salt, thus not a very effective solution
      Thanks

          if(!empty($_POST['password'])) {
              $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
              $password = hash('sha256', $_POST['password'] . $salt);
              for($round = 0; $round < 65536; $round++) {
                  $password = hash('sha256', $password . $salt);
              }
          } else {
              // If the user did not enter a new password we will not update their old one.
              $password = null;
              $salt = null;
          }

          // Initial query parameter values
          $query_params = array(
              ':email' => $_POST['email'],
              ':user_id' => $_SESSION['user']['id'],
          );

          // If the user is changing their password, then we need parameter values
          // for the new password hash and salt too.
          if($password !== null) {
              $query_params[':password'] = $password;
              $query_params[':salt'] = $salt;
          }

          // Note how this is only first half of the necessary update query. We will dynamically
          // construct the rest of it depending on whether or not the user is changing
          // their password.
          $query = "
              UPDATE users
              SET email = :email
          ";

          // If the user is changing their password, then we extend the SQL query
          // to include the password and salt columns and parameter tokens too.
          if($password !== null) {
              $query .= "
                  , password = :password
                  , salt = :salt
              ";
          }

          // Finally we finish the update query by specifying that we only wish to update the one record with for the current user.
          $query .= "
              WHERE id = :user_id
          ";

          // Execute the query
          $stmt = $db->prepare($query);
          $result = $stmt->execute($query_params);
  11. I tried to edit my post above but could not....I switched to this for testing the password

          $posted_password = $_POST['password'];
          if (isset($posted_password) AND $posted_password != ''){

      instead of

          if(!empty($posted_password)){

      Thoughts? Thanks
  12. First off Thank you very much for your help and patience...it is greatly appreciated...green here and it shows but catching on... As for creating the Query as a string...I thought I was still doing that BUT in three parts. ( using the $query .= " I am able to bring all three parts together )..in the second I am testing to see if there was a password modifications (ie something in the textbox) if so include it in the Query string...if not then don't reference it. I don't know of any other way to do this....BUT in the end I concatenate all 3 pieces and create one String Query. Not using the While loop with the Array makes perfect sense seeing that I am only looking for one record and not even testing for more than one anyways...pointless... Removing the While loop and For Loop makes perfect sense and referencing the return values with $user['user_id'] works great... I thank you...was able to clean my code up quite a bit....really starting to see the bigger picture here...slow moving as I don't get a ton of time to devote to this....just minutes here and there.... Last question....if the below is NOT GOOD practice....then what should I test for....assuming that my textbox on the form is empty to start with...I need to test to see if they placed a value in there or not...Maybe test for "Length > x", maybe adding htmlentities as well

          if(!empty($_POST['password'])){

      Thank you very much for your help and guidance...very appreciated.
  13. This is all my code I am using...
      1. For some reason I cannot get the Session User email with this? $_SESSION['user']['email']; I had to run a query to grab the user info with this function... I start with getting the SESSION user id, name etc. Then use the code below to do a few validations etc... then while building the Query I test if the Password is blank, if so don't include that in the query as the user did not specify they wanted it changed... I think things are working....although a bit chaotic ... Anyone see anything that could be done better or security issues? besides the md5...will get to that later

          Function getuser($getuser){
              $getuser = mysql_real_escape_string($getuser);
              $user = array();
              $user_query = mysql_query("SELECT `user_id`, `name`, `email` FROM `users` WHERE `user_id`=".$_SESSION['user_id']."");
              While ($user_row = mysql_fetch_assoc($user_query)){
                  $user[] = array(
                      'userid' => $user_row['user_id'],
                      'user_name' => $user_row['name'],
                      'user_email' => $user_row['email']
                  );
              }
              return $user;
          }

          $user = getuser($getuser);

          //// loop through array and return values
          foreach ($user as $individual){ }
          $email = $individual['user_email'];
          $user_id = $individual['userid'];

          if(!empty($_POST)) {
              $user_email = $_POST['email'];
              $errors = array();

              // VALIDATE EMAIL FORMAT
              if (filter_var($user_email, FILTER_VALIDATE_EMAIL) === false){
                  $errors[] = 'Email not valid';
              }
              // MAKE SURE VALUE EXISTS
              if (empty($user_email)){
                  $errors[] = 'you need an email address';
              }
              if($_POST['email'] != $email) {
                  if (user_exists($user_email) === true){
                      $errors[] = 'user already exists';
                  }
              }

              //// SET PASSWORD VARIABLE IF PASSWORD CHANGING
              if(!empty($_POST['password'])){
                  $password = $_POST['password'];
              } else {
                  // If the user did not enter a new password we will not update their old one.
                  $password = null;
              }

              // display errors if exist, else modify the user
              if (!empty($errors)){
                  foreach ($errors as $error){
                      echo $error, '<br />';
                  }
              }else{
                  $email = mysql_real_escape_string($user_email);
                  $password = md5($password);
                  $query = " UPDATE users SET email = '{$email}' ";
                  //// If the user is changing their password, then we extend the SQL query to include the password.
                  if(empty($_POST['password'])){
                      echo 'EMPTY PASSWORD';
                  } else {
                      $query .= " , password = '{$password}' ";
                  }
                  // Finally we finish the update query by specifying that we only wish to update the one record with for the current user.
                  $query .= " WHERE `user_id` = {$_SESSION['user_id']} ";
                  $result = mysql_query($query);
                  if(!$result){
                      //Query failed
                      echo "Query failed!<br>Query: {$query}<br>Error: " . mysql_error();
                  } elseif(!mysql_affected_rows()){
                      //No record was updated
                      echo "No records updated!<br>Query: {$query}";
                  }else{
                      //Record was updated
                      echo 'successful update';
                      echo $user_email;
                      echo $password;
                      $_SESSION['user']['email'] = $_POST['email'];
                      echo $_SESSION['user']['email'];
                  }
              }
          }
  14. Thanks everyone...I am trying this and seem to be hitting snags...syntax I assume... Doing this so I can test if the password has been modified? If not then don't include in Query string

          $query = " UPDATE users SET email = '{$email}' ";
          // If the user is changing their password, then we extend the SQL query to include the password and salt columns and parameter tokens too.
          if($password !== null) {
              $query .= " , password = '{$password}' ";
          }
          // Finally we finish the update query by specifying that we only wish to update the one record with for the current user.
          $query .= " WHERE user_id = {$_SESSION['user_id']} ";
  15. Trying to update a record...I don't get any errors but no update happening...Can anyone see anything standing out? I can post more code if need be.

          echo 'successful update';
          echo $user_email;
          echo $password;
          $email = mysql_real_escape_string($user_email);
          $password = mysql_real_escape_string($password);
          mysql_query("UPDATE users SET email='$email' password='.md5($password)' WHERE `user_id`=".$_SESSION['user_id']." ");
          $_SESSION['user']['email'] = $_POST['email'];
          echo $_SESSION['user']['email'];
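The questions running through these posts (whether a salt column is still needed and whether the default salt is safe, what password_verify() returns, what to do when a user changes their password, how to build the UPDATE so the password column is only touched when a new one was typed, and what to test instead of empty()) fit in one worked example. This is an added illustration, not jaykappy's code and not code from password_compat; it assumes PHP 5.5 or later (or password_compat's password.php loaded with require_once on 5.3.7+), a PDO connection in $pdo, a `users` table with columns user_id, email and password, and the constant name HASH_COST. The demonstration at the bottom uses an in-memory SQLite database so it runs without a MySQL server.

```php
<?php
// Added example (not jaykappy's code, not password_compat's): profile update that
// changes the email and, only when a new password was actually typed, replaces the
// stored bcrypt hash. Assumes PHP >= 5.5 (or password_compat loaded via require_once),
// a PDO connection in $pdo, and a `users` table with user_id, email, password.

// bcrypt work factor (the "cost" option); 10 is the library default. Raise it until
// one hash takes roughly 50-100 ms on the server that will run the logins.
const HASH_COST = 10;

// password_hash() generates a random salt itself and embeds it in the returned
// string, so the table needs no salt column and no hand-rolled salt generation.
function make_password_hash($plaintext) {
    return password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => HASH_COST));
}

// Login check: returns true or false. The salt is read back out of $stored_hash.
function check_password($plaintext, $stored_hash) {
    return password_verify($plaintext, $stored_hash);
}

// After a successful login, upgrade hashes made with an older cost by hashing the
// just-verified plaintext again. Returns the new hash, or null if none is needed.
function rehash_if_needed($plaintext, $stored_hash) {
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, array('cost' => HASH_COST))) {
        return make_password_hash($plaintext);
    }
    return null;
}

// "Did the user type a new password?"  empty() is the wrong test here because
// empty("0") is true in PHP, so a user choosing the password "0" would be ignored.
function new_password_supplied(array $post) {
    return isset($post['password']) && is_string($post['password']) && $post['password'] !== '';
}

// Build and run the UPDATE with bound parameters. Values never become part of the
// SQL text, so no escaping is needed and user input cannot change the statement.
function update_profile(PDO $pdo, $user_id, array $post) {
    $email = filter_var(isset($post['email']) ? $post['email'] : '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return array('ok' => false, 'error' => 'Email not valid');
    }

    $sql    = 'UPDATE users SET email = :email';
    $params = array(':email' => $email, ':user_id' => $user_id);

    if (new_password_supplied($post)) {
        // Changing a password is just hashing the new one; the old hash is discarded.
        $sql .= ', password = :password';
        $params[':password'] = make_password_hash($post['password']);
    }

    $sql .= ' WHERE user_id = :user_id';

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return array('ok' => true,
                 'password_changed' => isset($params[':password']),
                 'rows' => $stmt->rowCount());
}

// Constructed demonstration against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'old@example.com', '')");

// Empty password box: only the email column changes.
var_dump(update_profile($pdo, 1, array('email' => 'new@example.com', 'password' => '')));
// New password typed: the password column is replaced with a bcrypt hash.
var_dump(update_profile($pdo, 1, array('email' => 'new@example.com', 'password' => 'hunter22')));

$stored = $pdo->query('SELECT password FROM users WHERE user_id = 1')->fetchColumn();
var_dump(check_password('hunter22', $stored));
var_dump(check_password('wrong guess', $stored));
var_dump(rehash_if_needed('hunter22', $stored));
```

In the demonstration the first update reports password_changed as false and the second as true; check_password() then returns true for the real password and false for the wrong one, and rehash_if_needed() returns null because the stored hash already uses HASH_COST. Hashing the same password twice yields two different strings, because each call draws a fresh salt; that is why a separate salt column is unnecessary and why the library default is the one to use rather than a manually built salt.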