Jump to content

[SOLVED] Storing and sanitising passwords

mattyvx

By mattyvx
in PHP Coding Help

 Share

Recommended Posts

mattyvx Member

mattyvx

Posted
Posted

To complete a registration the users on my site must have a password. As of yet there is no restricted content for them to log in to and the main reason for me requiring a password is incase the user should

 

a) need to update details

b) want to upload a profile picture so only the account holder can upload a picture for their profile.

 

My questions are;

 

1. What is best practice for sanitising this field, if any.

2. I read something about storing the passwords in a special format for mysql databases (i currently use myPHP admin) can anyone expand / give examples.

 

thanks in advance.

Link to comment
Share on other sites
Daniel0 Advanced Member

Daniel0

Posted
Posted

1. What is best practice for sanitising this field, if any.

 

It depends on what you are going to use the value for. If it's to be used as XML/HTML/XHTML/CSV/SQL/JSON/YAML/MySQL/Oracle/etc., the way you'll sanitize it differs. Even if you say it's MySQL, PHP has three different ways of doing it: the mysql extension, the mysqli (MySQL improved) extension, and the PDO extension. Then within MySQLi/PDO you may choose to use prepared statements or escape things manually.

 

2. I read something about storing the passwords in a special format for mysql databases (i currently use myPHP admin) can anyone expand / give examples.

 

A hashing algorithm and a salt will usually suffice. You could use something like sha256 with hash; that'll be stronger than e.g. md5(). The longer the salt the better as well.

Link to comment
Share on other sites
mattyvx Member

mattyvx

Posted
  • Author
Posted

Ok im kinda out of my depth here. I've just done some googling on what you said and im still not sure;

 

Lets start with basics.

 

The password will be used later on along with a username so a user can access an image upload box. Via query i will identify which user has "logged in" and when they upload an image this image will be renamed after the users unique ID (already setup).

 

The password is captured using a php/html form and then I want to store this value in my database.

 

so;

 

1)Which data type should i set for the password column in my database.

2)Currently im capturing the password with 

$price = cleanString($_POST['Price']);

before it goes into the INSERT sql query. Do i need to encrypt the password before its inserted if so, how?! Will i need to write an "encryption function"?

 

thanks for your patience - perhaps i should note that i currently have this setup and working but im only using a text field client side and varchar serverside and want to improve the security and that the function cleanString runs the my_sql_real_escape and stripslashes.

 

 

 

Link to comment
Share on other sites
roopurt18 Advanced Member

roopurt18

Posted
Posted
1. What is best practice for sanitising this field, if any.

Passwords are character data so you sanitize them the way you would any other piece of character data before inserting them into the database.

 

2. I read something about storing the passwords in a special format for mysql databases (i currently use myPHP admin) can anyone expand / give examples.

The "special format" you speak of is password protection, of which there are two types:

1) one-way hashing

2) two-way encryption

 

A hashing function will convert a text-input into a random string.  The length of the random string is predetermined by the hashing function.  For example, and md5 hash is 32 characters (I believe) and a sha1 hash is 40 characters.  Thus the hashing function you choose will determine the field length in your database.  It is impossible to retrieve the original password from a hash.  Therefore a hash is suitable for any situation in which you will never have to re-display the original information.

 

Encryption essentially scrambles the data into what looks like garbage.  There are many different encryption algorithms and strengths at which they can run.  Encryption can be reversed in that you can retrieve the originally encrypted data.  Thus encryption is suitable for data that needs to be protected but possibly re-displayed to a human at a later point in time.  There is no set length for encrypted data; so a varchar field of 32, 64, or 128 chars may be appropriate.  Additionally, encryption functions return binary data, which not all database engines store neatly.  Sometimes it is appropriate (or just plain easier) to base64 encode / decode binary data when inserting / retrieving from the database.

 

Lastly, a salt is a form of protection against dictionary based attacks.  A salt is just a string of random characters that your program will add to the user's password before hashing it.  The purpose of the salt is to change the range of outputs from the hashing function so that attackers can't use pre-built dictionaries to compromise stolen databases.  If that doesn't make any sense to you, that's ok.  Just add a salt anyways.  :)

Link to comment
Share on other sites
roopurt18 Advanced Member

roopurt18

Posted
Posted
the function cleanString runs the my_sql_real_escape and stripslashes.

 

I just saw this, hence my new post.

 

I hope you meant addslashes() and not stripslashes().  You should be doing one or the other, but not both.  Anyways, mysql_real_escape_string() is sufficient for escaping data to be inserted into your MySQL database.  No other function is necessary when inserting or updating data.

Link to comment
Share on other sites
mattyvx Member

mattyvx

Posted
  • Author
Posted

I hope you meant addslashes() and not stripslashes()....

 

Yes i should have explained further. The stipslashes is only called if magic_quotes is on. Then the string is escaped regardless.

 

I understand, thats what I thought i needed to do but I wanted to be sure. For my purposes i'd probably say encryption is the more suitable of the two methods.

 

I'm not afriad to "get my hands dirty" for want off a better phrase and research encoding functions but if you could either provide an example of the layout / function or direct me to a decent site which covers the topic then i'd be happy to follow that up.

 

Id imagine it would look something like;

 

$price = cleanString($_POST['Price']); 

encryptionfunction($price);

//then insert the result 

$insert = "INSERT $Price INTO..........."

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.