rondog, Posted March 3, 2011

I've never done salting before. Usually I just use md5, but the rainbow tables kinda scare me. Anyway, I read up a little on salting, and does this look right? ("right" meaning effective.) Also, my salt string: is it case sensitive when I crypt it?

    <?php
    if (isset($_POST['submit'])) {
        $salt = "someStringThatonlYYiWillKnow!";
        $username = stripslashes(mysql_real_escape_string(strtolower($_POST['username'])));
        $password = stripslashes(mysql_real_escape_string(md5($_POST['password'])));
        $ePass = crypt($password, $salt);
        $query = mysql_query("SELECT active,username,password FROM usernames WHERE username = '" . $username . "' AND password = '" . $ePass . "'") or die(mysql_error());
        $num = mysql_num_rows($query);
        if ($num == 1) {
            $result = mysql_fetch_array($query);
            if ($result['active'] == 'yes') {
                $_SESSION['user']['username'] = $result['username'];
                $_SESSION['user']['authed'] = true;
                header("Location: main.php");
            } else {
                $error = "
                <div class=\"notification information\">
                    <div>We located your account, however, it has not been activated by an admin yet.</div>
                </div>";
            }
        } else {
            $error = "
            <div class=\"notification error\">
                <div>Invalid Username / Password.</div>
            </div>";
        }
    }
    ?>

https://forums.phpfreaks.com/topic/229507-is-this-a-proper-use-of-salt/
johnny86, Posted March 3, 2011

You should specify what type of algorithm you are using: if SHA-512 is supported then you'd start your salt with $6$rounds=5000$, where $6$ will tell crypt to use SHA-512 and rounds=5000$ will tell how many loops crypt should use. For SHA-512 you need a 16 character long salt. And preferably use random salt generation so the salts will always be different. In addition, use a random loop count too.

When you crypt your password use:

    crypt($pw, $salt);

and insert into your db. When you fetch your password from the db, use it like this:

    if (crypt($user_input, $pw_from_db) === $pw_from_db) {
        // Passwords match
    }

Crypt will automatically extract the salt from the crypted password. You should also look into http://www.openwall.com/phpass/ for easy and well implemented password crypting.
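A worked version of the scheme johnny86 describes, added here as an editor's example (not code from the thread or from phpass): a random 16-character salt, SHA-512 crypt with an explicit round count, and verification by re-running crypt() with the stored string as the salt. It assumes PHP 7 or later for random_bytes(), random_int() and hash_equals().

```php
<?php
// Editor's example, not from the thread. Assumes PHP >= 7.0.

// crypt() salts may only use this 64-symbol alphabet.
const CRYPT_SALT_ALPHABET =
    './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

function makeSha512Salt(int $rounds): string
{
    // 16 random salt characters; 256 % 64 == 0, so no modulo bias.
    $bytes = random_bytes(16);
    $salt  = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= CRYPT_SALT_ALPHABET[ord($bytes[$i]) % 64];
    }
    // $6$ selects SHA-512; rounds= is the iteration count (1000..999999999).
    return sprintf('$6$rounds=%d$%s', $rounds, $salt);
}

function hashPassword(string $password): string
{
    // Vary the round count as the post suggests, but keep it well above
    // the default of 5000 so brute force stays expensive.
    $rounds = random_int(50000, 60000);
    $hash   = crypt($password, makeSha512Salt($rounds));
    // crypt() signals an unsupported algorithm with a very short result.
    if (strlen($hash) < 13) {
        throw new RuntimeException('SHA-512 crypt is not available');
    }
    return $hash; // store the whole string; algorithm, rounds and salt are inside it
}

function verifyPassword(string $input, string $storedHash): bool
{
    // crypt() re-reads algorithm, rounds and salt from the stored hash, so
    // no separate salt column is needed. hash_equals() compares in constant
    // time, which a plain === does not.
    return hash_equals($storedHash, crypt($input, $storedHash));
}

// Two users with the same password still get different stored hashes.
$h1 = hashPassword('correct horse');
$h2 = hashPassword('correct horse');
var_dump($h1 !== $h2);                          // bool(true)
var_dump(verifyPassword('correct horse', $h1)); // bool(true)
var_dump(verifyPassword('Correct horse', $h1)); // bool(false)
```

On PHP 5.5 and later, password_hash() and password_verify() wrap this same salt-in-the-hash pattern and are the simpler choice.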
rondog (Author), Posted March 3, 2011

Excellent, thanks for that link.
cunoodle2, Posted March 3, 2011

Looks like you have this pretty well down. Can I suggest that you look into using PHP PDO statements to make your SQL items more secure? It should be something you are working towards. Otherwise, looking pretty good.
Pikachu2000, Posted March 3, 2011

Do you realize that you will undo mysql_real_escape_string() by doing this without checking for magic_quotes_gpc()? Also, there's no reason to escape a value that will be hashed, and in some cases it can be detrimental to do so.

    $username = stripslashes(mysql_real_escape_string(strtolower($_POST['username'])));
    $password = stripslashes(mysql_real_escape_string(md5($_POST['password'])));

Make it:

    if (get_magic_quotes_gpc()) {
        $username = mysql_real_escape_string(stripslashes(strtolower($_POST['username'])));
    } else {
        $username = mysql_real_escape_string(strtolower($_POST['username']));
    }
    $password = md5($_POST['password']);