rondog Posted March 3, 2011

I've never done salting before. Usually just use md5, but the rainbow tables kinda scare me. Anyway, I read up a little on salting and does this look right? (right meaning effective) Also, my salt string, is it case sensitive when I crypt it?

<?php
if (isset($_POST['submit'])) {
    // fixed, application-wide salt
    $salt = "someStringThatonlYYiWillKnow!";

    $username = stripslashes(mysql_real_escape_string(strtolower($_POST['username'])));
    $password = stripslashes(mysql_real_escape_string(md5($_POST['password'])));

    // hash the md5 of the submitted password with the fixed salt
    $ePass = crypt($password, $salt);

    $query = mysql_query("SELECT active,username,password FROM usernames WHERE username = '" . $username . "' AND password = '" . $ePass . "'") or die(mysql_error());
    $num = mysql_num_rows($query);

    if ($num == 1) {
        $result = mysql_fetch_array($query);
        if ($result['active'] == 'yes') {
            $_SESSION['user']['username'] = $result['username'];
            $_SESSION['user']['authed'] = true;
            header("Location: main.php");
        } else {
            $error = "
            <div class=\"notification information\">
                <div>We located your account, however, it has not been activated by an admin yet.</div>
            </div>";
        }
    } else {
        $error = "
        <div class=\"notification error\">
            <div>Invalid Username / Password.</div>
        </div>";
    }
}
?>
johnny86 Posted March 3, 2011

You should specify what type of algorithm you are using: If Sha512 is supported then you'd start your salt with $6$rounds=5000$ where $6$ will tell crypt to use sha512 and rounds=5000$ will tell how many loops crypt should use. For Sha512 you need a 16 character long salt. And preferably use random salt generation so the salts will always be different. In addition use random loop count too.

When you crypt your password use:

crypt($pw, $salt);

and insert into your db. When you fetch your password from db use it like this:

if (crypt($user_input, $pw_from_db) === $pw_from_db) {
    // Passwords match
}

Crypt will automatically extract the salt from the crypted password. You should also look into http://www.openwall.com/phpass/ for easy and well implemented password crypting.
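A worked version of the scheme johnny86 describes: SHA-512 crypt selected by the $6$ prefix, a random 16-character salt, a random round count, and verification by re-crypting the input with the stored hash as the setting string. This is an added example, not code from the thread. It assumes PHP 7 or later (for random_bytes(), random_int() and hash_equals()); the function names generate_salt, hash_password and verify_password are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and a crypt()
// that supports the SHA-512 ($6$) scheme (PHP ships its own since 5.3).

// crypt() salts are drawn from the alphabet [./0-9A-Za-z]. base64 of
// 12 random bytes is exactly 16 characters with no '=' padding; '+' is
// swapped for '.' so every character is in the allowed alphabet.
function generate_salt(): string
{
    $raw = base64_encode(random_bytes(12));
    return substr(strtr($raw, '+', '.'), 0, 16);
}

// Builds a "$6$rounds=N$salt$" setting with a randomised round count
// and returns the full crypt string (algorithm, rounds, salt and hash
// are all embedded in it, so nothing else needs to be stored).
function hash_password(string $password, int $minRounds = 50000, int $maxRounds = 60000): string
{
    $rounds  = random_int($minRounds, $maxRounds);
    $setting = sprintf('$6$rounds=%d$%s$', $rounds, generate_salt());
    $hash    = crypt($password, $setting);

    // crypt() signals an unsupported setting with a very short string
    // such as "*0"; never store that as a password hash.
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() does not support SHA-512 on this build');
    }
    return $hash;
}

// Re-crypt the candidate with the stored hash as the setting: crypt()
// re-reads the algorithm, rounds and salt from it. hash_equals() keeps
// the comparison time independent of where the strings first differ.
function verify_password(string $input, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($input, $storedHash));
}

// Constructed demo values.
$stored = hash_password('correct horse battery staple');
echo "stored: $stored\n";
echo 'correct password verifies: ', var_export(verify_password('correct horse battery staple', $stored), true), "\n";
echo 'wrong password verifies:   ', var_export(verify_password('wrong password', $stored), true), "\n";
// Two hashes of the same password differ because salt and rounds are random.
echo 'second hash identical:     ', var_export($stored === hash_password('correct horse battery staple'), true), "\n";
```

Only the string returned by hash_password() goes into the database; the salt and round count never need their own columns because crypt() parses them back out of the hash at verification time. On PHP 5.5 and later the built-in password_hash() / password_verify() pair does the same job (salt generation, algorithm prefix, comparison) and is the simpler choice for new code.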
rondog (Author) Posted March 3, 2011

excellent thanks for that link
cunoodle2 Posted March 3, 2011

Looks like you have this pretty well down. Can I suggest that you look into using php PDO statements to make your SQL items more secure? It should be something you are working towards. Otherwise looking pretty good.
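Putting cunoodle2's PDO suggestion together with the verification pattern from johnny86's post, as an added example that is not code from the thread: the username is passed to the query as a bound parameter, so no manual escaping is needed, and the password is never placed in SQL at all; the stored crypt hash is fetched by username and checked with crypt(). To run stand-alone it uses an in-memory SQLite database (it assumes PHP 7+ with the pdo_sqlite extension); the same PDO calls work against MySQL by changing the DSN. The table `usernames` with columns active, username and password follows the original post; the function names connect, register and login are my own.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ and pdo_sqlite.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // throw on SQL errors instead of silently returning false
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE usernames (username TEXT PRIMARY KEY, password TEXT NOT NULL, active TEXT NOT NULL)');
    return $db;
}

// Stores a SHA-512 crypt hash with a random 16-character salt. The round
// count is left at 5000 here for brevity; a randomised count works the same way.
function register(PDO $db, string $username, string $password, string $active): void
{
    $salt    = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    $hash    = crypt($password, '$6$rounds=5000$' . $salt . '$');
    $stmt    = $db->prepare('INSERT INTO usernames (username, password, active) VALUES (:u, :p, :a)');
    $stmt->execute([':u' => strtolower($username), ':p' => $hash, ':a' => $active]);
}

// Returns the account row on success, null otherwise. The username travels
// as a bound parameter (quotes in it are data, not SQL) and the password
// never touches the query: it is checked against the fetched hash instead.
function login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT active, username, password FROM usernames WHERE username = :u');
    $stmt->execute([':u' => strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run crypt() so the response time does not
        // reveal whether the username exists.
        crypt($password, '$6$rounds=5000$0000000000000000$');
        return null;
    }
    if (!hash_equals($row['password'], crypt($password, $row['password']))) {
        return null;
    }
    return $row;
}

// Constructed demo data.
$db = connect();
register($db, 'Alice', 'correct horse battery staple', 'yes');
register($db, "o'brien", 'another long passphrase', 'no');

foreach ([
    ['alice',   'correct horse battery staple'],  // right password, activated
    ['alice',   'wrong password'],                // wrong password
    ["o'brien", 'another long passphrase'],       // right password, not yet activated
    ['nobody',  'whatever'],                      // unknown user
] as [$user, $pass]) {
    $row = login($db, $user, $pass);
    if ($row === null) {
        echo "$user: invalid username / password\n";
    } elseif ($row['active'] !== 'yes') {
        echo "$user: account found but not activated yet\n";
    } else {
        echo "$user: logged in\n";
    }
}
```

The lookup deliberately selects by username only and then compares the hash in PHP, rather than putting the computed hash into the WHERE clause as the original query does: with per-user random salts the application cannot know the salt until it has read the row, so the fetch-then-verify order is what makes random salting work at all.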
Pikachu2000 Posted March 3, 2011

Do you realize that you will undo mysql_real_escape_string() by doing this without checking for magic_quotes_gpc()? Also there's no reason to escape a value that will be hashed, and in some cases it can be detrimental to do so.

$username = stripslashes(mysql_real_escape_string(strtolower($_POST['username'])));
$password = stripslashes(mysql_real_escape_string(md5($_POST['password'])));

Make it:

if (get_magic_quotes_gpc()) {
    $username = mysql_real_escape_string(stripslashes(strtolower($_POST['username'])));
} else {
    $username = mysql_real_escape_string(strtolower($_POST['username']));
}
$password = md5($_POST['password']);