booxvid Posted August 15, 2012 Share Posted August 15, 2012 How to have password encryption and password salting in your login? Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/ Share on other sites More sharing options...
xyph Posted August 15, 2012 Share Posted August 15, 2012 Check out the article in my signature. It's very in-depth, up to date, and the methods used are very secure. Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369676 Share on other sites More sharing options...
booxvid Posted August 15, 2012 Author Share Posted August 15, 2012 I already had this snippet code in adding users if(isset($_POST['add_user'])){ $passw = trim(htmlentities($_POST['password'])); $encrypted = enc_salt($passw); $con = "true"; $sql = "SELECT * FROM users WHERE username='".$_POST['user_name']."'"; $result = $database->query($sql); $row = $database->fetch_array($result); if($row!=""){ $con="false"; } if($con!="false"){ $sql = "INSERT INTO photo_gallery.users (username, password, first_name, last_name)"; $sql .= " VALUES ('".trim(htmlentities($_POST['user_name']))."','".$encrypted."', '".trim(htmlentities($_POST['first_name']))."', '".trim(htmlentities($_POST['last_name']))."')"; $result_set = $database->query($sql); echo '<script type="text/javascript">alert("Account Created!");</script>';} else{ echo '<script type="text/javascript">alert("This username already exist!");</script>'; } } where my function enc_salt is: function enc_salt($string){ //encrypting $pass_word = sha1($string); $salt = md5("user"); $pepper = "cxlkdawpoalsk"; $pass_encrypted = $salt.$pass_word.$pepper; return $pass_encrypted; } my problem right now is when it's time the user login to the website. Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369703 Share on other sites More sharing options...
xyph Posted August 15, 2012 Share Posted August 15, 2012 That's not a very strong hashing algorithm. Again, you should check out the article in my signature. Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369705 Share on other sites More sharing options...
krash11554 Posted August 15, 2012 Share Posted August 15, 2012 I think you would take what the user puts in the password field when logging in and do the same encryption you did when the user registers and then compare the two passwords. Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369706 Share on other sites More sharing options...
booxvid Posted August 15, 2012 Author Share Posted August 15, 2012 That's not a very strong hashing algorithm. Again, you should check out the article in my signature. Yeah, but for the meantime I would like to fix the error that I made from my program Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369720 Share on other sites More sharing options...
booxvid Posted August 15, 2012 Author Share Posted August 15, 2012 I think you would take what the user puts in the password field when logging in and do the same encryption you did when the user registers and then compare the two passwords. I already do the same method but it isn't successful. Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369721 Share on other sites More sharing options...
Christian F. Posted August 15, 2012 Share Posted August 15, 2012 "In the meantime", as in "while you're reading that article and absorbing its knowledge", don't do anything with your script. If you've pushed it to production, take it down. Once you've read and understood the article, then go back and fix the script before uploading it again. If you don't, then you're only causing problems for yourself and (what's worse) your users. Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369736 Share on other sites More sharing options...
maxudaskin Posted August 15, 2012 Share Posted August 15, 2012 I already had this snippet code in adding users if(isset($_POST['add_user'])){ $passw = trim(htmlentities($_POST['password'])); $encrypted = enc_salt($passw); $con = "true"; $sql = "SELECT * FROM users WHERE username='".$_POST['user_name']."'"; $result = $database->query($sql); $row = $database->fetch_array($result); if($row!=""){ $con="false"; } if($con!="false"){ $sql = "INSERT INTO photo_gallery.users (username, password, first_name, last_name)"; $sql .= " VALUES ('".trim(htmlentities($_POST['user_name']))."','".$encrypted."', '".trim(htmlentities($_POST['first_name']))."', '".trim(htmlentities($_POST['last_name']))."')"; $result_set = $database->query($sql); echo '<script type="text/javascript">alert("Account Created!");</script>';} else{ echo '<script type="text/javascript">alert("This username already exist!");</script>'; } } where my function enc_salt is: function enc_salt($string){ //encrypting $pass_word = sha1($string); $salt = md5("user"); $pepper = "cxlkdawpoalsk"; $pass_encrypted = $salt.$pass_word.$pepper; return $pass_encrypted; } my problem right now is when it's time the user login to the website. Very ineffective salting method. Try this: function enc_salt($password) { $salt = 'somerandomecharacters1646#s@0-2 da2e/5ad+'; return md5($password . $salt); } Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369744 Share on other sites More sharing options...
xyph Posted August 16, 2012 Share Posted August 16, 2012 Very ineffective salting method. Try this: function enc_salt($password) { $salt = 'somerandomecharacters1646#s@0-2 da2e/5ad+'; return md5($password . $salt); } Yours is ineffective as well. Salts should be random and unique per user. Link to comment https://forums.phpfreaks.com/topic/267135-how-to-add-password-security/#findComment-1369752 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.