Mko, posted August 17, 2012: Hey all, I currently have salts being generated. After a salt is generated, I escape the quotes and \ using mysqli_real_escape_string, and then input them into the database. However, I recently ran 100 generations to see the amount of ' " \ that were generated: http://paste2.org/p/2128924 As you can see, ' becomes \', " becomes \", and \ becomes \\. However, my question is how would these extra \ affect loading from the database? Meaning, if I have an external file that were to hash the passwords (using the salt in the database), would any error occur, or would PHP automatically remove the \ when it is being called? After the hashing is complete, would a user be able to log in without problem, or would they be denied access because their salt contains extra \? Thanks for any and all help, Mark (https://forums.phpfreaks.com/topic/267217-salt-generation-quick-question/)
Jet4Fire, posted August 17, 2012: When you take the password hash with escaped quotes from the file, use the "stripslashes" function (php.net/manual/en/function.stripslashes.php).
Christian F., posted August 17, 2012: If the above values are from before inserting into the database, then everything is as it should be and you can (and should) ignore Jet4Fire's suggestion. In fact, in this case his suggestion would undo the escaping, and leave your script open for SQL injections again. Do note that mysqli_real_escape_string() should only be used directly before using a value in an SQL query, and as such the escaped value should only be saved in that completed query itself, as the escaping makes it unfit to be used anywhere else. If you're unsure about why mysqli_real_escape_string() does what it does, then I recommend reading up on it in the manual and/or other sites which explain output escaping for databases.
xyph, posted August 17, 2012: Whatever you're using to generate your salt is overkill. A salt must be unique, and that's about it. It's not supposed to be a secret. Something like $salt = md5(uniqid($username, true)); is more than enough.
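The round trip the thread is discussing, as an added example that is not code from any of the posters: a salt containing ' " and \ is stored through a bound parameter, read back unchanged, and used to verify a password. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table name, column names, salt generator (random_bytes plus base64) and the sha256 salt-concatenation hash are assumptions of this example, not the original poster's code. The same point holds for mysqli_real_escape_string(): the backslashes it adds exist only inside the SQL text and are consumed by the SQL parser, so they never reach the stored column and nothing needs stripping on read.

```php
<?php
// Added example (not from the thread). PDO + SQLite in memory; the mysqli
// equivalent of the bound parameters below is
//   $stmt = $mysqli->prepare('INSERT ... VALUES (?, ?, ?)');
//   $stmt->bind_param('sss', $username, $salt, $hash);
declare(strict_types=1);

// Salt generator assumed for this example: 16 random bytes, base64-encoded
// so it is safe to store as text. Uniqueness is what matters, not secrecy.
function generateSalt(int $bytes = 16): string
{
    return base64_encode(random_bytes($bytes));
}

// Hash scheme assumed for this example (salt prepended to password, sha256).
function hashPassword(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT NOT NULL, hash TEXT NOT NULL)');

// Constructed salt: the characters the poster was worried about, plus random bytes.
$username = 'mark';
$salt     = "ab'cd\"ef\\gh" . generateSalt();
$password = 'correct horse';
$hash     = hashPassword($salt, $password);

// Bound parameters: the driver handles quoting, so the column receives exactly
// $salt with no escaping backslashes. No escaping function is called here at all.
$ins = $pdo->prepare('INSERT INTO users (username, salt, hash) VALUES (:u, :s, :h)');
$ins->execute([':u' => $username, ':s' => $salt, ':h' => $hash]);

// Load it back, as a separate login script would.
$sel = $pdo->prepare('SELECT salt, hash FROM users WHERE username = :u');
$sel->execute([':u' => $username]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// The stored salt is byte-for-byte what we generated, so the login hash matches.
$saltUnchanged = ($row['salt'] === $salt);
$loginOk       = hash_equals($row['hash'], hashPassword($row['salt'], $password));

// Applying stripslashes() to a value that was never escaped on read would
// remove the genuine backslash in the salt and break every login.
$brokenByStripslashes = (stripslashes($row['salt']) !== $salt);

var_dump($saltUnchanged, $loginOk, $brokenByStripslashes);
```

The check on $brokenByStripslashes is the practical answer to the question in the first post: the database returns the salt exactly as it was generated, so a stripslashes() call on the way out corrupts it rather than cleaning it. For new code, PHP's password_hash() and password_verify() generate and store the salt internally, which removes the question entirely.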