newuser1978 Posted November 26, 2014

Hi Guys, I am fairly new to PHP. I am trying to build a registration form but I am struggling with encrypting the password (I will also be salting the password at a later stage to make it more secure).

The below line of code encrypts the password but saves the values as stated in the code, e.g. password saves as 'pass':

$q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('first_name','last_name','email', SHA1('pass'), NOW())";

The below code saves all the values that the user inputs except the password, which is blank, and the message 'Undefined index: SHA1('pass')' is returned:

$q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('".$_POST["first_name"]."','".$_POST["last_name"]."','".$_POST["email"]."','".$_POST["SHA1('pass')"]."', NOW())";

I am hoping someone may be able to help me as I have no idea how to fix this. Thank you in advance.
Jacques1 Posted November 26, 2014

SHA-1 is awful for hashing passwords. Even an old graphics card can calculate around 3 billion(!) SHA-1 hashes per second, so finding out the passwords of your users is trivial. And, no, “salting” doesn't help. Whoever told you that SHA-1 is an acceptable password hash algorithm either doesn't know what he's doing or lied to you on purpose.

Your code is also wide open to SQL injections, because you happily dump the user input into the query string, allowing anybody to write their own queries. Never heard of Little Bobby Tables?

So you have quite a lot of work ahead of you. The first thing you should do is avoid crap resources and stick to professional programmers who actually know PHP. For example, Padraic Brady is a well-known security expert. See also this thread about password hashes.
NotionCommotion Posted November 26, 2014

(Quoting Jacques1:) SHA-1 is awful for hashing passwords. Even an old graphics card can calculate around 3 billion(!) SHA-1 hashes per second, so finding out the passwords of your users is trivial. And, no, “salting” doesn't help. Whoever told you that SHA-1 is an acceptable password hash algorithm either doesn't know what he's doing or lied to you on purpose. Your code is also wide open to SQL injections, because you happily dump the user input into the query string, allowing anybody to write their own queries. Never heard of Little Bobby Tables? So you have quite a lot of work ahead of you. The first thing you should do is avoid crap resources and stick to professional programmers who actually know PHP. For example, Padraic Brady is a well-known security expert. See also this thread about password hashes.

Ha ha, I saw the original post, and knew you couldn't resist!
newuser1978 (Author) Posted November 26, 2014

Thanks for your answer, but I am learning PHP and MySQL and need to know where I am going wrong. This is not to be used in a live application, and my intention is to build in protection for XSS attacks and MySQL injections. I have to start somewhere! I would really appreciate it if anyone can show me where I am going wrong. Thanks
Jacques1 Posted November 26, 2014

I just told you what's wrong and what you need to do. Those blue underlined words are links; you need to click on them. If you have specific questions about the links, feel free to ask. But we can't do the reading for you.
newuser1978 (Author) Posted November 26, 2014

If you think that is help you are deluded. I will not be using this site again as you are all clearly not nice people. All I wanted was a bit of help!
NotionCommotion Posted November 26, 2014

(Quoting newuser1978:) If you think that is help you are deluded. I will not be using this site again as you are all clearly not nice people. All I wanted was a bit of help!

Well, I'm kinda nice. For hashing, I used to use http://www.openwall.com/phpass/; however, I now think http://php.net/manual/en/function.password-hash.php is preferred. In regards to Jacques' comments about injection, addressing it is VERY important. Your current approach can allow someone to easily delete your entire database, or worse. For an easy fix, look into PDO and prepared statements.
Jacques1 Posted November 26, 2014

(Quoting newuser1978:) If you think that is help you are deluded. I will not be using this site again as you are all clearly not nice people.

Yeah, good luck finding “help” with that attitude.
sasa Posted November 27, 2014

Change $_POST["SHA1('pass')"] to SHA1($_POST['pass'])
bsmither Posted November 27, 2014

This literal string (part of the entire string) is what you will be sending to the database:

"VALUES ('first_name','last_name','email', SHA1('pass'), NOW())"

The SHA1() and NOW() are real MySQL functions. So, SHA1('pass') will have the MySQL database engine use the string literal pass and make a 160-bit checksum from it.

Now, you are wanting to use $_POST['pass'] instead of pass. So, let's try:

SHA1('" . $_POST['pass'] . "'),
Jacques1 Posted November 27, 2014

Guys, please. I understand that you all just want to help, but the replies are getting worse and worse. Do you honestly suggest that the OP should drop raw POST values into the query string and use SHA-1 to hash passwords? Have you never heard of things like SQL injections and brute-force attacks?
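To make the two points in this thread concrete (NotionCommotion's advice to use password_hash() and PDO prepared statements, and Jacques1's objection to dropping raw POST values into the query string), here is an added example of the OP's insert done that way. It is not code from any poster; the DSN, credentials, and the column names of the OP's users table are assumptions.

```php
<?php
// Added example: registration insert with PDO prepared statements and password_hash().
// Assumes the OP's users table (first_name, last_name, email, pass, registration_date)
// and placeholder DSN/credentials; replace them with your own.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares, not client-side quoting
    ]);
}

function registerUser(PDO $pdo, string $first, string $last, string $email, string $password): int
{
    // Hash in PHP, not in MySQL: password_hash() uses a slow, per-user salted algorithm (bcrypt by default),
    // so the plaintext never appears in the SQL text or the server's query log.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Named placeholders keep user input out of the SQL text, so quotes in $_POST cannot alter the query.
    $stmt = $pdo->prepare(
        'INSERT INTO users (first_name, last_name, email, pass, registration_date)
         VALUES (:first, :last, :email, :pass, NOW())'
    );
    $stmt->execute([
        ':first' => $first,
        ':last'  => $last,
        ':email' => $email,
        ':pass'  => $hash, // the pass column should be VARCHAR(255) to hold current and future hash formats
    ]);
    return (int) $pdo->lastInsertId();
}

function loginUser(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt and cost from the stored hash and compares in constant time.
    return $row !== false && password_verify($password, $row['pass']);
}

// Form handler: read the POST fields by name and pass them as parameters, never into the SQL string.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = connect();
    $id  = registerUser($pdo, $_POST['first_name'] ?? '', $_POST['last_name'] ?? '',
                        $_POST['email'] ?? '', $_POST['pass'] ?? '');
    echo 'Registered user #' . $id;
}
```

Note that the hash is computed in PHP before the query runs, so nothing like SHA1('" . $_POST['pass'] . "') is ever concatenated into the statement.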
QuickOldCar Posted November 27, 2014

I agree with Jacques1 100%. He gave the perfect response. If someone doesn't want to follow good advice and gets offended... it is their loss.
bsmither Posted November 28, 2014

Stipulated that there is worth to good advice. Everyone should be glad it was given. But I do not know the whole picture. I have no context, no history. I am not his mother, nor his priest. I cannot determine what he will do with the answer, nor judge him for asking for it.