newuser1978 Posted November 26, 2014 Share Posted November 26, 2014 Hi Guys I am fairly new to php, I am trying to build a registration form but I am struggling with encrypting the password (I will also be salting the password at a later stage to make it more secure). The below line of code encrypts the password but saves the values as the values states in the code e.g password saves as 'pass' $q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('first_name','last_name','email', SHA1('pass'), NOW())"; The below code saves all the values that the user inputs xcept the password which is blank and the message 'Undefined index: SHA1('pass')' is returned $q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('".$_POST["first_name"]."','".$_POST["last_name"]."','".$_POST["email"]."','".$_POST["SHA1('pass')"]."', NOW())"; I am hoping someone may be able to help me as I have no idea how to fix this. Thank you in advance Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/ Share on other sites More sharing options...
Jacques1 Posted November 26, 2014 Share Posted November 26, 2014 SHA-1 is awful for hashing passwords. Even an old graphics card can calculate around 3 billion(!) SHA-1 hashes per second, so finding out the passwords of your users is trivial. And, no, “salting” doesn't help. Whoever told you that SHA-1 is an acceptable password hash algorithm either doesn't know what he's doing or lied to you on purpose. Your code is also wide open to SQL injections, because you happily dump the user input into the query string, allowing anybody to write their own queries. Never heard of Little Bobby Tables? So you have quite a lot of work ahead of you. The first thing you should do is avoid crap resources and stick to professional programmers who actually know PHP. For example, Padraic Brady is a well-known security expert. See also this thread about password hashes. Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497748 Share on other sites More sharing options...
NotionCommotion Posted November 26, 2014 Share Posted November 26, 2014 SHA-1 is awful for hashing passwords. Even an old graphics card can calculate around 3 billion(!) SHA-1 hashes per second, so finding out the passwords of your users is trivial. And, no, “salting” doesn't help. Whoever told you that SHA-1 is an acceptable password hash algorithm either doesn't know what he's doing or lied to you on purpose. Your code is also wide open to SQL injections, because you happily dump the user input into the query string, allowing anybody to write their own queries. Never heard of Little Bobby Tables? So you have quite a lot of work ahead of you. The first thing you should do is avoid crap resources and stick to professional programmers who actually know PHP. For example, Padraic Brady is a well-known security expert. See also this thread about password hashes. Ha ha, I saw the original post, and new you couldn't resist! Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497753 Share on other sites More sharing options...
newuser1978 Posted November 26, 2014 Author Share Posted November 26, 2014 Thanks for your answer but I am learning PHP and MYSQL and need to know where I am going wrong. This is not to be used in a live application and my intention is to build in protection for XSS attacks and mysql injections. I have to start somewhere! I would really appreciate it if anyone can show me where I am going wrong. Thanks Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497754 Share on other sites More sharing options...
Jacques1 Posted November 26, 2014 Share Posted November 26, 2014 I just told you what's wrong and what you need to do. Those blue underlined words are links, you need to click on them. If you have specific questions about the links, feel free to ask. But we can't do the reading for you. Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497755 Share on other sites More sharing options...
newuser1978 Posted November 26, 2014 Author Share Posted November 26, 2014 If you think that is help you are deluded. I will not be using this site again as you are all clearly not nice people. All I wanted was a bit of help! Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497758 Share on other sites More sharing options...
NotionCommotion Posted November 26, 2014 Share Posted November 26, 2014 If you think that is help you are deluded. I will not be using this site again as you are all clearly not nice people. All I wanted was a bit of help! Well, I'm kinda nice. For hashing, I used to use http://www.openwall.com/phpass/, however, now think http://php.net/manual/en/function.password-hash.php is preferred. In regards to Jacques comments about injection, addressing is VERY important. Your current approach can allow someone to easily delete your entire database, or worse. For an easy fix, look into PDO and prepared statements. 1 Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497762 Share on other sites More sharing options...
Jacques1 Posted November 26, 2014 Share Posted November 26, 2014 If you think that is help you are deluded. I will not be using this site again as you are all clearly not nice people. Yeah, good luck finding “help” with that attitude. Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497763 Share on other sites More sharing options...
sasa Posted November 27, 2014 Share Posted November 27, 2014 change $_POST["SHA1('pass')"] to SHA1($_POST['pass']) Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497819 Share on other sites More sharing options...
bsmither Posted November 27, 2014 Share Posted November 27, 2014 This literal string (part of the entire string) is what you will be sending to the database: "VALUES ('first_name','last_name','email', SHA1('pass'), NOW())" The SHA1() and NOW() are real MySQL functions. So, SHA1('pass') will have the MySQL database engine use the string literal pass and make a 160-bit checksum from it. Now, you are wanting to use $_POST['pass'] instead of pass. So, let's try: SHA1('" . $_POST['pass'] . "'), Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497886 Share on other sites More sharing options...
Jacques1 Posted November 27, 2014 Share Posted November 27, 2014 Guys, please. I understand that you all just want to help, but the replies are getting worse and worse. Do you honestly suggest that the OP should drop raw POST values into the query string and use SHA-1 to hash passwords? Have you never heard of things like SQL injections and brute-force attacks? 1 Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497888 Share on other sites More sharing options...
QuickOldCar Posted November 27, 2014 Share Posted November 27, 2014 I agree with Jacques1 100% He gave the perfect response. If someone doesn't want to follow good advice and get offended....is their loss. Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497894 Share on other sites More sharing options...
bsmither Posted November 28, 2014 Share Posted November 28, 2014 Stipulated that there is worth to good advice. Everyone should be glad it was given. But I do not know the whole picture. I have no context, no history. I am not his mother, nor his priest. I cannot determine what he will do with the answer, nor judge him for asking for it. Quote Link to comment https://forums.phpfreaks.com/topic/292731-encryption/#findComment-1497898 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.