Jump to content

Encryption


newuser1978

Recommended Posts

Hi Guys

 

I am fairly new to php, I am trying to build a registration form but I am struggling with encrypting the password (I will also be salting the password at a later stage to make it more secure).

 

The below line of code encrypts the password but saves the values as the values states in the code e.g password saves as 'pass'

 

$q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('first_name','last_name','email', SHA1('pass'), NOW())";

 

The below code saves all the values that the user inputs xcept the password which is blank and the message 'Undefined index: SHA1('pass')' is returned

 

$q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('".$_POST["first_name"]."','".$_POST["last_name"]."','".$_POST["email"]."','".$_POST["SHA1('pass')"]."', NOW())";

 

I am hoping someone may be able to help me as I have no idea how to fix this. Thank you in advance

Link to comment
Share on other sites

SHA-1 is awful for hashing passwords. Even an old graphics card can calculate around 3 billion(!) SHA-1 hashes per second, so finding out the passwords of your users is trivial.

 

And, no, “salting” doesn't help. Whoever told you that SHA-1 is an acceptable password hash algorithm either doesn't know what he's doing or lied to you on purpose.

 

Your code is also wide open to SQL injections, because you happily dump the user input into the query string, allowing anybody to write their own queries. Never heard of Little Bobby Tables?

 

So you have quite a lot of work ahead of you. The first thing you should do is avoid crap resources and stick to professional programmers who actually know PHP. For example, Padraic Brady is a well-known security expert. See also this thread about password hashes.

Link to comment
Share on other sites

SHA-1 is awful for hashing passwords. Even an old graphics card can calculate around 3 billion(!) SHA-1 hashes per second, so finding out the passwords of your users is trivial.

 

And, no, “salting” doesn't help. Whoever told you that SHA-1 is an acceptable password hash algorithm either doesn't know what he's doing or lied to you on purpose.

 

Your code is also wide open to SQL injections, because you happily dump the user input into the query string, allowing anybody to write their own queries. Never heard of Little Bobby Tables?

 

So you have quite a lot of work ahead of you. The first thing you should do is avoid crap resources and stick to professional programmers who actually know PHP. For example, Padraic Brady is a well-known security expert. See also this thread about password hashes.

 

Ha ha,  I saw the original post, and new you couldn't resist! :)

Link to comment
Share on other sites

Thanks for your answer but I am learning PHP and MYSQL and need to know where I am going wrong. This is not to be used in a live application and my intention is to build in protection for XSS attacks and mysql injections. I have to start somewhere!

 

I would really appreciate it if anyone can show me where I am going wrong.

 

Thanks

Link to comment
Share on other sites

If you think that is help you are deluded. I will not be using this site again as you are all clearly not nice people. All I wanted was a bit of help!

 

Well, I'm kinda nice.

 

For hashing, I used to use http://www.openwall.com/phpass/, however, now think http://php.net/manual/en/function.password-hash.php is preferred.

 

In regards to Jacques comments about injection, addressing is VERY important.  Your current approach can allow someone to easily delete your entire database, or worse.  For an easy fix, look into PDO and prepared statements.

 

 

  • Like 1
Link to comment
Share on other sites

This literal string (part of the entire string) is what you will be sending to the database:

"VALUES ('first_name','last_name','email', SHA1('pass'), NOW())"

 

The SHA1() and NOW() are real MySQL functions. So, SHA1('pass') will have the MySQL database engine use the string literal pass and make a 160-bit checksum from it.

 

Now, you are wanting to use $_POST['pass'] instead of pass. So, let's try:

SHA1('" . $_POST['pass'] . "'),

Link to comment
Share on other sites

Guys, please.

 

I understand that you all just want to help, but the replies are getting worse and worse. Do you honestly suggest that the OP should drop raw POST values into the query string and use SHA-1 to hash passwords? Have you never heard of things like SQL injections and brute-force attacks?

  • Like 1
Link to comment
Share on other sites

Stipulated that there is worth to good advice. Everyone should be glad it was given.

 

But I do not know the whole picture. I have no context, no history. I am not his mother, nor his priest.

 

I cannot determine what he will do with the answer, nor judge him for asking for it.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.