x34cha Posted February 4, 2015

I need help understanding this code.

The function:

```php
private function getHash($string, $version=0, $pepper='')
{
    switch($version) {
        case 0:
            // Version 0: bare SHA-256 digest of password + object-wide salt
            return hash('sha256', $string.$this->salt);
            break;
        case 1:
            // Version 1: "$1$<pepper>$<digest>", digest covers password + salt + pepper
            return '$' . $version . '$' . $pepper . '$' . hash('sha256', $string.$this->salt.$pepper);
            break;
    }
}
```

Code:

```php
$password_hash = $this->getHash($password1, HASH_VERSION, bin2hex(openssl_random_pseudo_bytes(32)));
```

How is it hashing my passwords? I want to know if it is adding a salt to the end of the password and then just sha256ing that, or will the end output be a hash:salt format? Is that what you can see from the code? Also, what does this mean: $this->salt? Where is it getting salt from?

requinix Posted February 4, 2015

To be clear, SHA256 is not encryption. Encryption is reversible. SHA256 is a hashing algorithm. Hashes are not reversible.

Yes, for version 0 it is hashing the string + a salt. The output is the hash and only the hash - not hash+salt (or the more common salt+hash which may be what you meant).

For version 1 it returns the version + pepper + the hash of the string+salt+pepper, with some $s mixed in. It emulates crypt output without the benefit of how crypt() works. Which supports SHA256 itself, by the way.

$this->salt means the "salt" property on the current object. It's part of object-oriented programming in PHP. The salt was set somewhere else.

NotionCommotion Posted February 4, 2015

Might wish to consider http://php.net/manual/en/function.password-hash.php instead.

scootstah Posted February 4, 2015

> Might wish to consider http://php.net/manual/en/function.password-hash.php instead.

This. There's absolutely no reason to try to do this yourself these days. If you can't use PHP 5.5 then use ircmaxell's backwards compatibility library.
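
The two output formats described in the thread, and the password_hash() route suggested in the replies, as an added example that is not code from the thread: it reproduces getHash() as a free function, checks a stored value in either legacy format, and re-hashes it with password_hash() after a successful login. SITE_SALT, the function names and the sample password are assumptions made up for illustration.

```php
<?php
// Added example, not code from the thread. SITE_SALT, the function names and
// the sample password are constructed for illustration.
const SITE_SALT = 'constructed-site-wide-salt';

// The thread's getHash(), with $this->salt replaced by a constant.
function legacy_hash(string $password, int $version = 0, string $pepper = ''): string
{
    if ($version === 1) {
        return '$1$' . $pepper . '$' . hash('sha256', $password . SITE_SALT . $pepper);
    }
    return hash('sha256', $password . SITE_SALT);
}

// Checks a password against a stored value in any of the three formats.
function verify_stored(string $password, string $stored): bool
{
    if (password_get_info($stored)['algo']) {           // produced by password_hash()
        return password_verify($password, $stored);
    }
    $parts = explode('$', $stored);
    if (count($parts) === 4 && $parts[1] === '1') {     // "$1$<pepper>$<sha256 hex>"
        return hash_equals($stored, legacy_hash($password, 1, $parts[2]));
    }
    return hash_equals($stored, legacy_hash($password, 0)); // bare 64-char hex digest
}

// Returns the value to store after a login attempt, or null on a wrong password.
function login_and_upgrade(string $password, string $stored): ?string
{
    if (!verify_stored($password, $stored)) {
        return null;
    }
    // Legacy values are not password_hash() output, so they always need a rehash.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return $stored;
}

$v0 = legacy_hash('hunter2');                                  // hash only, no salt in output
$v1 = legacy_hash('hunter2', 1, bin2hex(random_bytes(32)));    // pepper travels with the hash
echo "v0: $v0\nv1: $v1\n";

$upgraded = login_and_upgrade('hunter2', $v1);
echo "upgraded: $upgraded\n";
var_dump(verify_stored('hunter2', $upgraded));   // correct password against the new value
var_dump(login_and_upgrade('wrong', $v1));       // wrong password, nothing is re-hashed
```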