Can you explain to me?

[sigmahokies]

I am trying to create the login system, I notice "hash" in mysqli_real_escape_string(hash("sha512", $_POST['password']));

 

Can anyone explain what "hash" use for in php?

 

Thank you in advance time

 

Gary

[maxxd]

http://php.net/manual/en/function.hash.php

 

For login purposes, update and use password_hash() and password_verify()

[sigmahokies]

I read this before, but i'm not understand what it does. can you please explain to me?

 

Thanks

[hansford]

This will make it more clear to you. http://php.net/manual/en/faq.passwords.php

[sigmahokies]

I think I get it clear, but i need to make sure...Is it good for prevent to store password in any web browser and application?

Edited September 14, 2015 by sigmahokies

[maxxd]

Not quite sure what you're asking, but passwords should only be stored in a database after encryption. You pull the password from the database, compare it to the password provided by the user, then let it go. Don't store it in $_SESSION or $_COOKIE or anywhere else.

[ginerjm]

To give you the details.

 

1 - get a user id and password from the user

2 - encrypt the password and save the userid and the encrypted password in the users table.

 

When checking a user's login attempt:

1 - get the user's id and password entries

2 - encrypt the password value the exact same way as you did when you stored it

3 - do a query on the table to get the record that matches both the user id and the encrypted password entry

4 - if the query returns exactly 1 record - the user logged in correctly. If not - send them back to login again.

 

As said by Maxxd - you don't return the password in the query, nor do you get it and save it anywhere. The password is not needed once you verify that it was provided correctly. If you need to remember that a user is logged in you create a token that indicates that to your application, such as a $_SESSION var or a cookie but in no way do you store sensitive information in either place.

[Psycho]

A few responses are referring to "encryption" above. Hashing is not encryption, but it is routinely called that. Since you are specifically asking what hashing is, I think it is important to differentiate the two.

 

Encryption is used when you need to securely store a value which you will need in its original state in the future. For example, if you allow the user to store thier credit card number for the purpose of easy check outs in the future, you would need to encrypt it. Other data such as SSNs, birth dates and other PII data should be encrypted as well (assuming it shoudl even be something to be stored). With encryption, there is a key or some method to decrypt the value back to its original state.

 

Hashing is used to verify that some value is the same as some other previous value. hashes cannot be decrypted back to their original values. Two specific uses for hashes are for password and file verification. When a user creates a password, the hashes values should be stored - not the actual password. Then, when logging in, the user submits their password and the value will be hashed in the same manner in which is was when stored. Those hashed values are then compared to see if the user entered the correct password. Passwords should be hashed because people use the same passwords on different sites. If the database is compromised, the malicious user already has all the data. But, we want to prevent them from getting the original password. Hashes are also used for file verification. If an install file for some shareware app is made available for download from many sites, you want to be careful to ensure you are getting the "real" file and not one that has been modified with malicious code. The author may provide a hash value of their file. Then when you download the file from an alternative site you can run a hash on it to ensure it returns the same hash and has not been modified.

 

Hashing is also referred to one-way encryption because, ideally, you should not be able to decrypt it since it is used for comparing two value. But, you may hear about being able to decrypt hashes via rainbow tables. It is not really decrypting. A rainbow table is the process of generating hashes for MANY different values (typically a dictionary list). If I hash the word "password", it will be the same hash every time (assuming no additional processes are used). So, if a programmer just used a simple hashing method, I could create hashes for common words that are used as passwords and find the users that are using those words since they would have the same hash.

 

But, a hash should not be used on its own. When hashing a value a 'salt' should be used to ensure the hash is unique for that user/record. For example, if you were to concatenate the user's password and the timestamp of when they registered before hashing you would have to create a rainbow table specific for each user. The password_hash() function specified above has this built in.

[sigmahokies]

Ummm...interesting your explain, Guru.

 

Thank you so much!