Demonic Posted November 6, 2007

Someone told me creating a random hash and storing it in the database isn't good practice/is insecure. Then what is?

JasonLewis Posted November 6, 2007

How do you mean? Like running an md5() on a password then storing it in a database?

sford999 Posted November 6, 2007

<?php
// Combine the per-user salt with the already-MD5'd password.
function generate_passhash($salt, $md5_password)
{
    return md5(md5($salt) . $md5_password);
}

// Build a random salt of printable ASCII characters.
function generate_salt($length = 5)
{
    $salt = '';
    srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++) {
        $number = rand(33, 126);
        // Skip the backslash (ASCII 92).
        if ($number == 92) {
            $number = 93;
        }
        $salt .= chr($number);
    }
    return $salt;
}
?>

To use it you can do:

<?php
$salt = generate_salt(5);
$md5_password = md5($_POST['password']);
$hashed_password = generate_passhash($salt, $md5_password);
?>

You would put both the salt and hashed_password into the database.

When a user logs in, you have to grab their $salt from the database and do like the function does above:

$pass = md5(md5($row['salt']).$md5_password);

then do an if else, e.g.:

<?php
// Hash the raw password exactly as at registration; strip_tags() would alter it.
$md5_password = md5($_POST['password']);
// Escape the username before it goes into the query.
$username = mysql_real_escape_string($_POST['username']);
$sql = "SELECT * FROM table WHERE username = '$username'";
$result = mysql_query($sql) or die(mysql_error());
$row = mysql_fetch_array($result);
// $row is false when no such user exists.
$pass = $row ? md5(md5($row['salt']) . $md5_password) : '';
// Strict comparison: == would treat two "0e..." hashes as equal numbers.
if ($row && $pass === $row['password']) {
    // Log the user in
} else {
    // Wrong password
}
?>
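
Added example, not part of the thread or any poster's code: current PHP ships password_hash() and password_verify(), which generate the salt and keep it inside the hash string, so rows stored in the md5(md5($salt).$md5_password) format from the post above can be checked once at login and re-hashed. The row layout (`salt` and `password` keys, with `salt` set to null after upgrade) and the function names are assumptions made for this sketch.

```php
<?php
// Added example. $user is a hypothetical row array with 'salt' and 'password'.

// Check a password against the legacy md5(md5($salt) . md5($password)) format.
function legacy_verify(string $password, array $user): bool
{
    $expected = md5(md5($user['salt']) . md5($password));
    return hash_equals($user['password'], $expected); // constant-time compare
}

// Verify a login. Returns the row to write back (possibly upgraded),
// or null when the password is wrong.
function verify_and_upgrade(string $password, array $user): ?array
{
    if ($user['salt'] !== null) {
        // Legacy row: verify the old way, then replace the stored hash.
        if (!legacy_verify($password, $user)) {
            return null;
        }
        $user['password'] = password_hash($password, PASSWORD_DEFAULT);
        $user['salt'] = null; // the salt now lives inside the hash string
        return $user;
    }
    if (!password_verify($password, $user['password'])) {
        return null;
    }
    // Re-hash when the default algorithm or cost has moved on.
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        $user['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $user;
}

// Constructed sample row in the legacy format.
$salt = 'aB3$x';
$legacy = [
    'username' => 'demo',
    'salt'     => $salt,
    'password' => md5(md5($salt) . md5('correct horse')),
];

$upgraded = verify_and_upgrade('correct horse', $legacy);
var_dump($upgraded !== null && $upgraded['salt'] === null);
var_dump(verify_and_upgrade('correct horse', $upgraded) !== null);
var_dump(verify_and_upgrade('wrong guess', $upgraded));
```

The password column needs room for the longer hash strings; the PHP manual recommends 255 characters.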