sendy Posted March 10, 2013

I just read about the hash_hmac() function in this book; it says that hash_hmac() returns a string that would potentially break the query, so I tried to use it for storing a password in the DB, using PDO:

```php
<?php
$dsn = 'mysql:host=localhost;dbname=test';
$username = 'root';
$pass = 'password';
$conn = new PDO($dsn, $username, $pass);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// note: PDO::ATTR_PERSISTENT only takes effect when passed in the constructor's options array
$conn->setAttribute(PDO::ATTR_PERSISTENT, TRUE);

$password = '123MonyeTSahuR456';
// fourth argument TRUE = raw (binary) output, 32 bytes for sha256; then run through addslashes()
$p = addslashes(hash_hmac('sha256', $password, '13#slP3mK;"dA$@m', TRUE));

$query = "INSERT INTO table_one VALUES(NULL, :password)";
try {
    $pdo = $conn->prepare($query);
    $pdo->bindValue(':password', $p);
    if ($pdo->execute()) {
        echo $pdo->rowCount();
    } else {
        echo 'fail';
    }
} catch (PDOException $e) {
    echo $e->getMessage();
}
```

**the DB details:**

```
id INT NOT NULL AUTO_INCREMENT
password VARBINARY(32) NOT NULL
```

After that I manually checked my DB and found a row with BLOB (I have never worked with the VARBINARY or BLOB data types before, so this is my first time), so there is 1 row, and I try to select the row:

```php
$query = "SELECT * FROM table_one WHERE password = :password";
```

The value returned by $pdo->rowCount() is 0; it doesn't find the password I'm looking for. But when I use it without addslashes(), it works. Why does this happen?

**another details:**
PHP version: 5.4
OS: Ubuntu 12.04 64 bit

Thanks

EDIT: Sorry, my bad.. I just remembered that PDO will escape the query if using prepared statements.. BTW, I just tried using PDO::bindValue with PDO::PARAM_LOB and it works even with the addslashes function; can anyone explain?
Edward Posted March 11, 2013

I would change the database password variable type from VARBINARY to CHAR; this generally works better. If you use VARBINARY it needs to be 64. For CHAR, if I recall correctly, 64 characters also for sha256. Just run the hash_hmac in a printf and then count the number of characters.
sendy Posted March 12, 2013 Author

Erm, actually I did fix that by removing the addslashes() function (yes, I forgot that PDO will use prepared statements) and it's good without PDO::PARAM_LOB. I think VARBINARY(32) is right since I have tested it by registering and logging in using 3 different passwords.. but correct me if I'm wrong since I'm still a newbie.
Larry Posted March 13, 2013

If it works, then VARBINARY(32) is correct. I believe SHA256 puts out a string that's 64 characters long, which would require 32 bits as a binary.
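Worked example, added here and not code from any of the posters: it shows the three sizes the thread argues about (32 raw bytes from hash_hmac() with raw output, 64 hex characters without it, and the longer string addslashes() makes out of the raw bytes), and an insert-then-lookup round trip through PDO bound parameters with no hand escaping at all. It runs against an in-memory SQLite database (pdo_sqlite) instead of the thread's MySQL table; the key and passwords are made up or copied from the first post purely for illustration, "table_one" follows the post, and the code is written to run on PHP 5.4 as well as later versions. One MySQL fact worth keeping in mind when reading the original result: a VARBINARY(32) column in non-strict SQL mode silently truncates a longer value on INSERT (strict mode rejects it), so an escaped MAC that grew past 32 bytes would be stored cut off and could never equal the full escaped value used in the later lookup. For real password storage, an HMAC with a fixed key is not a substitute for a slow password hash such as PHP's password_hash(); the HMAC is kept here only because it is what the thread is about.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Key and passwords are made up; "table_one" and "password" follow the original post.
// Requires the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL.

define('DEMO_KEY', '13#slP3mK;"dA$@m');   // HMAC key, example value only

/**
 * The three sizes discussed in the thread, for one password and key.
 *   raw_bytes:     hash_hmac(..., TRUE)  -> 32 bytes, fits VARBINARY(32)
 *   hex_chars:     hash_hmac(..., FALSE) -> 64 characters, needs CHAR(64)
 *   escaped_bytes: addslashes() on the raw bytes -> 32 plus one byte for every
 *                  single quote, double quote, backslash or NUL byte in the MAC
 */
function hmacSizes($password, $key)
{
    $raw = hash_hmac('sha256', $password, $key, true);
    $hex = hash_hmac('sha256', $password, $key, false);
    return array(
        'raw_bytes'     => strlen($raw),
        'hex_chars'     => strlen($hex),
        'escaped_bytes' => strlen(addslashes($raw)),
    );
}

/**
 * How many bytes addslashes() adds to a binary string. Called on constructed
 * bytes below so the growth is visible regardless of what a given MAC contains.
 */
function escapeGrowth($binary)
{
    return strlen(addslashes($binary)) - strlen($binary);
}

/**
 * Insert the raw MAC of $stored through a bound parameter, then look up the raw
 * MAC of $attempt the same way. Returns the matching row count: 1 when $attempt
 * equals $stored, 0 otherwise. No addslashes() anywhere: with native prepares
 * PDO sends the value separately from the SQL text, and with emulated prepares
 * (the pdo_mysql default) PDO quotes it itself, so escaping by hand only
 * corrupts the stored bytes.
 */
function storeThenLookup($stored, $attempt, $key)
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE table_one (id INTEGER PRIMARY KEY AUTOINCREMENT, password BLOB NOT NULL)');

    // PDO::PARAM_LOB makes pdo_sqlite bind the string as a BLOB. Use the same
    // type on both statements: SQLite never considers a TEXT value equal to a
    // BLOB value, even when the bytes are identical.
    $ins = $db->prepare('INSERT INTO table_one (id, password) VALUES (NULL, :password)');
    $ins->bindValue(':password', hash_hmac('sha256', $stored, $key, true), PDO::PARAM_LOB);
    $ins->execute();

    // COUNT(*) rather than rowCount(): PDO documents rowCount() after a SELECT
    // as driver-dependent, and pdo_sqlite reports 0 for it.
    $sel = $db->prepare('SELECT COUNT(*) FROM table_one WHERE password = :password');
    $sel->bindValue(':password', hash_hmac('sha256', $attempt, $key, true), PDO::PARAM_LOB);
    $sel->execute();
    return (int) $sel->fetchColumn();
}

// Demo run
print_r(hmacSizes('123MonyeTSahuR456', DEMO_KEY));
printf("addslashes() growth on bytes 00 27 22 5c 41: %d\n", escapeGrowth("\x00'\"\\A"));
printf("correct password, rows matched: %d\n", storeThenLookup('123MonyeTSahuR456', '123MonyeTSahuR456', DEMO_KEY));
printf("wrong password, rows matched:   %d\n", storeThenLookup('123MonyeTSahuR456', 'not-the-password', DEMO_KEY));
```

The SQLite-specific part is the PARAM_LOB binding on both statements; on MySQL a plain bindValue() of the raw string into a VARBINARY column works, which is what the thread ended up with. Whether escaped_bytes comes out above 32 for a particular password depends on whether that MAC happens to contain one of the four escaped byte values, which is exactly why escaping a value that will be bound anyway is unpredictable as well as unnecessary.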