Larry Ullman's Book Forums

PHP PDO query doesn't work with hash_hmac()


Recommended Posts

I just read about the hash_hmac() function in this book; it says something about the hash_hmac() function returning a string that could potentially break the query.

So I tried to use it for storing a password in the DB, using PDO:
```php
<?php
$dsn = 'mysql:host=localhost;dbname=test';
$username = 'root';
$pass = 'password';
$conn = new PDO($dsn, $username, $pass);

$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->setAttribute(PDO::ATTR_PERSISTENT, TRUE);
$password = '123MonyeTSahuR456';

// raw (binary) HMAC digest, then passed through addslashes() -- this escaping is what the question is about
$p = addslashes(hash_hmac('sha256', $password, '13#slP3mK;"dA$@m', TRUE));
$query = "INSERT INTO table_one VALUES(NULL, :password)";
try
{
    $pdo = $conn->prepare($query);
    $pdo->bindValue(':password', $p);
    if ($pdo->execute())
    {
        echo $pdo->rowCount();
    }
    else
    {
        echo 'fail';
    }
}
catch (PDOException $e)
{
    echo $e->getMessage();
}
```
**The DB details:**

```sql
id INT NOT NULL AUTO_INCREMENT, password VARBINARY(32) NOT NULL
```



After that I manually checked my DB and found a row with a BLOB (I have never worked with the VARBINARY or BLOB data types before, so this is my first time).

So there is 1 row, and I try to select the row:

```php
$query = "SELECT * FROM table_one WHERE password = :password";
```

The value returned by $pdo->rowCount() is 0; it doesn't find the password I'm looking for.

But when I use it without addslashes(), it works. Why does this happen?

**Other details:**

PHP version: 5.4

OS: Ubuntu 12.04 64-bit

Thanks

EDIT:

Sorry, my bad. I just remembered that PDO will escape the query if using prepared statements.
BTW, I just tried using PDO::bindValue with PDO::PARAM_LOB and it works even with the addslashes() function. Can anyone explain?

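The mismatch described in this post can be reproduced without a MySQL server. The following is an added example, not code from the thread: it binds a raw hash_hmac() digest to a prepared statement against an in-memory SQLite database (assumed to stand in for the MySQL table; the `table_one` schema, the secret key and the candidate passwords are constructed sample values) and shows that the driver stores the bytes unchanged, that addslashes() only alters digests which happen to contain one of the four characters it escapes, and that a lookup using the escaped value no longer matches the stored row.

```php
<?php
// Added example, not code from the thread. It shows why addslashes() must not be
// applied to a raw hash_hmac() digest that is bound to a prepared statement.
// An in-memory SQLite database stands in for MySQL so it runs without a server;
// the secret key and the candidate passwords are constructed sample values.

$secret = '13#slP3mK;"dA$@m'; // sample key, as used in the thread

// addslashes() only changes a string that contains ', ", \ or a NUL byte.
// A raw digest is arbitrary bytes, so some digests are altered and others are
// not, which is why the bug can appear to come and go between test accounts.
function digestAlteredByAddslashes(string $password, string $secret): bool
{
    $raw = hash_hmac('sha256', $password, $secret, true); // 32 raw bytes
    return addslashes($raw) !== $raw;
}

// Find a constructed password whose digest addslashes() would mangle.
$victim = null;
for ($i = 0; $i < 200; $i++) {
    $candidate = "sample-password-$i";
    if (digestAlteredByAddslashes($candidate, $secret)) {
        $victim = $candidate;
        break;
    }
}
if ($victim === null) {
    exit("no candidate digest contained a character addslashes() escapes\n");
}

$raw     = hash_hmac('sha256', $victim, $secret, true);
$escaped = addslashes($raw);
printf("password %s: raw digest %d bytes, after addslashes() %d bytes\n",
       $victim, strlen($raw), strlen($escaped));

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table_one (id INTEGER PRIMARY KEY AUTOINCREMENT, password BLOB NOT NULL)');

// Correct storage: bind the raw bytes. The driver quotes them, so no manual
// escaping is needed and none must be done. PARAM_LOB marks the value as binary.
$ins = $pdo->prepare('INSERT INTO table_one (password) VALUES (:password)');
$ins->bindValue(':password', $raw, PDO::PARAM_LOB);
$ins->execute();

function countMatches(PDO $pdo, string $value): int
{
    $sel = $pdo->prepare('SELECT COUNT(*) FROM table_one WHERE password = :password');
    $sel->bindValue(':password', $value, PDO::PARAM_LOB);
    $sel->execute();
    return (int) $sel->fetchColumn();
}

// A lookup with the same raw digest matches the stored row.
printf("rows matching raw digest:     %d\n", countMatches($pdo, $raw));
// A lookup with the addslashes()-mangled digest matches nothing: the stored
// bytes are the digest itself, and the added backslashes make a different value.
printf("rows matching escaped digest: %d\n", countMatches($pdo, $escaped));
```

Run it with the PHP CLI (the pdo_sqlite extension must be enabled). The same holds for the MySQL driver: with a VARBINARY(32) column and a bound parameter, the 32 raw bytes from hash_hmac() go in and come back unchanged, and any escaping done by hand before binding is stored as part of the value rather than stripped.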

I would change the database password column type from VARBINARY to CHAR; this generally works better. If you use VARBINARY it needs to be 64. For CHAR, if I recall correctly, 64 characters also for sha256; just run hash_hmac() in a printf and then count the number of characters.


Erm, actually I did fix that by removing the addslashes() function (yes, I forgot that PDO will use prepared statements) and it's good without PDO::PARAM_LOB.

I think VARBINARY(32) is right, since I have tested it by registering and logging in using 3 different passwords.

But correct me if I'm wrong, since I'm still a newbie.
