artsyL Posted November 26, 2013

I'm rebuilding a registration system with the model from your book, but I keep coming across articles that say SHA1, SALT, and SHA256 are not very useful anymore. Therefore, I am thinking of using scrypt, or something like it, to handle encryption. Is this an overblown issue? If it is a valid concern, do you have any advice on how to implement it with the code from the book? I am using a hosted server, in case that is important for downloading etc.
HartleySan Posted November 26, 2013

It's not an overblown issue. It's something to take very seriously. The short answer to your question is to use bcrypt. Please read the following question and top answer for more information: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php

As the top answer states, if you're using PHP >= 5.5, then you already have bcrypt built in to PHP. If you're using an older version, though, then you need to go to the GitHub link and download the password.php file in the lib directory, and include that file into your script.
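To make the answer above concrete, here is an added example (not the book's code and not code from either poster) showing how a registration and login pair looks with PHP's password_hash()/password_verify() API, and how the password.php fallback from the GitHub repository mentioned above is pulled in only on PHP versions that lack the built-in functions. It assumes a mysqli connection in $dbc, a users table with an integer id column and a pw column, and that the fallback file lives at lib/password.php next to the script; the BCRYPT_COST value and the helper names are choices made for this example.

```php
<?php
// Added example: bcrypt password storage with PHP's password_* API.
// Assumptions: $dbc is an open mysqli connection; table `users` has an
// integer `id` and a `pw` column. Make `pw` VARCHAR(255) rather than
// VARCHAR(60): bcrypt output is 60 characters today, but PASSWORD_DEFAULT
// may change to a longer hash in a future PHP release.

// PHP < 5.5 has no password_hash(); load lib/password.php from the
// password_compat project (the file the answer refers to) only when needed.
// The path is an assumption for this example.
if (!function_exists('password_hash')) {
    require_once __DIR__ . '/lib/password.php';
}

// Work factor: bcrypt runs 2^cost rounds. 10 is PHP's default; raise it
// until one hash takes roughly 100 ms on the production server.
define('BCRYPT_COST', 12);

/** Hash a password for storage. Never store the plaintext or a fast hash. */
function hash_password($plain)
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/** Registration: bind the hash, not $pw, through a prepared statement. */
function register_user(mysqli $dbc, $fn, $ln, $username, $email, $pw)
{
    $hash = hash_password($pw);
    $q = 'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)';
    $stmt = mysqli_prepare($dbc, $q);
    // Five placeholders, so exactly five type characters.
    mysqli_stmt_bind_param($stmt, 'sssss', $fn, $ln, $username, $email, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

/**
 * Login: fetch the stored hash for the username and let password_verify()
 * do the comparison. The salt and cost are embedded in the hash string,
 * so nothing else has to be stored. Returns the user id or false.
 */
function login_user(mysqli $dbc, $username, $pw)
{
    $stmt = mysqli_prepare($dbc, 'SELECT id, pw FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $stored);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    // Same result for unknown user and wrong password, so the response
    // does not reveal which usernames exist.
    if (!$found || !password_verify($pw, $stored)) {
        return false;
    }

    // If BCRYPT_COST was raised after this hash was created, upgrade the
    // stored hash now, while the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $new = hash_password($pw);
        $stmt = mysqli_prepare($dbc, 'UPDATE users SET pw = ? WHERE id = ?');
        mysqli_stmt_bind_param($stmt, 'si', $new, $id);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
    return $id;
}
```

Calling password_verify() immediately after password_hash() in the registration script, as the later post in this thread does, proves nothing: the verify step belongs in the login script, against the hash read back from the database. The password_compat fallback also supplies password_needs_rehash(), so the login function above works unchanged on PHP 5.3.7 through 5.4.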
artsyL Posted December 12, 2013

I'm not sure what I'm missing, but the bcrypt code I have been using is generating a blank page, though I have tested for syntax errors and Firebug says there are no errors. The PHP on the server is definitely set to PHP 5.5. The db column is set to VARCHAR(60). Here is the only code I have changed. I added this:

// password hash function
$hash = password_hash($pw, PASSWORD_BCRYPT);
if (password_verify($pw, $hash)) {
    // password valid!
} else {
    // wrong password
    echo "wrong password";
}

and I changed $pw:

$q = 'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)';
$stmt = mysqli_prepare($dbc, $q);
// five placeholders, so five type characters
mysqli_stmt_bind_param($stmt, 'sssss', $fn, $ln, $username, $email, $pw);
mysqli_stmt_execute($stmt);

to $hash:

$q = 'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)';
$stmt = mysqli_prepare($dbc, $q);
// five placeholders, so five type characters
mysqli_stmt_bind_param($stmt, 'sssss', $fn, $ln, $username, $email, $hash);
mysqli_stmt_execute($stmt);
Antonio Conte Posted December 12, 2013

Try putting these at the top of your script:

ini_set('display_errors', true);
ini_set('error_reporting', -1);

They might reveal some errors that are currently suppressed/silenced on your end.
artsyL Posted December 12, 2013

Thanks! The error was "Call to undefined function password_hash()." I had to call the hosting service to find out why it was reverting to 5.4.
HartleySan Posted December 12, 2013

Like I said before, just include the password.php file available on GitHub, and you're good. Your hosting company may have reverted because I don't think that 5.5 is a stable release yet (but I could be wrong).