Larry Ullman's Book Forums

Encryption For Registration, Database Storage Etc.



I'm rebuilding a registration system with the model from your book, but I keep coming across articles that say SHA1, SALT, and SHA256 are not very useful anymore. Therefore, I am thinking of using scrypt, or something like it to handle encryption. Is this an overblown issue? If it is a valid concern, do you have any advice on how to implement it with the code from the book? I am using a hosted server, in case that is important for downloading etc.


It's not an overblown issue. It's something to take very seriously.

 

The short answer to your question is to use bcrypt. Please read the following question and top answer for more information:

http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php

 

As the top answer states, if you're using PHP >= 5.5, then you already have bcrypt built into PHP. If you're using an older version though, then you need to go to the GitHub link and download the password.php file in the lib directory, and include that file into your script.


  • 3 weeks later...

I'm not sure what I'm missing, but the bcrypt code I have been using is generating a blank page, though I have tested for syntax errors and Firebug says there are no errors.

 

The PHP on the server is definitely set to PHP 5.5; the DB is set to VARCHAR(60).

 

Here is the only code I have changed.

I added this:

// Hash the submitted password with bcrypt; $hash is what gets stored.
$hash = password_hash($pw, PASSWORD_BCRYPT);
// Sanity check: the fresh hash should verify against the same password.
if (password_verify($pw, $hash)) {
    // password valid!
} else {
    // wrong password
    echo "wrong password";
}

and I changed $pw:

$q = 'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)';
$stmt = mysqli_prepare($dbc, $q);
// Five placeholders need exactly five type characters ('sssss', not 'ssssss').
mysqli_stmt_bind_param($stmt, 'sssss', $fn, $ln, $username, $email, $pw);
mysqli_stmt_execute($stmt);

to $hash:

$q = 'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)';
$stmt = mysqli_prepare($dbc, $q);
// Five placeholders need exactly five type characters ('sssss', not 'ssssss').
mysqli_stmt_bind_param($stmt, 'sssss', $fn, $ln, $username, $email, $hash);
mysqli_stmt_execute($stmt);
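The two technical passages above, the bcrypt recommendation in the answer and the registration snippet in the follow-up post, as one added example that is not code from the thread or from the book. It assumes an open mysqli connection in $dbc, a users table with the columns named in the post (fn, ln, username, email, pw) plus an assumed user_id primary key, and PHP 7.1 or later for the nullable type declarations; registerUser, loginUser and HASH_OPTIONS are names chosen here.

```php
<?php
// Added example (not from the thread or the book): registration + login with
// PHP's native password API. Assumes $dbc is an open mysqli connection and a
// `users` table with fn, ln, username, email, pw plus an assumed user_id key.
// bcrypt output is always 60 bytes, so VARCHAR(60) fits; VARCHAR(255) leaves
// room if PASSWORD_DEFAULT moves to a longer algorithm later.
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];   // raise as hardware gets faster

/**
 * Register a user: hash the password and store the hash, never $pw itself.
 * Returns the new user id, or null with $error set on failure.
 */
function registerUser(mysqli $dbc, string $fn, string $ln, string $username,
                      string $email, string $pw, ?string &$error = null): ?int
{
    // PASSWORD_DEFAULT is bcrypt today but may change in future PHP releases;
    // loginUser() below uses password_needs_rehash() to migrate old hashes.
    $hash = password_hash($pw, PASSWORD_DEFAULT, HASH_OPTIONS);
    if (!is_string($hash)) {            // PHP 7 returns false on failure
        $error = 'password_hash failed';
        return null;
    }

    $stmt = mysqli_prepare($dbc,
        'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)');
    if ($stmt === false) {
        $error = mysqli_error($dbc);
        return null;
    }
    // Five placeholders, five variables, five type characters. A type string
    // like 'ssssss' makes bind_param fail with a warning; with display_errors
    // off that shows up as a blank page, so check every return value.
    if (!mysqli_stmt_bind_param($stmt, 'sssss', $fn, $ln, $username, $email, $hash)
        || !mysqli_stmt_execute($stmt)) {
        $error = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        return null;
    }
    $id = (int) mysqli_stmt_insert_id($stmt);
    mysqli_stmt_close($stmt);
    return $id;
}

/**
 * Log a user in: look up the stored hash, verify the password, and silently
 * upgrade the hash if the algorithm or cost is now out of date.
 * Returns the user id, or null for an unknown user or wrong password.
 */
function loginUser(mysqli $dbc, string $username, string $pw): ?int
{
    static $dummyHash = null;   // keeps timing uniform for unknown usernames
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder-not-a-real-password',
                                   PASSWORD_DEFAULT, HASH_OPTIONS);
    }

    $stmt = mysqli_prepare($dbc, 'SELECT user_id, pw FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $userId, $storedHash);
    $found = mysqli_stmt_fetch($stmt);   // true = row, null = no row, false = error
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        // Unknown username: still run one bcrypt check so the response time
        // does not reveal which usernames exist, then fail.
        password_verify($pw, $dummyHash);
        return null;
    }
    if (!password_verify($pw, $storedHash)) {
        return null;   // wrong password; the stored hash is never echoed
    }

    // Transparent upgrade: if PASSWORD_DEFAULT or the cost changed since this
    // hash was made, rehash now while the plaintext is legitimately available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $newHash = password_hash($pw, PASSWORD_DEFAULT, HASH_OPTIONS);
        $upd = mysqli_prepare($dbc, 'UPDATE users SET pw = ? WHERE user_id = ?');
        mysqli_stmt_bind_param($upd, 'si', $newHash, $userId);
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }
    return (int) $userId;
}
```

Call registerUser() from the registration script and loginUser() from the login script. Two points worth noticing: verifying a hash immediately after creating it, as in the follow-up snippet, only proves that password_hash and password_verify agree with each other; the verification that matters happens at login against the hash read back from the database. And a blank page from a mysqli script is usually a failed call whose return value was never checked with display_errors turned off, so during development set display_errors on (or log errors) and test every mysqli_* result.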
