Larry Ullman's Book Forums
artsyL

Encryption For Registration, Database Storage Etc.

I'm rebuilding a registration system with the model from your book, but I keep coming across articles that say SHA1, SALT, and SHA256 are not very useful anymore. Therefore, I am thinking of using scrypt, or something like it, to handle encryption. Is this an overblown issue? If it is a valid concern, do you have any advice on how to implement it with the code from the book? I am using a hosted server, in case that is important for downloading etc.


It's not an overblown issue. It's something to take very seriously.

 

The short answer to your question is to use bcrypt. Please read the following question and top answer for more information:

http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php

 

As the top answer states, if you're using PHP >= 5.5, then you already have bcrypt built into PHP. If you're using an older version though, then you need to go to the GitHub link and download the password.php file in the lib directory, and include that file in your script.


I'm not sure what I'm missing, but the bcrypt code I have been using is generating a blank page, though I have tested for syntax errors and Firebug says there are no errors.

 

The PHP on the server is definitely set to PHP 5.5. The db is set to varchar(60).

 

Here is the only code I have changed.

I added this:

// password hash function
$hash = password_hash($pw, PASSWORD_BCRYPT);
if (password_verify($pw, $hash)) {
    // password valid!
} else {
    // wrong password
    echo "wrong password";
}

and I changed $pw:

$q = 'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)';
$stmt = mysqli_prepare($dbc, $q);
mysqli_stmt_bind_param($stmt, 'ssssss', $fn, $ln, $username, $email, $pw);
mysqli_stmt_execute($stmt);

to $hash:

$q = 'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)';
$stmt = mysqli_prepare($dbc, $q);
mysqli_stmt_bind_param($stmt, 'ssssss', $fn, $ln, $username, $email, $hash);
mysqli_stmt_execute($stmt);


Like I said before, just include the password.php file available on GitHub, and you're good.

Your hosting company may have reverted because I don't think that 5.5 is a stable release yet (but I could be wrong).
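
A registration and login pair built on the functions discussed in this thread, added here as an example; it is not code from any of the posts or from the book. It assumes the users table and the $dbc mysqli connection shown in the thread, and register_user() and check_login() are hypothetical names. The type string passed to mysqli_stmt_bind_param() carries one letter per bound variable, and database errors are reported as exceptions rather than failing silently.

```php
<?php
// Added example. On PHP < 5.5, include the password.php compatibility file first.
// Report mysqli failures as exceptions so a bad query does not end in a silent blank page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Registration: hash once and store only the hash (hypothetical helper name).
function register_user(mysqli $dbc, $fn, $ln, $username, $email, $pw)
{
    // The salt and cost are embedded in the 60-character bcrypt string.
    $hash = password_hash($pw, PASSWORD_BCRYPT);
    if ($hash === false) {
        return false; // hashing failed; never fall back to storing $pw
    }
    $q = 'INSERT INTO users (fn, ln, username, email, pw) VALUES (?, ?, ?, ?, ?)';
    $stmt = mysqli_prepare($dbc, $q);
    // Five placeholders, five type letters, five variables.
    mysqli_stmt_bind_param($stmt, 'sssss', $fn, $ln, $username, $email, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Login: this is where password_verify() belongs, against the stored hash.
function check_login(mysqli $dbc, $username, $pw)
{
    $stmt = mysqli_prepare($dbc, 'SELECT pw FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $stored);
    $found = mysqli_stmt_fetch($stmt); // true, false, or null when no row matches
    mysqli_stmt_close($stmt);
    // password_verify() reads the salt and cost back out of $stored.
    return $found === true && password_verify($pw, $stored);
}

// Constructed sample input: a hash/verify round trip that needs no database.
$sample = password_hash('correct horse battery', PASSWORD_BCRYPT);
var_dump(strlen($sample));
var_dump(password_verify('correct horse battery', $sample));
var_dump(password_verify('wrong guess', $sample));
```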
