I have a PHP login script with salt in the database, but in my register script I see:
$qry = "INSERT INTO accounts(username, firstname, lastname, password) VALUES('$username','$fname','$lname','" . md5($_POST['password']) . "')";
and to enter:
$qry="SELECT * FROM accounts WHERE username='$username' AND password='" . md5($_POST['password']) . "'";
Is there any code that can replace MD5? Is there something safer?
I heard about SHA1 or something like that.
Short answer
Use bcrypt, not md5 or sha1.
Longer answer
Using crypt() directly is difficult. In PHP version 5.5 there is a new password hashing API; you can read about it here:
https://gist.github.com/nikic/3707231
bcrypt . , php 5.5 , API :
https://github.com/ircmaxell/password_compat
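As an added illustration of that answer (this is example code, not from the question or the answer), here is what the question's register and login queries look like when rewritten on top of the PHP 5.5 password API (password_hash() / password_verify(), or the password_compat polyfill linked above on 5.3.7+). It assumes a PDO connection $pdo and the question's accounts table, with the password column widened to hold the 60-character bcrypt string. The salt, algorithm and cost are embedded in that string, so no separate salt column is needed, and user input is bound as parameters rather than interpolated into the SQL text.

```php
<?php
// Added example, not code from the question or answer. Assumes PHP >= 5.5
// (or password_compat on 5.3.7+) and a PDO handle $pdo to a table
// accounts(username, firstname, lastname, password) whose password column
// is at least 60 characters wide (bcrypt output length).

define('BCRYPT_COST', 12); // 2^12 rounds; raise as hardware gets faster

function register_account(PDO $pdo, $username, $fname, $lname, $password)
{
    // password_hash() draws a random salt and returns "$2y$12$<salt><hash>";
    // the salt and cost travel inside the string, nothing else is stored.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

    // Prepared statement: values are bound, never spliced into the SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO accounts (username, firstname, lastname, password) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute([$username, $fname, $lname, $hash]);
}

function login_account(PDO $pdo, $username, $password)
{
    // Look the row up by username only; the password check happens in PHP,
    // so the database never compares hashes and the query shape never changes.
    $stmt = $pdo->prepare('SELECT * FROM accounts WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    // password_verify() re-derives the hash from the embedded salt and cost
    // and compares in constant time.
    if (!password_verify($password, $row['password'])) {
        return false; // wrong password
    }
    return $row;
}

// Usage with the question's form fields (constructed call, no real request):
// $ok  = register_account($pdo, $_POST['username'], $_POST['fname'], $_POST['lname'], $_POST['password']);
// $row = login_account($pdo, $_POST['username'], $_POST['password']);
```

Returning false for both "no such user" and "wrong password" keeps the login response identical in either case, which is the behaviour the original SELECT ... AND password=... query also had.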
bcrypt PHP?
@jszbody , , .
MD5, "BAC232BC1334DE" - .
SHA - , : "SHA: YOURSHAHASHHERE".
, . , MD5 . (.. ), MD5 SHA.
, , . , , "ilovekittens" , Big Jake Mahoney "ilovekittens" , .
: "SHA: RANDOMSALTCHARACTERS: YOURSALTEDHASHHERE".
. Unsalted, , .
<?php
class PassHash {
    // blowfish ($2y is the corrected identifier on PHP >= 5.3.7; $2a is the older one)
    private static $algo = '$2y';
    // cost parameter: 2^10 rounds. A cost of 31 would take hours per hash and is not usable in practice.
    private static $cost = '$10';

    // mainly for internal use: 22 salt characters from the bcrypt alphabet (a-zA-Z0-9./)
    // note: mt_rand() is not a cryptographic source; password_hash() on PHP 5.5 generates a proper random salt for you
    public static function unique_salt() {
        return substr(sha1(mt_rand()), 0, 22);
    }

    // this will be used to generate a hash
    public static function hash($password) {
        return crypt($password, self::$algo . self::$cost . '$' . self::unique_salt());
    }

    // this will be used to compare a password against a hash
    public static function check_password($hash, $password) {
        // the first 29 characters are "$2y$10$" plus the 22-character salt
        $full_salt = substr($hash, 0, 29);
        $new_hash = crypt($password, $full_salt);
        return ($hash === $new_hash);
    }
}
?>
include_once('passhash.class.php');
PassHash::hash("test");
if (PassHash::check_password($databasepassword, $formpassword)) {
    // do stuff
}
For more on Blowfish, go to PHP.net/crypt.
Blowfish , . MD5 SHA1 !
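The answer above stores salted Blowfish hashes, but the asker already has an accounts table full of unsalted md5() values. The following is an added example (not from either answer) of migrating such a table in place: at login, a row still holding a 32-hex-character MD5 digest is verified against md5() one last time and, on success, replaced with a bcrypt hash; rows already on bcrypt are rehashed only if the cost has been raised. It assumes PHP >= 5.6 (for hash_equals()) and uses a constructed in-memory array $users in place of the database.

```php
<?php
// Added example, not part of the answer. Migrates legacy unsalted md5()
// passwords to bcrypt lazily, as each user logs in, with no forced reset.
// Assumes PHP >= 5.6. $users is constructed sample data standing in for
// the accounts table.

define('BCRYPT_COST', 12);

function is_legacy_md5($stored)
{
    // Unsalted md5() output is exactly 32 hex characters; bcrypt strings start with "$2y$".
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Returns true if $password matches $stored. When the stored value should be
// replaced (legacy MD5, or bcrypt at an outdated cost), $newHash receives the
// replacement; otherwise it is left null.
function verify_and_upgrade($password, $stored, &$newHash)
{
    $newHash = null;
    if (is_legacy_md5($stored)) {
        // Constant-time comparison of the legacy digest.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        // Correct password against a legacy hash: upgrade to bcrypt now,
        // while the plaintext is available.
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Already bcrypt; rehash only if the configured cost has gone up since.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return true;
}

// Constructed rows: alice is still on md5(), bob is on bcrypt at a low cost.
$users = [
    'alice' => md5('correct horse'),
    'bob'   => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 4]),
];

$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'battery staple']];
foreach ($attempts as $attempt) {
    list($name, $pw) = $attempt;
    $ok = verify_and_upgrade($pw, $users[$name], $newHash);
    if ($ok && $newHash !== null) {
        // In real code: UPDATE accounts SET password = ? WHERE username = ?
        $users[$name] = $newHash;
    }
    printf("%s: %s%s\n", $name, $ok ? 'ok' : 'rejected', $newHash !== null ? ' (hash upgraded)' : '');
}
```

After the first successful login each row carries a bcrypt string and is_legacy_md5() stops matching it, so the md5() branch disappears from the hot path on its own; accounts that never log in again can be expired or reset separately.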