Member Avatar for RudyM

Hi All,

I tried reading through this: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet . But I'd like to know if the following scenario is considered good practice for a simple login/registration system.

The userlist table:

create table simp 
(
    USR VARCHAR (128),
    PWD varchar (512),
    SALT VARCHAR(512)
)

I created a stored procedure to execute for inserting new data into userlist table instead of direct insert queries.

CREATE PROCEDURE INSERTUSER
    -- Add the parameters for the stored procedure here
    @usr varchar(512),
    @pwd varchar(512)
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;

    --Create salt for appending to password. Hashing the getdate() value to make it unique per user creation.                               
    DECLARE @SALT VARCHAR(512) = upper(sys.fn_varbintohexsubstring(0, HASHBYTES('SHA2_512', CONVERT(VARCHAR, getdate())),1,0))

    --Insert the username, (password + salt), salt.
    INSERT INTO SIMP (USR, PWD, SALT) VALUES (@USR, @PWD + @SALT, @SALT);

    RETURN 1;
END
GO

In PHP, I'd execute a query like (I will clean this up to use sqlsrv_prepare and use parameters, but for simplicity):
"select PWD, SALT from simp where usr = '$_POST['usr']'";

And with the return values in the login PHP page, do something like:
if(strtoupper(hash('SHA512','asdfd') . $obj->SALT) === $obj->PWD)

Member Avatar for RudyM

The line I included: if(strtoupper(hash('SHA512','asdfd') . $obj->SALT) === $obj->PWD) should really read: if(strtoupper(hash('SHA512',$_POST['pwd']) . $obj->SALT) === $obj->PWD)

Member Avatar for RudyM

@diafol, thanks. I'll be checking this out and testing before marking this as solved. Thanks again.

Member Avatar for RudyM

So I ended up storing the hash value from password_hash() in my db table. Then I query for the password hash by executing a stored procedure that will return the hash value from the table, and compare this to the input password using password_verify(). It works. Good practice?

I'll mark this as solved.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.