0
    if(isset($_POST['add_user'])){
        $passw = trim(htmlentities($_POST['password']));

        $encrypted = enc_salt($passw);

        $con = "true";
            $sql = "SELECT * FROM users WHERE username='".$_POST['user_name']."'";
            $result = $database->query($sql);
            $row = $database->fetch_array($result);

            if($row!=""){
                $con="false";
            }

        if($con!="false"){  
         $sql  = "INSERT INTO photo_gallery.users (username, password, first_name, last_name)";
        $sql .= " VALUES ('".trim(htmlentities($_POST['user_name']))."','".$encrypted."', '".trim(htmlentities($_POST['first_name']))."', '".trim(htmlentities($_POST['last_name']))."')";

        $result_set = $database->query($sql);

        echo '<script type="text/javascript">alert("Account Created!");</script>';}
        else{
            echo '<script type="text/javascript">alert("This username already exist!");</script>';
        }
    }

i already had this code in adding users
and my function enc_salt is:

function enc_salt($string){
    //encrypting
    $pass_word = sha1($string);
    $salt = md5("user");
    $pepper = "cxlkdawpoalsk";

    $pass_encrypted = $salt.$pass_word.$pepper;
    return $pass_encrypted;
}

my problem right now is the time when logging in.

2
Contributors
1
Reply
11
Views
5 Years
Discussion Span
Last Post by ryantroop
1

If you're going to be salting the password, salt it using a stored global in .htaccess
http://www.besthostratings.com/articles/php-variables-htaccess.html

Or from an include that is stored above http access.

This makes a private salt that can only be accesed with root FTP access.

On top of that, your added "pepper" should be unique for each user, and stored in the database with the login info.

md5 is "useless", sha1 is better, sha256 is there, you might as well use it. (heck, there is even better....)

The real way to totally hash out a password is to do it multiple times, using the new hash created + salt + pepper each time... so, lets say I make my private "salt" as a gloabl var $_SALT

function enc($usr, $pw) {   //take in username and password
 $pass = hash("sha256", $pw.$_SALT);    //make initial hash, using our "secret" salt
 $pepper = hash("sha1", $usr);  //make a "pepper" based on the username (or email)
 for(i=0;i=10;i++){
  $pass = hash("sha256", $pass.$_SALT.$pepper); //10 times, we will hash the string with our current pass value, salt, and pepper.
 }

 return $pass.' '.$pepper;  //our function will return a 64 character hashed password, a blank space, and a 40 character hashed public "pepper"
}

From there, we can explode our two values:

$password_object = enc($username, $password);
list($pw_to_store, $pepper_to_store) = explode(" ", $password_object);

You will now have $pw_to_store containing our 64 character hashed password, $pepper_to_store containing our 40 character hashed "pepper", and our salt remains a "secret" only to us.

It is rediculously unlikely you will ever get "hacked" and have this cracked, but anything is possible. This may also be super overkill for what you need.

When a user is logging in, you basically run your encryption test against the password.

so, you basically run the same function, and check the returned value against what is stored in the database. If they don't match, the wrong password or username was entered.

Just remember, that you cannot restore a hashed password, you have to overwrite it.

In your database, you should use char(64) for sha256 and char(40) for sha1. varchar is a poor choice. For an even further added layer of protection, you can have your database encrypt the value as well, but that's tougher to check against when running a password check. The above should be more than suitable.

You could also consider storing the function off the main page, by making it an include with other sensitive information like database username/password information, and storing that in a directory above your default http access.

Note: this really only protects against an SQL dump. If someone gains full access to your code, or ftp access, they can find the $_SALT by simply writing echo "$_SALT", which is why a unique "pepper" is required for each user as well. That way, even if they know the encryption type, and all the other variables, they can still only attack 1 password at a time, and will take months if not years to simply crack 1 password.

Now.. that I've put that all out there.. lets see who wants to improve on my design :) Im sure there are many opinions on this.

Ryan

Votes + Comments
Nice post, I hope it will fire more discussion
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.