Question

I am trying to encrypt my 'password' column with SHA2. The problem is that the injection to MySQL is through a $_POST variable, so I don't understand where I should put the SHA2().

Here is my 'insert' page (inscreate.php):

    <?php
    include 'header.php';
    $ins="INSERT INTO users (uname, pwrd, bdate, mail)
        VALUES ('$_POST[uname]','$_POST[pwrd]','$_POST[bdate]','$_POST[mail]')";
    if (!mysqli_query($con,$ins))
    {
        die('Error: ' . mysqli_error($con));
    }
    echo "User added! You will be returned to the index page!";

    mysqli_close($con);
    ?>

From what I have read I have to put it in the 'value' section of my insert query: http://coderlearner.com/MySQL_Encryption-Decryption_Example_SHA2

So I tried these combinations:

$ins="INSERT INTO users (uname, pwrd, bdate, mail)
            VALUES ('$_POST[uname]','SHA2($_POST[pwrd])','$_POST[bdate]','$_POST[mail]')";

but then if the password was for example: mypass, the output in my database was this: SHA2(mypass)

I tried this:

$ins="INSERT INTO users (uname, pwrd, bdate, mail)
    VALUES ('$_POST[uname]',$_POST[SHA2(pwrd)]','$_POST[bdate]','$_POST[mail]')";

But then I get a parse error (which I understand why, but still I was just trying). So my question is: does anyone know how I encrypt a $_POST?

Solution

Look at the examples again.

mysql> INSERT INTO userpassword(id, username,password)
    -> VALUES(null,'Lili',SHA2('mypassword1',256));

The quotes go around the string. The SHA2() function call goes around the quotes.

Also SHA2() takes two arguments.

'SHA2($_POST[pwrd])'

should be:

SHA2('$_POST[pwrd]', 256)

… but don't stick the POST data directly into your SQL. It makes you vulnerable to SQL injection attacks that you need to defend yourself from.

OTHER TIPS

The SHA* hash functions are not appropriate for passwords because they are way too fast. Another problem in your example is that you are generating unsalted hashes. Have a look at the PHP function password_hash(); it will generate a BCrypt hash and takes care of the generation of a safe salt. There also exists a compatibility pack for older PHP versions.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

This also means that you cannot verify the password directly within the SQL statement, instead read the hash from the database (by username), then call password_verify() with this hash.
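
The advice from the answers above combined, as an added example that is not code from the original posts: the password is hashed in PHP with password_hash(), every value is bound through a prepared statement, and login reads the hash by username before calling password_verify(). The in-memory SQLite database through PDO, the function names registerUser() and checkLogin(), the primary key on uname and the sample values are assumptions made so the example runs without a MySQL server; mysqli offers the same placeholders through prepare() and bind_param().

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite through PDO, so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The column names follow the question's users table.
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, pwrd TEXT NOT NULL, bdate TEXT, mail TEXT)');

function registerUser(PDO $db, array $post): void
{
    // Hash in PHP, not in SQL: password_hash() generates the salt and applies the cost factor.
    $hash = password_hash($post['pwrd'], PASSWORD_BCRYPT);

    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (uname, pwrd, bdate, mail) VALUES (?, ?, ?, ?)');
    $stmt->execute([$post['uname'], $hash, $post['bdate'], $post['mail']]);
}

function checkLogin(PDO $db, string $uname, string $password): bool
{
    // Read the stored hash by username; the comparison happens in PHP.
    $stmt = $db->prepare('SELECT pwrd FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matches the username.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample input standing in for $_POST; the quote in the name
// would break a string-built INSERT but is stored literally here.
$post = [
    'uname' => "O'Brien",
    'pwrd'  => 'mypassword1',
    'bdate' => '1990-01-01',
    'mail'  => 'obrien@example.com',
];
registerUser($db, $post);

var_dump(checkLogin($db, "O'Brien", 'mypassword1'));   // correct password
var_dump(checkLogin($db, "O'Brien", 'wrongpassword')); // wrong password
var_dump(checkLogin($db, 'nobody', 'mypassword1'));    // unknown user
```
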

Use SHA2('$_POST[pwrd]',256) instead of 'SHA2($_POST[pwrd])':

$ins="INSERT INTO users (uname, pwrd, bdate, mail)
       VALUES 
('$_POST[uname]',SHA2('$_POST[pwrd]',256),'$_POST[bdate]','$_POST[mail]')";
Licensed under: CC-BY-SA with attribution