How to use sha256 in php5.3.0
https://stackoverflow.com/questions/1752477
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm using sha256 to encrypt the password. I can save the sha256 encrypted password in mysql. But i can't login with the same clause.
Insert code:
<?php
error_reporting(E_ALL ^ E_NOTICE);
$username = $_POST['uusername'];
$passcode = $_POST['ppasscode'];
$userflag = $_POST['uuserflag'];
//$passcodeen = hash('sha256',$passcode);
$passcodeen = hash('sha256', (get_magic_quotes_gpc() ? stripslashes($ppasscode) : $ppasscode));
$conn = mysql_connect("localhost","charles","charles") or die("connection failed with DB:".mysql_error());
mysql_select_db("sessiondb");
$query = "INSERT INTO users(username,passcode,userflag) values('$username','$passcodeen','$userflag')";
Select code:
<?php
error_reporting(E_ALL ^ E_NOTICE);
@mysql_connect("localhost","charles","charles") or die("Connection failed".mysql_error());
@mysql_select_db("sessiondb") or die("Database doesn't exist".mysql_error());
//get user input
$username = $_POST['username'];
$ppasscode = $_POST['ppasscode'];
//$passcodeen = hash('sha256', $ppasscode);
$passcodeen = hash('sha256', (get_magic_quotes_gpc() ? stripslashes($ppasscode) : $ppasscode));
//get session value from mysql
$query = @mysql_query("select username, userflag from users where username ='$username' and passcode = '$passcodeen'") or die("Query execution failed".mysql_error());
Is there something wrong? I'm very confused. Thanks.
Solution
Could this be a typo? (two Ps in ppasscode, intended?)
$_POST['ppasscode'];
I would make sure and do:
print_r($_POST);
and make sure the data is accurate there, and then echo out what it should look like:
echo hash('sha256', $_POST['ppasscode']);
Compare this output to what you have in the database (manually). By doing this you're exploring your possible points of failure:
- Getting password from form
- hashing the password
- stored password
- comparison of the two.
OTHER TIPS
First of all, sha256 is a hashing algorithm, not a type of encryption. An encryption would require having a way to decrypt the information back to its original value (collisions aside).
Looking at your code, it seems it should work if you are providing the correct parameter.
Try using a literal string in your code first, and verify its validity instead of using the
$_POST[]variableTry moving the comparison from the database query to the code (get the hash for the given user and compare to the hash you have just calculated)
But most importantly before deploying this in any kind of public fashion, please remember to sanitize your inputs. Don't allow arbitrary SQL to be insert into the queries. The best idea here would be to use parameterized queries.
You should use Adaptive hashing like http://en.wikipedia.org/wiki/Bcrypt for securing passwords
The first thing is to make a comparison of functions of SHA and opt for the safest algorithm that supports your programming language (PHP).
Then you can chew the official documentation to implement the hash() function that receives as argument the hashing algorithm you have chosen and the raw password.
sha256 => 64 bits
sha384 => 96 bits
sha512 => 128 bits
The more secure the hashing algorithm is, the higher the cost in terms of hashing and time to recover the original value from the server side.
$hashedPassword = hash('sha256', $password);
A way better solution is to just use the excelent compatibility script from Anthony Ferrara:
https://github.com/ircmaxell/password_compat
Please, and also, when checking the password, always add a way (preferibly async, so it doesn't impact the check process for timming attacks) to update the hash if needed.
