I want to ask how to save a user's password to the database? I've done it but the result is saved to the database is not the same as the password was entered. and password that instead turned into a strange code that long. even though I've been using the action 'md5'. correction please what is wrong with my syntax controllers.thanks before
function add(){
$data['title']="Add user";
$this->_set_rules();
if($this->form_validation->run()==true){
$kode=$this->input->post('username');
$cek=$this->m_user->cek($kode);
if($cek->num_rows()>0){
$data['message']="<div class='alert alert-danger'>Username is already in use/div>";
$this->template->display('admin/adduser',$data);
}else{
$info=array(
'name'=>$this->input->post('name'),
'addres'=>$this->input->post('addres'),
'dateofbirth'=>$this->input->post('dateof birth'),
'email'=>$this->input->post('email'),
'username'=>$this->input->post('user'),
'password'=>md5($this->input->post('password')),
'level'=>$this->input->post('level')
);
$this->m_user->save($info);
redirect('admin/user/add_success');
}
}else{
$data['message']="";
$this->template->display('admin/adduser',$data);
}
}
md5 is a hashing algorithm which is hashing your password to the string of 32 char length.
that string is the hash of the password you entered.
for ex if your password is abcd then md5(password) will be d41d8cd98f00b204e9800998ecf8427e.
remove that md5() to see your password
If you are applying md5 to the input you have received via form post that means you want to encrypt your password in a secured format. md5() basically applies an encryption to generate a 32 character long text that is secure and not possible to decrypt.
Also this considered a good practice to follow this strategy but you need to be little bit careful before applying the same subject to your requirement and data.
Also if you don't want to apply this encryption then simply omit this method before the post variable:
Before: 'password'=>md5($this->input->post('password')),//Gives encrypted 32 char long text
After : 'password'=>($this->input->post('password'), //Gives plain text
Related
I have this code:
$password = vancab123;
password_hash(base64_encode( hash('sha512',$password, true) ), PASSWORD_DEFAULT );
Database stored value:
$password = $2y$10$jUa8ZEFBX5lfsBmySUnJFeSSyKwQ1v/emazJZPh8MwJ0g0lLbmjYC;
My Problem:
I used that on "remember me" function. If the user used that function his/her credentials (email and password) will be saved for 7 days using cookie.
My problem is because the email and password will automatically fill up the email and password text boxes, the password text box characters is too long because it was hashed.
How can I match the length of the hashed password to the original/unhashed password?
And you dont need to jump through all those hoops to use password_hash and this is how to check that an entered password matches the previously hashed password
The point of a HASH is it cannot (within a sensable time frame) be converted back to its original value. Instead you have to compare it using password_verify() to the unhashed value the user enters when they return and attempt to login using the same password.
$password = 'vancab123';
$hashed_pwd = password_hash($password);
// test the hashed password
if ( password_verify($password, $hashed_pwd) ) {
//password entered is OK
} else {
//password entered is WRONG
}
ADDITION after you clarified your question:
Read this for a Remember me functionality What is the best way to implement "remember me" for a website?
A hash is a one way transformation of an arbitrary value. They are by nature irreversible. In your case you will have to hash the password provided by the user, retrieve the value from the db, and do the comparison of both hashed values.
The only alternative would be the paradigm behind a rainbow attack, in which you hash every conceivable possibility and store them as key value pairs, but that is a lot of data.
I've used the following instructions to install a mail server:
http://www.geoffstratton.com/ubuntu-mail-server-postfix-dovecot-and-mysql
Now I'm trying to program a login form in PHP but don't know how to compare the entered password with the saved password.
This is the mysql-code for the password encryption:
ENCRYPT('PASSWORD', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
I don't understand how it works because with every call of this function a completely new string is being generated.
This is what I have so far:
crypt($_POST[‘password’], '$6$'.substr(sha1(rand()), 0, 16))
But as I said every time I get a new string.
Use the PHP functions password_hash and password_verify.
These functions salt and iterate to provide secure protection.
See PHP Manual password_hash and password-verify.
string password_hash ( string $password , integer $algo [, array $options ] )
Returns the hashed password, or FALSE on failure.
boolean password_verify ( string $password , string $hash )
Returns TRUE if the password and hash match, or FALSE otherwise.
Example code:
$hash = password_hash("rasmuslerdorf", PASSWORD_DEFAULT)
if (password_verify('rasmuslerdorf', $hash)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
In your case you grab the password hash for that username from the database, and keep it in a variable called $hash. Then you use password_verify() like this:
password_verify($_POST["password"], $hash)
Consider the case where a password is simply stored as its hash. Anyone reading the data would have a hard job working out what the password actually is, however its not impossible, indeed there are online database containg vast numbers of indexed hashes and the corresponding cleartext - its possible to simply lookup the hash for commonly chosen passwords. Further, consider the case if two users had the same hash - that also means anyone reading the data would know they had the same password.
Both these problems are addressed on secure system by adding a random string, known as a salt to the cleartext. This salt is only generated once and is then stored alongside the password.
So the data you have stored is $6$[salt]$[hash of (salt + password)]
To verify the password you recreate the hash using the stored salt and the password presented and compare that with stored hash. The crypt function ignores any data after the salt, so you simply do this:
if ($stored === crypt($_REQUEST['password'], $stored)) {
// Password is valid
The code you are using has very low entropy in its salt derivation - this is probably adequate for most purposes but not in highly secure contexts.
I am searching the internet for what type of hashing algorithm should I use to store passwords in MySQL database and for sending email confirmation messages with hashed token, the algorithm should include:
1- at least 14 chars random salt (uding udev random)
2-a key that will be stored on the server
3-timestamp
4-a very strong and secure hashing algorithm using the function hash_***(is this the best?)
I haven't found elegent code that workds, could you please show me
Thank you
Follow the examples provided in PHP the Right Way under password hashing:
require 'password.php';
$passwordHash = password_hash('secret-password', PASSWORD_DEFAULT);
if (password_verify('bad-password', $passwordHash)) {
// Correct Password
} else {
// Wrong password
}
DO NOT under any circumstances "invent" your own algorithm. These are notoriously tricky to get right and unless you have a background in cryptography you will almost certainly get it dangerously wrong.
Somebody should pls guide me on how i can fetch out hashed password from database and match the password entered by a user when login in
i used php crypt() function with bcrypt algorithms to hash the password when registrian the user
thank you all in advance
From the documentation:
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
You need to pass in the original hash, otherwise crypt will generate a random salt and the passwords are very unlikely to match. I.e.
//BROKEN - will almost always print "Bugger off!".
$hash = crypt('Hello world');
$attempt = crypt('Hello world');
if($hash === $attempt){
echo "Access granted!";
}else{
echo "Bugger off!";
}
You don't need to "fetch" the hash from the database, you just hash the given password (from a login attempt I assume) and match THAT hash against the password column of a database. if a match is found where the password column matches the hash that you just made AND the username is a match, then the password is valid.
Thank you all, if i really get your explanations you mean i should hash the coming password from a user attempting to login and then compare the hash value with the one in DB
EXAMple
$salt=//the bcrypt algorithms format, cost parameter and the salt goes here, thesame with the one use when registrian
$coming_pass= crypt( $password, $salt)
mysqli_query ( SELECT from user WHERE username= $username AND
password= $coming_pass)
you just send the unencrypted password into the same crypt process as you did with the encrypted password, then they should match.
PHP has built in Options to do that, look at Creating a Hash, and Verifying a Hash
pseudo-code
hashed password = hp
plain text password = p
seed (Random Number generated by server) = s
hash algorithm (md5, sha1, sha256, ...) = hash
Example with Seeded Hash
hp = hash(p + s)
the order you set the seed is not important, as long you do it the same way every time, by Concatenate the password and seed
Example without Seeded Hash
hp = hash(p)
you will need to save the hp and seed, the p should NEVER be saved by the server, as Plain Text Passwords is a security issue.
C# Code Example:
static public bool IsPasswordCorrect(string hp, string seed, string enteredPasword)
{
return (hp == Sha1(String.Concat(enteredPasword, seed)));
}
this way you have no direct way to get the password from the database, and only the actual Client will have the Plaintext Password.
if you want a 2-way encryption algorithm, you will need to look at RSA, but it is way more complicated and requires a lot of knowledge to make secure.
Is there a way to compare passwords stored in database after being encrypted in sha2() and the password entered by users during login without encrypting the login-time-password? Actually I want to match the passwords character by character and pass for a match in either of upper case or lower case i.e. in other words is there a function or method to de-crypt the saved password before comparison?
What you want to do sounds fishy.
Anyway no you can't recover a hashed string
You can't "decrypt" a SHA hash. Instead, compare the SHA version of the entered password with the stored passwords in the database (also hashed).
$enteredpass = $_POST['password'];
$enteredpass = sha2($enteredpass);
$realpass = sha2('password123'); //Yup, best password EVAR!! xD
if ($enteredpass == $realpass) {
echo "THE PASSWORD IS CORRECT!! :D";
}
else {
echo "THE PASSWORD IS INCORRECT!!";
}
You probably want to use a database, but this is just a simple example... ;)