Fellixombc

Basic PHP Security


Password Hashing.

This is a tutorial on making a basic salt function, which enhances your security in general.

Why should I hash my passwords?
You are responsible for keeping your users' passwords safe. If your database is ever compromised (well, if it is, you have a bigger problem on your hands than the passwords), and your passwords are hashed and salted, there's a good chance that the 'hacker' cannot 'crack' them.

First, let's start out with hash functions.

The two most typically used hash functions are md5 and sha1. sha1 is better than md5 because sha1 has a 160-bit hash value as opposed to md5, which has a 126-bit hash value. Want more security with hashes? Look into other functions, such as sha256, etc.

Writing our first salt function.

It's a very easy thing to do; in fact, it's about 6 lines in total!

[PHP]
<?php
// Hash a password with a fixed, application-wide salt.
// The placeholder salt must be replaced with a long random string before use.
function salt($password) {
    $salt = 'RANDOM_CHARACTERS_NUMBERS_HERE';
    // Concatenate the salt and the password, then hash the result with sha1.
    return sha1($salt.$password);
}
?>
[/PHP]

Let's go through the function line by line.

[PHP]
$salt = 'RANDOM_CHARACTERS_NUMBERS_HERE';
[/PHP]

Here, we are basically setting the salt. The salt is supposed to be a random, long string that contains numerals, characters, etc.

[PHP]
return sha1($salt.$password);
[/PHP]

Here, we are hashing the password with the salt. So, if the password was "qwerty", before we hashed it, it would be "RANDOM_CHARACTERS_NUMBERS_HEREqwerty", and after we hashed it, it would be completely different.

SQL Injection safety

SQL injections are bad, really bad, especially if you have a quite large database.

SQL injections are security exploits which allow you to do many things, one of which is dropping a table in the database. The best way to make your application SQL injection safe is the simple function mysql_real_escape_string();

Basically, when a user inputs data into a database, it runs a query. In this query, harmful SQL commands can be inputted. The mysql_real_escape_string function strips the query of any harmful SQL commands.

So how do I use it?

[PHP]
<?php
// The user-supplied value is escaped and then substituted for the quoted %s
// placeholder, so it is never spliced raw into the query text.
// mysql_real_escape_string() needs an open connection from the old ext/mysql
// extension, which was removed in PHP 7.
$query = sprintf("SELECT * FROM users WHERE username = '%s'",
    mysql_real_escape_string($username));
?>
[/PHP]

It's that easy: simply use the sprintf function, and then run the mysql_real_escape_string function on anything that is input from the user.

And that's it!
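An added example, not code from the original post, showing the same two tasks (storing a password and looking a user up by name) with PHP's built-in password_hash()/password_verify(), which generates a random per-user salt instead of one fixed string, and with a PDO prepared statement instead of building the query text by hand. The table and column names and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Requires PHP >= 5.5 for
// password_hash()/password_verify() and the pdo_sqlite extension for the demo.
// Table "users" with columns "username" and "password_hash" is assumed.

// Store: bcrypt via password_hash() draws a fresh random salt for every call and
// embeds it in the returned string, so no application-wide salt is needed.
function storePassword(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Check: the username is bound as a parameter, never concatenated into the SQL,
// so input containing quotes or SQL keywords is compared literally, not executed.
function checkLogin(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;               // unknown user
    }
    // password_verify() reads the salt and cost back out of the stored hash.
    return password_verify($password, $row['password_hash']);
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
storePassword($db, 'alice', 'qwerty');

echo "correct password:  ", checkLogin($db, 'alice', 'qwerty') ? "accepted" : "rejected", "\n";
echo "wrong password:    ", checkLogin($db, 'alice', 'letmein') ? "accepted" : "rejected", "\n";
// The quote-laden username is looked up as a literal string and matches no row.
echo "injection attempt: ", checkLogin($db, "alice' OR '1'='1", 'x') ? "accepted" : "rejected", "\n";
```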


Thank you, I will be using this. (Credit provided ofc)


sha512 is what the cool kids use by the way.


Thank you.

Edited by Faab234


Very Nice Tutorial, I'm 100% Sure a lot of people will be using this :)


no problem guys

sha512 is what the cool kids use by the way.

haha


Good post! Good for newbies! :)


Good tutorial for the starters. I would suggest using this (salt) as a hash instead of md5.


You could add more about mysql injection striptags/slashes and things :D nice tut though

For the salt it would be a lot better, instead of using a default character-based set, if you create a random word and number generating system, kind of like how vBulletin hashes the password. Also, md5 and salt is a lot better than sha1 and salt. They're both pretty much impossible to decrypt, but md5 has a better reputation for password hashing.
