I have found an article on the web with the code below, which I want to use to learn more PHP/MySQL...

<?php
$username = 'Admin';
$password = 'gf45_gdf#4hg';

// Per-user salt: random data, a fixed site string and the lowercased username
$salt = hash('sha256', uniqid(mt_rand(), true) . 'a random string will go here' . strtolower($username));

// Prepend the salt to the password, then re-hash the result 100000 times
$hash = $salt . $password;
for ($i = 0; $i < 100000; $i++) {
    $hash = hash('sha256', $hash);
}

// Keep the salt in front of the final hash so it is available again at login
$hash = $salt . $hash;

How would I validate the password in PHP when a user wants to log in?

Mike
    read a better article –  Apr 18 '13 at 00:12
  • that does not answer my question.. – Mike Apr 18 '13 at 00:13
  • When the user (or you) selects a password, you hash it with a salt, and keep the salt and hash for later use. You have no idea what the password is, as you don't keep that; that's the point. When the user sends his password to the site through a form or something similar, you again hash that password with the same salt, and see if it matches the hash you have stored. If it does, log the user in! – adeneo Apr 18 '13 at 00:17
  • well this is hardly a new or original one, it has been covered a few thousand times, so it seems pointless writing another one –  Apr 18 '13 at 00:17
  • Do I need to store the salt for every password generated if it's random (different) for every user? – Mike Apr 18 '13 at 00:18
  • there is no answer to my question in that post.. – Mike Apr 18 '13 at 00:20
  • lead a horse to water ... –  Apr 18 '13 at 00:22
  • @Mike You should separate the salt when storing. `$hash = $salt . ":" . $hash;` then later on, you can split on the : to have access to the salt and password separately. – Andrew Ty. Apr 18 '13 at 00:35
    @AndrewTy, Or just create a separate database column for the hash – Jonah Apr 18 '13 at 00:36
  • @Jonah Also a valid solution. – Andrew Ty. Apr 18 '13 at 00:45

2 Answers


You would run the exact same procedure and see if the results match.

This is the general procedure for checking whether a submitted password matches a stored password.

  • You create a function which hashes and stores the known password, and typically salts it as well
  • You store that in the database
  • When the user submits a password to login, you run it through the exact same hashing and salting algorithm, and see if the resulting hash matches the hash stored in the database

You should also consider using bcrypt instead: How do you use bcrypt for hashing passwords in PHP?

Jonah
  • so I use the same salt for every user? – Mike Apr 18 '13 at 00:32
  • Each user should have his own salt, which is stored in the database alongside the hashed password. Just make sure that the same salt is used in the verification process as was used when the password was originally hashed and stored in the database. – Jonah Apr 18 '13 at 00:33
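A worked version of the create-and-verify pair described in this answer, added here as an example; it is not code from the question or from either answer. The function names, the `ITERATIONS` and `SITE_SECRET` constants and the `salt:hash` storage format (from Andrew Ty.'s comment) are assumptions; `hash_equals` needs PHP 5.6+ and `password_hash` PHP 5.5+.

```php
<?php
// Added example: the question's hashing scheme wrapped in a create/verify pair.
// ITERATIONS, SITE_SECRET, stretch(), create_hash() and verify_password() are
// names chosen for this example, not from the original post.

const ITERATIONS  = 100000;                          // loop count from the question
const SITE_SECRET = 'a random string will go here';  // fixed site string from the question

// Runs exactly the loop from the question over a given salt and password.
function stretch(string $salt, string $password): string {
    $hash = $salt . $password;
    for ($i = 0; $i < ITERATIONS; $i++) {
        $hash = hash('sha256', $hash);
    }
    return $hash;
}

// Called once, when the user picks a password. Returns "salt:hash" so the
// per-user salt is stored with the hash (a separate column works just as well).
function create_hash(string $username, string $password): string {
    $salt = hash('sha256', uniqid(mt_rand(), true) . SITE_SECRET . strtolower($username));
    return $salt . ':' . stretch($salt, $password);
}

// Called at login: recover the stored salt, repeat the same procedure with that
// salt (no new salt is generated here) and compare in constant time.
function verify_password(string $password, string $stored): bool {
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;                  // malformed record: never treat as a match
    }
    [$salt, $expected] = $parts;
    return hash_equals($expected, stretch($salt, $password));
}

// Usage with the values from the question; $stored is what goes in the users table.
$stored = create_hash('Admin', 'gf45_gdf#4hg');
var_dump(verify_password('gf45_gdf#4hg', $stored));    // correct password
var_dump(verify_password('not-the-password', $stored)); // wrong password

// The bcrypt alternative recommended in the answer: random salt, stretching and
// constant-time comparison are all handled by two built-in functions.
$bcrypt = password_hash('gf45_gdf#4hg', PASSWORD_BCRYPT);
var_dump(password_verify('gf45_gdf#4hg', $bcrypt));
```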

It's recommended to compose a function within PHP that similarly mimics the process you've outlined above. That way, when you're attempting to validate submitted credentials, you will run the password through the same hashing process as it was during conception with the exception of generating the random salt.

Andrew Ty.
  • It's just about the validation, I have the rest covered. So, I would need to check the value of $hash against the value stored in the DB? – Mike Apr 18 '13 at 00:16
  • @Mike, in your exact example, you would take the submitted password, add the salt to it, and run it through the same hashing loop with 10000 iterations. Then you see if the result matches what's stored. See my edited reply. – Jonah Apr 18 '13 at 00:18
  • Edited to reflect the scope you provided @Mike – Andrew Ty. Apr 18 '13 at 00:26