7

I have some code to register that works, but I don't know how to hash the password. I want to use sha512.

$con=mysqli_connect("localhost","root","","users");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$sql="INSERT INTO users (username, password, email)
VALUES
('$_POST[username]','$_POST[password]','$_POST[email]')";

if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "Thank you.";

mysqli_close($con);

I am aware of my mysql login having no password. This is a local mysql server just used for tests.

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
Trevor Zucker
  • 135
  • 2
  • 3
  • 8
  • 1
    hashing is not encrypting. sha512 is a hashing algorithm. your passwords will not be retrievable once hashed. – Russell Uhl Jul 22 '13 at 21:01
  • @Russell Passwords should not be retrieved, so that is not a problem. On future validation attempts, the supplied password will be hashed and matched to the stored hash. – George Cummins Jul 22 '13 at 21:02
  • @GeorgeCummins I agree it's not an issue. I'm more worried about the incorrect term being used. Namely, he does not want to ENCRYPT anything. The two words are not interchangeable. – Russell Uhl Jul 22 '13 at 21:07
  • 2
    I know that this question is rather old, but because most of the answers get it wrong (no salts, only simple sha512), here is a post on how to [hash passwords in PHP](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php). And if you are interested in password hashing in general check out this post about [hashing passwords correctly](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords). – tim Mar 23 '15 at 12:16

5 Answers5

5

You can use the hash() function to hash your password:

$hashed_password = hash('sha512', $_POST['password']);

Then modify your insert statement to insert your hashed password into the database:

INSERT INTO users (username, password, email)
VALUES ('$_POST[username]', '$hashed_password', '$_POST[email]');

Be aware that your SQL statement is vulnerable to SQL injection since you are using unsanitized user input. For improved security and to protect the integrity of your data, please consider escaping and validating the input before using it in an SQL statement. One way to accomplish this is via mysqli_real_escape_string():

$escaped_username = mysqli_real_escape_string( $con, $_POST['username'] );
$escaped_email = mysqli_real_escape_string( $con, $_POST['email'] );
George Cummins
  • 28,485
  • 8
  • 71
  • 90
  • hashing is not encrypting! However, good call on the sql injection – Russell Uhl Jul 22 '13 at 21:00
  • @Russell I updated to replace the offending word. The OP wants hashing despite the question title: "_I want to use sha512._" – George Cummins Jul 22 '13 at 21:01
  • 1
    Thanks. I'm a little overly paranoid when it comes to security, so I tend to always jump on it when people confuse "hash" and "encrypt". I don't like those terms becoming confused, because they are very different things. It is unfortunate that so many people use them interchangeably without knowing any better. I hope i did not offend :) – Russell Uhl Jul 22 '13 at 21:04
  • The hashing works, thank you, but now I'm getting errors on the anti-injection part of the code: Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\users\insert.php on line 10 Line 10: $eusername = mysqli_real_escape_string( $_POST['username'] ); $sql="INSERT INTO users (username, password, email) VALUES ('$eusername','$hpassword','$eemail')"; – Trevor Zucker Jul 22 '13 at 21:17
  • @Trevor My apologies. `mysqli_real_escape_strong` expects the link as the first parameter. I have updated the answer to reflect that requirement. – George Cummins Jul 22 '13 at 21:18
  • @GeorgeCummins Aha I see you've read my answer (mysqli_real_escape_string) ;-)= – Markus Hofmann Jul 22 '13 at 22:05
  • @Markus Do you mean the one you posted 1 minute and 55 seconds after me? Yes, I saw it. ;) – George Cummins Jul 22 '13 at 22:41
  • 1
    if you are concerned with security I would give this a read: http://crackstation.net/hashing-security.htm has some in depth knowledge that you should read and then extend upon if you are looking to build a secure application. – Cameeob2003 Jul 23 '13 at 00:47
  • Downvote due to improper password hashing. – Lucas Kauffman Mar 22 '15 at 21:08
3

There are a lot of problems with what you're doing here.

First, you are vulnerable to SQL injections because you are not sanitizing your inputs in the SQL.

Second, you should avoid using a fast hash like SHA512 for this. It's not considered secure anymore. Take a look at this question. You basically want to use an adaptive hash function like bcrypt.

Community
  • 1
  • 1
Oleksi
  • 12,947
  • 4
  • 56
  • 80
1

Here's an example of how to hash the password:

<?php
$password = hash('sha512', $_POST[password]);

I recommend salting the password. Read more about this here:
http://www.aspheute.com/english/20040105.asp

Also read about "mysqli_real_escape_string"

…and Prepared Statements.

Markus Hofmann
  • 3,427
  • 4
  • 21
  • 31
  • Downvote due to improper password hashing. – Lucas Kauffman Mar 22 '15 at 21:08
  • The content in a given link is outdated. SHA1 is no longer secure. Plus, since the question is about PHP, not ASP, I suggest updating your link to a more relevant, e.g.: http://php.net/manual/en/faq.passwords.php – Nookeen Oct 26 '17 at 09:44
1

Sanitize your input data first. $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);

Hash your password string

$hashedPassword = hash('sha512', $password);

A better way to hash the password would be to use the new password hash API

$hashedPassword = password_hash($password, PASSWORD_DEFAULT);
tlenss
  • 2,609
  • 2
  • 22
  • 26
  • 5
    **BAD** idea to sanitize a password. YOu'd be throwing away any special chars the user may have wanted to actually **HAVE** in their password. As well, any sql injection-type characters would be gone anyways after you hash it in php. – Marc B Jul 22 '13 at 21:01
  • You got a good point there! – tlenss Jul 22 '13 at 21:02
-2

Please escape your data before entering into your database. They are open to attacks.

hash('sha512', $_POST['password']);
Becs Carter
  • 1,250
  • 1
  • 12
  • 27