-2

this is my register code:

<?php 

session_start();  // Must start a session. 

require "config.php"; // Connection script, include in every file! 

// Check to see if the user is already logged in. 
// 'isset' checks whether a variable has been 'set'. 
if(isset($_SESSION['username'])){ 
header("location: members.php"); 
exit; // Stop here, otherwise the rest of the script still runs after the redirect header. 
} 

// Check to see if the user clicked the button. 
if(isset($_POST['submit'])) 
{ 
// Variables from the form 
$user  = $_POST['user']; 
$pass  = $_POST['pass']; 
$rpass = $_POST['rpass']; 
$email = $_POST['email'];

// Prevent MySQL injections 
$user  = stripslashes($user); 
$pass  = stripslashes($pass); 
$rpass = stripslashes($rpass);
$email = stripslashes($email); 

$user  = mysqli_real_escape_string($con, $user); 
$pass  = mysqli_real_escape_string($con, $pass); 
$rpass = mysqli_real_escape_string($con, $rpass); 
$email = mysqli_real_escape_string($con, $email); 


// Check to see if the user left any field empty (logical OR, not bitwise |). 
if($user == "" || $pass == "" || $rpass == "" || $email == "") 
{ 
  echo "Alstublieft, vul alle vakjes in!"; 
} 

else 
{ 
  // Check to see if the user's passwords match. 
  if($pass != $rpass) 
  { 
     echo "Passworden komen niet overeen! Probeer het opnieuw"; 
  } 

  // CHECK TO SEE IF THE USERNAME IS TAKEN; IF NOT, ADD USERNAME AND PASSWORD INTO THE DB 
  else 
  { 
     // Query the DB 
     $query = mysqli_query($con,"SELECT * FROM users WHERE username = '$user'") or die("Kan het niet in de tabel zetten!"); 

     // Count the number of rows. If a row exists, then the username exists! 
     $row = mysqli_num_rows($query); 
     if($row == 1) 
     { 
        echo "Sorry, maar die username is al in gebruik! Probeer het opnieuw."; 
     } 

     // ADD THE USERNAME TO THE DB 
     else 
     { 
        $add = mysqli_query($con,"INSERT INTO users (id, username, password, email) VALUES (null, '$user' , '$pass', '$email') ") or die("Kan niet toevoegen!"); 
        echo "Gelukt! <a href='login.php'> Klik hier </a>om in te loggen!"; 
     } 


   }       

  } 

} 
?> 

But how do I use salt in it? I know it's an extra security but I don't know how to use it. I looked on the internet and tried some code but every time it doesn't work.

BenMorel

3 Answers

2

Before using a salt, you should consider storing the password in hashed form. This means that someone looking into your DB can't see the password plain-text. A salt does not help with plain-text passwords. A salt secures hashed passwords against so-called "rainbow table attacks".

For your convenience, password_hash() already hashes a password completely with a randomly generated salt. Just put the result into the database.

To check if the user-provided password matches the one stored in the database, use password_verify()

Alexander
  • I used this function password_hash() but it is resulting in different hash each time. How can I authenticate at login? – spacemonkey Jul 10 '14 at 14:12
  • Either read my post to the end: **"To check if the user-provided password matches the one stored in the database, use password_verify()"** *or* read the official PHP documentation, where password_verify() is even linked from http://de2.php.net/manual/en/function.password-hash.php#refsect1-function.password-hash-returnvalues – Alexander Jul 10 '14 at 15:07
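The registration and login flow from the answer above, written out as an added example (not code from the question or from any answer). It assumes a mysqli connection in $con (as in the question's config.php), mysqlnd so that get_result() is available, and a `password` column of at least VARCHAR(255) so the full hash string fits.

```php
<?php
// Added example: store and check passwords with password_hash()/password_verify().
// Assumes $con is a mysqli connection and the users table from the question.

function register_user(mysqli $con, string $user, string $pass, string $email): bool
{
    // password_hash() picks the algorithm (bcrypt here) and generates a random
    // salt itself; the returned string embeds algorithm, cost and salt, e.g.
    // "$2y$12$<22-char salt><31-char hash>". Do not pass a salt of your own.
    $hash = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]);

    // A prepared statement keeps user input out of the SQL text, so the
    // stripslashes()/mysqli_real_escape_string() steps are no longer needed.
    $stmt = $con->prepare(
        'INSERT INTO users (id, username, password, email) VALUES (NULL, ?, ?, ?)'
    );
    $stmt->bind_param('sss', $user, $hash, $email);
    return $stmt->execute();
}

function login_user(mysqli $con, string $user, string $pass): bool
{
    $stmt = $con->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // password_verify() reads the salt and cost back out of the stored hash
    // and recomputes it, which is why two registrations of the same password
    // give different hashes yet both verify (the question raised in the comments).
    if ($row === null || !password_verify($pass, $row['password'])) {
        return false;
    }

    // If the cost was raised since this hash was made, upgrade it now while
    // the plaintext is available; nothing else in the app needs to change.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $new = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]);
        $up  = $con->prepare('UPDATE users SET password = ? WHERE username = ?');
        $up->bind_param('ss', $new, $user);
        $up->execute();
    }
    return true;
}
```

The "username already taken" check from the question stays as it is; only the stored value changes from the plaintext $pass to $hash.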
0

For creating password hashes, use the crypt() function. You can specify a salt as an optional parameter:

$hashed_password = crypt( $password, "mysalt" );

$hashed_password now contains the encrypted hash of your password. Supplying the salt, as opposed to letting the system automatically generate one for you, will generate an E_NOTICE as of PHP 5.6. It's more secure to specify your own salt.

The encrypted hash of your password now contains the salt, and can be used as the salt when doing a comparison. So when authenticating the user, if $password contains the password specified by the user, you can compare it like this:

if( crypt( $password, $hashed_password ) == $hashed_password ) {
    // Password matches
}
Nick Coons
  • Your example is a bit misleading, it generates an unsafe hash, instead use a slow key-derivation function like BCrypt. The function [password_hash](http://www.php.net/manual/en/function.password-hash.php) generates a safe salt for you, so don't pass your own salt there, it's easy to make a mistake. – martinstoeckli Jan 16 '14 at 16:18
-1

What you really need to do when you want to use salt is:

$passwordForDB = md5('your_salt_string_here'.$pass);

when you do registration.

and then in login script you simply do:

$password = md5('your_salt_string_here'.$_POST['pass']);

if ($passwordFromDB === $password) { // comparison, not assignment (a single = would always be true)
 echo 'Hi User!';
}

That's what we call salt really. It's just mixing encrypted data, like generated keys or password hashes.

PHP also gives you function

password_hash()

I advise you to check it in the documentation. You can use salt there as well: just concat your salt string with the password you are going to hash.

Adrian Modliszewski
  • 1) That's not a salt, that's a pepper. 2) Don't recommend MD5 anymore, it's unsuitable for the task. – deceze Jan 16 '14 at 08:53
  • -1 An MD5 hash can be calculated 81 billion times a second so you can brute force it trivially http://hashcat.net/oclhashcat/ – ta.speot.is Jan 16 '14 at 08:54