
I would very much like to know how to add a random salt to the following code. I've been looking around the Internet, but I haven't figured it out yet, at least not the "PDO way" (if it even makes a difference).

Anyway, I've got this code:

login.php:

<html>
    <head>

        <link type="text/css" rel="stylesheet" href="css/style.css" />
    </head>
<body>

<div id="loginForm">

    <?php
    // form is submitted, check if access will be granted
    if($_POST){

        try{
            // load database connection and password hasher library
            require 'libs/DbConnect.php';
            require 'libs/PasswordHash.php';

            // prepare query
            $query = "select email, password from users where email = ? limit 0,1";
            $stmt = $con->prepare( $query );

            // this will represent the first question mark
            $stmt->bindParam(1, $_POST['email']);

            // execute our query
            $stmt->execute();

            // count the rows returned
            $num = $stmt->rowCount();

            if($num==1){

                //store retrieved row to a 'row' variable
                $row = $stmt->fetch(PDO::FETCH_ASSOC);

                // hashed password saved in the database
                $storedPassword = $row['password'];

                // salt and entered password by the user
                $salt = "whatever";
                $postedPassword = $_POST['password'];
                $saltedPostedPassword = $salt . $postedPassword;

                // instantiate PasswordHash to check if it is a valid password
                $hasher = new PasswordHash(8,false);
                $check = $hasher->CheckPassword($saltedPostedPassword, $storedPassword);

                /*
                 * access granted, for the next steps,
                 * you may use my php login script with php sessions tutorial :)
                 */
                if($check){
                    echo "<div>Access granted.</div>";
                }

                // $check variable is false, access denied.
                else{
                    echo "<div>Access denied. <a href='login.php'>Back.</a></div>";
                }

            }

            // no rows returned, access denied
            else{
                echo "<div>Access denied. <a href='login.php'>Back.</a></div>";
            }

        }
        //to handle error
        catch(PDOException $exception){
            echo "Error: " . $exception->getMessage();
        }


    }

    // show the registration form
    else{
    ?>

    <!-- 
        -where the user will enter his email and password
        -required during login
        -we are using HTML5 'email' type, 'required' keyword for some validation, and a 'placeholder' for better UI
    -->
    <form action="login.php" method="post">

        <div id="formHeader">Website Login</div>

        <div id="formBody">
            <div class="formField">
                <input type="email" name="email" required placeholder="Email" />
            </div>

            <div class="formField">
                <input type="password" name="password" required placeholder="Password" />
            </div>

            <div>
                <input type="submit" value="Login" class="customButton" />
            </div>
        </div>
        <div id='userNotes'>
            New here? <a href='register.php'>Register for free</a>
        </div>
    </form>

    <?php
    }
    ?>

</div>

</body>
</html>

register.php:

<html>
    <head>
        <link type="text/css" rel="stylesheet" href="css/style.css" />
    </head>
<body>

<div id="loginForm">

    <?php
    // save the username and password
    if($_POST){

        try{
            // load database connection and password hasher library
            require 'libs/DbConnect.php';
            require 'libs/PasswordHash.php';

            /* 
             * -prepare password to be saved
             * -concatenate the salt and entered password
             */

            $salt="whatever";
            $password = $salt . $_POST['password'];

            /* 
             * '8' - base-2 logarithm of the iteration count used for password stretching
             * 'false' - do we require the hashes to be portable to older systems (less secure)?
             */
            $hasher = new PasswordHash(8,false);
            $password = $hasher->HashPassword($password);

            // insert command
            $query = "INSERT INTO users SET email = ?, password = ?";

            $stmt = $con->prepare($query);

            $stmt->bindParam(1, $_POST['email']);
            $stmt->bindParam(2, $password);

            // execute the query
            if($stmt->execute()){
                echo "<div>Successful registration.</div>";
            }else{
                echo "<div>Unable to register. <a href='register.php'>Please try again.</a></div>";
            }

        }

        //to handle error
        catch(PDOException $exception){
            echo "Error: " . $exception->getMessage();
        }
    }

    // show the registration form
    else{
    ?>

    <!-- 
        -where the user will enter his email and password
        -required during registration
        -we are using HTML5 'email' type, 'required' keyword for some validation, and a 'placeholder' for better UI
    -->
    <form action="register.php" method="post">

        <div id="formHeader">Registration Form</div>

        <div id="formBody">
            <div class="formField">
                <input type="email" name="email" required placeholder="Email" />
            </div>

            <div class="formField">
                <input type="password" name="password" required placeholder="Password" />
            </div>

            <div>
                <input type="submit" value="Register" class="customButton" />
            </div>
            <div id='userNotes'>
                Already have an account? <a href='login.php'>Login</a>
            </div>
        </div>

    </form>

    <?php
    }
    ?>

</div>

</body>
</html>

Now, how do I create a randomly generated salt?

  • Duplicate of: http://stackoverflow.com/questions/2513734/generating-a-salt-in-php ... PDO is irrelevant. – Lee Salminen Mar 26 '14 at 21:47
  • If you generate a random salt, won't you have store the salt so that they can log in again if they create an account? Because next time they try to login, it will generate another random salt, and therefore no records will match. – KevBot Mar 26 '14 at 22:37
  • possible duplicate of [Secure random number generation in PHP](http://stackoverflow.com/questions/1182584/secure-random-number-generation-in-php) – jww Mar 26 '14 at 23:45

1 Answer


Use password_hash (as of PHP 5.5). It will take care of everything for you.

There is a compatibility wrapper for older PHP versions.

TimWolla
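A worked version of the answer's suggestion, added here and not part of the original question or answer: registration and login with password_hash()/password_verify() through PDO, with the random salt living inside the stored hash string rather than in a separate column. It assumes PHP 7.4 or later (for `??=` and the typed signatures) and the pdo_sqlite extension for the stand-in database; the function and constant names are my own.

```php
<?php
// Added example, not code from the question or the answer: the answer's
// password_hash() approach wired to PDO. An in-memory SQLite table stands in
// for the question's MySQL `users` table so this runs offline; the column
// must hold the whole hash string (255 chars is safe), salt included.
const HASH_OPTIONS = ['cost' => 12];
// Registration: password_hash() draws a random salt from the system CSPRNG and
// embeds it, with the algorithm id and cost, in the string it returns. That one
// string is all that is stored; there is no separate salt column to manage.
function registerUser(PDO $con, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    $stmt = $con->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
}

// Login: look the user up by email only, then let password_verify() read the
// salt and cost back out of the stored string and compare in constant time.
function checkLogin(PDO $con, string $email, string $password): bool
{
    // Computed once, so an unknown email costs as much as a wrong password.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT, HASH_OPTIONS);
    $stmt = $con->prepare('SELECT password FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stored = ($row === false) ? $dummyHash : $row['password'];
    $ok = password_verify($password, $stored);   // always runs, even for a miss
    if ($row === false || !$ok) {
        return false;
    }
    // Transparently upgrade hashes made with an older algorithm or lower cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $upd = $con->prepare('UPDATE users SET password = ? WHERE email = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS), $email]);
    }
    return true;
}

// Demo with constructed users. The same password twice gives two different
// hashes, because each call to password_hash() picks a fresh salt.
$con = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$con->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password VARCHAR(255) NOT NULL)');
registerUser($con, 'alice@example.com', 'correct horse battery staple');
registerUser($con, 'bob@example.com', 'correct horse battery staple');
var_dump((int) $con->query('SELECT COUNT(DISTINCT password) FROM users')->fetchColumn());
var_dump(checkLogin($con, 'alice@example.com', 'correct horse battery staple'));
var_dump(checkLogin($con, 'alice@example.com', 'wrong password'));
var_dump(checkLogin($con, 'nobody@example.com', 'anything'));
```

The same two functions drop straight into the question's login.php and register.php in place of the `$salt . $password` concatenation and the PasswordHash calls; only the `users.password` column width needs checking.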