I am trying to encrypt my 'password' column with SHA2. The problem is that the injection to MySQL is through a $_POST variable, so I don't understand where I should put the SHA2().

Here is my 'insert' page (inscreate.php):

    <?php
    include 'header.php';
    $ins="INSERT INTO users (uname, pwrd, bdate, mail)
        VALUES ('$_POST[uname]','$_POST[pwrd]','$_POST[bdate]','$_POST[mail]')";
    if (!mysqli_query($con,$ins))
    {
        die('Error: ' . mysqli_error($con));
    }
    echo "User added! You will be returned to the index page!";

    mysqli_close($con);
    ?>

From what I have read I have to put it in the 'value' section of my insert query: http://coderlearner.com/MySQL_Encryption-Decryption_Example_SHA2

So I tried these combinations:

    $ins="INSERT INTO users (uname, pwrd, bdate, mail)
        VALUES ('$_POST[uname]','SHA2($_POST[pwrd])','$_POST[bdate]','$_POST[mail]')";

but then if the password was for example: mypass, the output in my database was this: SHA2(mypass)

I tried this:

    $ins="INSERT INTO users (uname, pwrd, bdate, mail)
        VALUES ('$_POST[uname]',$_POST[SHA2(pwrd)]','$_POST[bdate]','$_POST[mail]')";

But then I get a Parse error (which I understand why, but still I was just trying).

So my question is: Does anyone know how I encrypt a $_POST??

caelin
  • This code is highly vulnerable to [SQL Injection](http://bobby-tables.com/). Please take time to fix this – Touki Apr 24 '14 at 09:04

3 Answers

Look at the examples again.

    mysql> INSERT INTO userpassword(id, username,password)
        -> VALUES(null,'Lili',SHA2('mypassword1',256));

The quotes go around the string. The SHA2() function call goes around the quotes.

Also SHA2() takes two arguments.

    'SHA2($_POST[pwrd])'

should be:

    SHA2('$_POST[pwrd]', 256)

… but don't stick the POST data directly into your SQL. It makes you vulnerable to SQL injection attacks that you need to defend yourself from.

Quentin
  • Could you explain how I should do it then?? Or better, give me a hint so I can figure it out?? – caelin Apr 24 '14 at 09:05
  • @caelin — Follow the links. – Quentin Apr 24 '14 at 09:05
  • You were right!! This works!! I'll accept your answer in a minute, and I will check the links. – caelin Apr 24 '14 at 09:09
  • erm to be honest I don't get a single word of the answer in here http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – caelin Apr 24 '14 at 09:19
  • @caelin: If a malicious user inputs his password as `mypassword'); DROP TABLE users;--` then there's a chance of being vulnerable to SQL injection, see http://bobby-tables.com/ or search on StackOverflow for more info – Léo Lam Apr 24 '14 at 09:24
  • @LéoLam: Yes, that is the part I understood, but I don't get the variable $stmt, I don't get that part. Is it an already existing variable or did he just create it; do I have to use PDO for insertion? – caelin Apr 24 '14 at 09:32
  • @caelin — He created it, you can see him creating it on line one of each of the examples. You don't have to use PDO, the second example uses mysqli. – Quentin Apr 24 '14 at 09:34
  • @LéoLam: Yes, but that is 'SELECT' and I'm using insert – caelin Apr 24 '14 at 09:35
  • @caelin — It doesn't matter if the query is a SELECT query or an INSERT query. The problem is about inserting variables into any kind of query. – Quentin Apr 24 '14 at 09:36
  • @LéoLam: Could you explain the mysqli example please?? – caelin Apr 24 '14 at 09:48
  • @caelin: basically, you are using parameters in the query (the `?` in the query) and then later you're binding the variables to the parameters (in the example, `$name` to the `?`) - this prevents SQL injection – Léo Lam Apr 24 '14 at 10:02
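
The parameter binding described in the comments above, applied to the question's inscreate.php. This is an added example, not code from any of the posters; it assumes, as the question's code implies, that header.php leaves an open mysqli connection in `$con`, and it keeps the answer's `SHA2(..., 256)` call only to show where a SQL function sits relative to a placeholder.

```php
<?php
// Added example (not from the original thread): inscreate.php with a
// prepared statement. Assumption: header.php sets $con to an open mysqli
// connection, as the question's code implies.
include 'header.php';

// Report mysqli errors as exceptions so failures cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Collect the expected form fields; reject missing or non-string values
// (PHP turns "pwrd[]=x" into an array, which must not reach the query).
$fields = [];
foreach (['uname', 'pwrd', 'bdate', 'mail'] as $name) {
    if (!isset($_POST[$name]) || !is_string($_POST[$name]) || $_POST[$name] === '') {
        exit('Missing field: ' . $name);
    }
    $fields[$name] = $_POST[$name];
}

try {
    // Each ? is a parameter slot. No quotes go around it, and the SQL
    // function SHA2() wraps the slot exactly as it wrapped the quoted string.
    $stmt = mysqli_prepare(
        $con,
        'INSERT INTO users (uname, pwrd, bdate, mail)
         VALUES (?, SHA2(?, 256), ?, ?)'
    );

    // 'ssss' declares four string parameters, bound in the order of the ? marks.
    // The values travel separately from the SQL text, so a password like
    // "mypassword'); DROP TABLE users;--" is hashed as data, never parsed.
    mysqli_stmt_bind_param(
        $stmt,
        'ssss',
        $fields['uname'],
        $fields['pwrd'],
        $fields['bdate'],
        $fields['mail']
    );
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    echo 'User added! You will be returned to the index page!';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo database errors to the visitor.
    error_log($e->getMessage());
    echo 'Sorry, the user could not be added.';
} finally {
    mysqli_close($con);
}
```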

The SHA* hash functions are not appropriate for passwords because they are way too fast. Another problem in your example is that you are generating unsalted hashes. Have a look at the PHP function password_hash(); it will generate a BCrypt hash and takes care of the generation of a safe salt. There also exists a compatibility pack for older PHP versions.

    // Hash a new password for storing in the database.
    // The function automatically generates a cryptographically safe salt.
    $hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

    // Check if the hash of the entered login password, matches the stored hash.
    // The salt and the cost factor will be extracted from $existingHashFromDb.
    $isPasswordCorrect = password_verify($password, $existingHashFromDb);

This also means that you cannot verify the password directly within the SQL statement; instead, read the hash from the database (by username), then call password_verify() with this hash.

martinstoeckli
  • "The SHA* hash functions are not appropriate for passwords because they are way too fast." What does this mean? – Koray Tugay Apr 24 '14 at 09:34
  • Fast algorithms make brute-forcing much easier, you can for example calculate [3 Giga](http://hashcat.net/oclhashcat/#performance) SHA1 hashes per second with common hardware. That's why one should use a hash function with a cost factor, there you can determine how much time you want to spend for hashing one password, for example 1 ms. I wrote a tutorial about [safely storing password](http://www.martinstoeckli.ch/hash/en/index.php), where I tried to explain this more in depth. – martinstoeckli Apr 24 '14 at 09:38
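
The store-then-verify flow from the answer above, end to end: hash at registration, read the hash back by username at login, and compare in PHP. This is an added example, not the answerer's code; the schema, sample credentials, cost value and the `register()`/`login()` names are constructed for illustration, and an in-memory SQLite database accessed through PDO stands in for the MySQL table so the script runs without a server.

```php
<?php
// Added example with constructed data. SQLite in memory replaces MySQL here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, pwrd TEXT NOT NULL)');

// Assumed cost factor; raise it until one hash takes as long as you can afford.
const HASH_OPTIONS = ['cost' => 12];

function register(PDO $db, string $uname, string $password): void
{
    // password_hash() generates a random salt and stores salt and cost
    // inside the returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (uname, pwrd) VALUES (?, ?)');
    $stmt->execute([$uname, $hash]);
}

function login(PDO $db, string $uname, string $password): bool
{
    // Look the row up by username only; the password never enters the WHERE
    // clause because every stored hash has its own salt.
    $stmt = $db->prepare('SELECT pwrd FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($password, $stored)) {
        return false;
    }
    // If the cost factor was raised after this hash was created, re-hash
    // now, while the plain-text password is available.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $new = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
        $upd = $db->prepare('UPDATE users SET pwrd = ? WHERE uname = ?');
        $upd->execute([$new, $uname]);
    }
    return true;
}

register($db, 'lili', 'mypassword1');
var_dump(login($db, 'lili', 'mypassword1'));   // correct password
var_dump(login($db, 'lili', 'not-the-one'));   // wrong password
var_dump(login($db, 'nobody', 'mypassword1')); // unknown user
```

In MySQL the `pwrd` column has to be wide enough for the hash: a bcrypt hash is 60 characters, and the PHP manual suggests 255 to leave room for other algorithms.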

Use `SHA2('$_POST[pwrd]',256)` instead of `'SHA2($_POST[pwrd])'`

    $ins="INSERT INTO users (uname, pwrd, bdate, mail)
        VALUES
        ('$_POST[uname]',SHA2('$_POST[pwrd]',256),'$_POST[bdate]','$_POST[mail]')";

Sadikhasan
  • It's closer than I've gotten, but I get this error: Error: Incorrect parameter count in the call to native function 'SHA2' – caelin Apr 24 '14 at 09:04