Hash output is the same for every word

Question

I'm trying to hash my inserted passwords in PHP but whatever password I insert, the SHA output is always the same. Here are my files, create-user.php:

<?php include 'header.php' ?>
<body>
  <form action="insert-user.php" method="post" role="form">
    <div class="form-group">
      <label for="username">Enter Username:</label>
      <input type="text" class="form-control" name="username" placeholder="e.g. username12" required>
    </div>
    <div class="form-group">
      <label for="password">Enter Password:</label>
      <input type="password" class="form-control" name="password" placeholder="e.g. mypass912" required>
    </div>
    <div class="form-group">
      <label for="email">Enter Email Address:</label>
      <input type="email" class="form-control" name="email" placeholder="e.g. myemail56@hotmail.com" required>
    </div>
    <div class="form-group">
      <label for="bdate">Your Birthdate:</label>
      <input type="date" class="form-control" name="bdate" required>
    </div>
    <button type="submit" class="btn btn-default">Submit</button>
  </form>
</body>
</html>

Here the insert-user.php:

<?php
include 'header.php';
$username=mysqli_real_escape_string($con,$_POST['username']);
$password=mysqli_real_escape_string($con,hash('sha256','$_POST[password]'));
$email=mysqli_real_escape_string($con,$_POST['email']);
$bdate=mysqli_real_escape_string($con,$_POST['bdate']);

$sql="INSERT INTO users (username,password,email,bdate)
    VALUES('$username','$password','$email','$bdate')";
if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}
    echo "User added!";

mysqli_close($con);
?>

Could someone explain how I can get the SHA2 function working correctly?

When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). Additionally, using SHA256 to hash passwords is **completely inadequate** and will expose your users to severe risks if your database is ever compromised. When writing this, be sure to check a [security reference guide](http://www.phptherightway.com/#security) do it correctly. — tadman, May 27 '14 at 18:10
Please have a look at the function [password_hash()](http://www.php.net/manual/en/function.password-hash.php), fast hash algorithms like SHA* should not be used to hash passwords. — martinstoeckli, May 27 '14 at 20:00

tadman · Accepted Answer · 2014-09-16T16:40:10.793

2

This version uses bind_param and the proper password encoding mechanism:

<?php
include 'header.php';

$sql = "INSERT INTO users (username,password,email,bdate) VALUES(?,?,?,?)";

$stmt = mysqli_prepare($con, $sql);

mysqli_stmt_bind_param('ssss',
  $_POST['username'],
  password_hash($_POST['password'), PASSWORD_DEFAULT),
  $_POST['email'],
  $_POST['bdate']
);

if (!mysqli_stmt_execute($con,$stmt)) {
  die('Error: ' . mysqli_error($con));
}
    echo "User added!";

mysqli_close($con);
?>

It's a lot easier to get the quoting right when you don't have to worry about it in the first place.

edited Sep 16 '14 at 16:40

answered May 27 '14 at 18:17

tadman

208,517
23
234
262

1

This is really the correct answer. Good job on actually fixing their code to be what it should be instead of fixing the small problem that I did. – Jonathan Kuhn May 27 '14 at 18:23
I am really late with this, I know. But I don't see what I have to use the password.php for?? Since I don't have it in the first place. – caelin Sep 16 '14 at 16:34
That can probably be ignored, so I've removed it. Key here is to use the `password_hash` function and the `bind_param` method of adding data to your query. Both of those are necessary to ensure that you've made a secure system. – tadman Sep 16 '14 at 16:40
Hmmm it still doesn't work, I get an empty output, no error or anything. Any idea or should I post a new question? – caelin Sep 16 '14 at 17:13
Be sure to [enable exceptions](http://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) so you'll know if something produces an error. No output, no errors may mean it's not even running the right script or block of code. – tadman Sep 16 '14 at 18:45

score 1 · Answer 2 · answered May 27 '14 at 18:03

1

remove the quotes from around '$_POST[password]'. When a variable is placed inside of single quotes, it the variable is not translated into it's value. It is the literal string. In your code you are just hashing the string $_POST[password] every time, not the variable.

answered May 27 '14 at 18:03

Jonathan Kuhn

15,279
3
32
43

Thankyou, I can accept your answer in a couple of minutes, so I will – caelin May 27 '14 at 18:05

score 1 · Answer 3 · answered May 27 '14 at 18:06

1

change

$password=mysqli_real_escape_string($con,hash('sha256','$_POST[password]'));

to

$password=mysqli_real_escape_string($con,hash('sha256', $_POST['password']));

answered May 27 '14 at 18:06

fortune

3,361
1
20
30

Hash output is the same for every word

3 Answers3