Encrypt the password in the database

Question

I am looking for a way to encrypt the password in the database.

I found a question similar to mine here: How do I create and store md5 passwords in mysql

But I didn't know what is the salt ? Do I need to added in my table beside user and password columns, and what data type should I give it ?

$escapedName = mysql_real_escape_string($_POST['name']); # use whatever escaping function your db requires this is very important.
$escapedPW = mysql_real_escape_string($_POST['password']);

# generate a random salt to use for this account
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));

$saltedPW =  $escapedPW . $salt;
$hashedPW = hash('sha256', $saltedPW);

$query = "insert into user (name, password, salt) values ('$escapedName', '$hashedPW', '$salt'); ";

Usually you don't store encrypted passwords, you hash passwords. — Daan, Mar 30 '15 at 11:43

score 0 · Accepted Answer · answered Mar 30 '15 at 11:57

but I didn't know what is the salt ?

The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.

do I need to added in my table beside user and password columns

Yes it should be saved in your users table. Because to check a password e.g. on log in you need encrypt typed password from a form input with the salt stored in the db for this user with the same algorithm:

$typedPW = mysql_real_escape_string($_POST['password']); // from form input
$saltedPW =  $typedPW . $salt;  // $salt from db
$typedHashedPW = hash('sha256', $saltedPW); // compare it with db "password" value

and compare this computed string with stored one in password field (from your code) in db.

what data type should I give it

it is an ordinary string

Encrypt the password in the database

1 Answers1