
I'm new to PHP password hashing since I'm also a beginner in PHP coding. I was able to make a simple login form; it requires a username and password. This password will then be saved to a database by inserting it into a table using `$_POST['password']`. However, I read that this is unsafe because it's plain text; you need to hash it.

I tried researching password hashing in PHP. I found several write-ups, but most of them are not clear for a beginner like me. Though I got some basic ideas, I can't think of how to implement it.

Some of my questions:

1. How do I hash the password inputted by the user?
2. Once it is hashed, how do I pass it and save it to my database?
3. Will the password then be saved as a hash (not plain text) in my database? If so, do I need to extend the field length in my database to accommodate long hashed passwords?

Those are some of my queries, which are obviously from a beginner. I hope someone would enlighten me or show me where to start. I prefer basics so that I can comprehend.

Thank you very much!

EDIT: OK, found some answers on the link provided. Thanks for tagging it as duplicate and I'm sorry for that. Cheers!!

Kimsoyens
  • This question is much too broad. I'd recommend you start here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet – elixenide Jul 09 '15 at 01:20
  • Though that is a great article, it is a little advanced – Drew Jul 09 '15 at 01:24
  • @DrewPierce I agree. Password hashing, however, is also a little advanced. It's easy to do it the right way, but easier still to do it the wrong way. – elixenide Jul 09 '15 at 03:03
  • @EdCottrell I was thinking more of an article written in crayon to cut one's teeth on it first :) – Drew Jul 09 '15 at 03:10
  • Honestly: Just use `$hash = password_hash($_POST['password'], PASSWORD_DEFAULT);` and `password_verify($_POST['password'], $hash);` – Scott Arciszewski Jul 20 '15 at 20:26

1 Answer

-5

The most basic is `$var = md5($_POST['password'])`; you may want to use SHA, but I would recommend that you use a SALT :) For saving it to the database, it is also the same:

`"INSERT INTO tablename (password) VALUES ('$var')"`

Note that md5 is easy to decrypt; this is only to show you how to hash your password.

Jim Steven
  • Yes, I also read that md5 is easier to decrypt. Some say they don't recommend md5. What should be used instead, sir? – Kimsoyens Jul 09 '15 at 01:30
  • I wouldn't even mention md5 – Drew Jul 09 '15 at 01:31
  • All this is an example of is how to do it wrong –  Jul 09 '15 at 01:38
  • To other commentators, did you even read what I've said? Let me quote it: "this is only to show you how to hash your password." SALT, but what I've said is for you to practice and see for yourself how hashing works – Jim Steven Jul 09 '15 at 01:42
  • It's still a bad hash; md5 is simply not safe, salted or not –  Jul 09 '15 at 01:56
  • md5 is NOT suitable for passwords as it has no work factor. Decryption and salts are not really a factor here. Please don't even mention it. You could've mentioned `password_hash` instead and this would've been a good answer. – Scopey Jul 09 '15 at 02:24