
Before: I'm sorry for my English.

Ok, right now I'm using the following encrypt method:

SHA256_PassHash(inputtext, "78sdjs86d2h", MyHash, sizeof(MyHash));

SHA256 WITH SALT: "78sdjs86d2h"

Right now I'm checking the password like this:

if(isset($_POST['username']) && isset($_POST['password'])){
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    $check = get_row("SELECT playerID FROM playeraccounts WHERE playerName='$username' && playerPassword='$password'");
    if(isset($check['playerID']))
    {
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['password'] = $_POST['password'];
        mysql_query("UPDATE playeraccounts SET rpgon=1 WHERE playerName='$username'");
        $id = $check['playerID'];
        header("location: index.php");
    }
    else
    {
        $err = 'Username sau parola incorecte';
    }
}

How can I make it work with this salt method? Please, I'm not very bright about PHP... can somebody enlighten me about how to encrypt the input text?

Scott Arciszewski
  • You should not handle username / password in your app or PHP code directly. Rather an authentication framework should have done that for you. – David Brossard Feb 29 '16 at 00:17
  • Have a look at https://github.com/PHPAuth/PHPAuth for instance – David Brossard Feb 29 '16 at 00:18
  • SHA256 is a hash function. You don't use it for encryption. – r3mainer Feb 29 '16 at 00:18
  • MySQL functions are deprecated; you may wish to start with MySQLi or PDO – D Jones Feb 29 '16 at 00:24
  • Yeah that is a good point too... SHA256 is a cryptographic hash function... More on this here http://security.stackexchange.com/questions/80623/hashing-vs-one-way-encryption – David Brossard Feb 29 '16 at 00:25
  • SHA*, MD5, etc are not encryption, they are cryptographic hash codes which are one-way functions, that is there is no way to un-scramble them back to the original. – zaph Feb 29 '16 at 02:56

1 Answer

Don't use SHA256 (which for future reference is a hash function, not an encryption method) for storing passwords. Refer to How to safely store your users' passwords for up-to-date best practices.

Since you're asking about PHP, you want to use password_hash() and password_verify().

Also, beware of SQL injection corner cases.

Scott Arciszewski
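A hardened version of the login check from the question, as an added example (not the asker's or the answerer's code): it replaces the fixed-salt SHA-256 with password_hash()/password_verify() and the string-built query with a PDO prepared statement. The table and column names (playeraccounts, playerName, playerPassword, playerID, rpgon) are taken from the question; the DSN, database credentials and the registerPlayer/loginPlayer function names are assumptions.

```php
<?php
// Added example, not the question's or answer's code: login with
// password_hash()/password_verify() and PDO prepared statements.
// Table/column names come from the question; DSN and credentials are placeholders.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

// Registration: store only the hash. password_hash() picks a random per-user
// salt and embeds it in the output, so no fixed salt string is needed.
function registerPlayer(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO playeraccounts (playerName, playerPassword) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: bound parameters mean quote characters in the input are data, not SQL.
function loginPlayer(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT playerID, playerPassword FROM playeraccounts WHERE playerName = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['playerPassword'])) {
        return null; // same outcome for unknown user and wrong password
    }
    // Transparently upgrade hashes when PHP's default algorithm or cost changes.
    if (password_needs_rehash($row['playerPassword'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE playeraccounts SET playerPassword = ? WHERE playerID = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['playerID']]);
    }
    return (int) $row['playerID'];
}

if (isset($_POST['username'], $_POST['password'])) {
    $id = loginPlayer($pdo, (string) $_POST['username'], (string) $_POST['password']);
    if ($id !== null) {
        session_regenerate_id(true);  // fresh session id after authentication
        $_SESSION['playerID'] = $id;  // keep the id in the session, never the password
        $pdo->prepare('UPDATE playeraccounts SET rpgon = 1 WHERE playerID = ?')->execute([$id]);
        header('Location: index.php');
        exit;
    }
    $err = 'Username sau parola incorecte';
}
```

Existing accounts whose stored value is the old salted SHA-256 need a one-off migration (for example, verify the old value once at login and then store a password_hash() result), and the playerPassword column must be wide enough for the new value (VARCHAR(255) is safe).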