
This is not working:-

$query= "INSERT INTO `members`(`name`,`email`,`password`)  VALUES('".mysqli_real_escape_string($link,$_POST['name'])."','".mysqli_real_escape_string($link,$_POST['email'])."','".$_POST['password']_hash("astkhlo",PASSWORD_DEFAULT)."')";

I am using xampp. It says

Parse error: syntax error, unexpected '_hash' (T_STRING)

Alive to die - Anant
Davam
  • In `$_POST['password']_hash`, the `_hash` is incorrect syntax. – Spencer Wieczorek Sep 28 '16 at 05:31
  • Don't you mean: `password_hash($_POST['password'], PASSWORD_DEFAULT)`? What is `astkhlo` meant to be? A salt? – M. Eriksson Sep 28 '16 at 05:32
  • Learn about prepared statements. – Jens Sep 28 '16 at 05:32
  • Instead of using all the POST values directly, convert them to variables and use those in the query. Easier and correct approach. – Alive to die - Anant Sep 28 '16 at 05:38
  • @MagnusEriksson yes that's a salt. How to add a salt in password_hash? – Davam Sep 28 '16 at 05:48
  • @Davam You don't need to, if you're using `password_hash()`, it takes care of that for you. Every password will have its own salt, making it more or less impractical to create a rainbow table for it. If you want to make it much more brute-force safe, add a cost as a third parameter instead: `password_hash($_POST['password'], PASSWORD_DEFAULT, ['cost' => 10])`. The higher the cost, the slower the hashing = less efficient to brute force. And if you still want to use a salt, I recommend reading about how to generate a proper random and secure salt. – M. Eriksson Sep 28 '16 at 05:51

3 Answers

You have used password_hash() with the wrong syntax.

password_hash — Creates a password hash

password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

Replace your Insert Query with this one:

Method One:

$query= "INSERT INTO `members`(`name`,`email`,`password`)  VALUES('".mysqli_real_escape_string($link,$_POST['name'])."','".mysqli_real_escape_string($link,$_POST['email'])."','".password_hash($_POST['password'],PASSWORD_DEFAULT)."')";

Method Two:

$name = mysqli_real_escape_string($link,$_POST['name']);
$email = mysqli_real_escape_string($link,$_POST['email']);
$password = password_hash($_POST['password'],PASSWORD_DEFAULT);
$query= "INSERT INTO `members`(`name`,`email`,`password`)  VALUES('".$name."','".$email."','".$password."')";

Both methods produce the same output, but in method two the strings are escaped into variables beforehand.

Example:

<?php
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
?>

Output:

$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a

Note: your script is vulnerable to SQL injection even though you escape the strings before insertion. Try to use prepared statements so that you avoid the SQL injections that are possible in a normal query.

Naresh Kumar P

You need to do something like below (a better approach):

$name = mysqli_real_escape_string($link,$_POST['name']);
$email = mysqli_real_escape_string($link,$_POST['email']);
$password = password_hash($_POST['password'],PASSWORD_DEFAULT);

$query= "INSERT INTO members(name,email,password)  VALUES('".$name."','".$email."','".$password."')";

Note:

Your script is still vulnerable to SQL injection.

Try to learn prepared statements to prevent SQL injection. Thanks

Alive to die - Anant
    Thanks. @Anant can you tell me how to add a salt in it? – Davam Sep 28 '16 at 05:44
  • @Davam check this :- http://stackoverflow.com/a/12870972/4248328 OR http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords – Alive to die - Anant Sep 28 '16 at 05:47
  • @Davam - I would also recommend you to read this article: https://crackstation.net/hashing-security.htm. It is lengthy, but if you actually respect your users, you really should read it all to understand what is and isn't secure and why. (Since a lot of people are reusing credentials, you are handling your users' confidential information, after all). – M. Eriksson Sep 28 '16 at 06:00
  • @Anant How to query during login in case of password_hash? `$query= "SELECT * FROM members WHERE email='".$email."' AND password='".$password."' LIMIT=1 "; $result= mysqli_query($link,$query); $row = mysqli_fetch_array($result);` Is it ok? – Davam Sep 28 '16 at 09:23
  • Yes, that seems correct. – Alive to die - Anant Sep 28 '16 at 09:25
  • @Anant It's not working. I cannot login. – Davam Sep 28 '16 at 12:13
  • check the error log files or do once `$result= mysqli_query($link,$query) or die(mysqli_error($link));` – Alive to die - Anant Sep 28 '16 at 12:16
  • @Anant this is the error: `mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given` – Davam Sep 28 '16 at 16:08
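Two of the answers and several comments recommend prepared statements without showing them, and the comment thread above ends with a login query that compares the submitted password to the stored hash inside SQL, which can never match a salted `password_hash()` result. As an added example that is not part of any answer on this page, here is how both steps look with mysqli prepared statements: `password_hash()` on registration and `password_verify()` on login. The XAMPP connection details, the `members` table layout, the function names and the `id` column are assumptions for illustration; the dummy hash is the `rasmuslerdorf` hash from the `password_hash()` documentation example quoted in the first answer.

```php
<?php
// Added example; not code from the question or the answers on this page.
// Assumes XAMPP defaults (root, empty password) and a `members` table with
// id INT AUTO_INCREMENT PRIMARY KEY, name, email, and a VARCHAR(255) password
// column wide enough for future PASSWORD_DEFAULT algorithms (assumed schema).
declare(strict_types=1);

// Throw exceptions on every mysqli error instead of returning false silently;
// this is what turns "mysqli_result expected, boolean given" into a real message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link = new mysqli('localhost', 'root', '', 'test');   // assumed connection details
$link->set_charset('utf8mb4');                         // charset must match the server for escaping

// Bcrypt hash of "rasmuslerdorf" from the PHP manual, used only so that a login
// for an unknown e-mail still costs one password_verify() call (no timing leak).
const DUMMY_HASH = '$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a';

function registerMember(mysqli $link, string $name, string $email, string $password): int
{
    // The salt and algorithm id are embedded in the returned string, so there
    // is no separate salt column and no manual salt parameter.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text entirely; no escaping needed.
    $stmt = $link->prepare('INSERT INTO members (name, email, password) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $email, $hash);
    $stmt->execute();

    return (int) $link->insert_id;
}

function loginMember(mysqli $link, string $email, string $password): ?array
{
    // Look the row up by e-mail only. The hash is checked in PHP, never in SQL.
    $stmt = $link->prepare('SELECT id, name, email, password FROM members WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no row matches

    $storedHash = $row['password'] ?? DUMMY_HASH;
    if (!password_verify($password, $storedHash) || $row === null) {
        return null;                              // same failure path for unknown e-mail and wrong password
    }

    // If PASSWORD_DEFAULT or the cost has changed since this hash was made,
    // re-hash now while the plaintext is available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $id = (int) $row['id'];
        $upd = $link->prepare('UPDATE members SET password = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $id);
        $upd->execute();
    }

    unset($row['password']);                      // never hand the hash to the caller
    return $row;
}

// Usage with the form fields from the question.
if (isset($_POST['name'], $_POST['email'], $_POST['password'])) {
    $newId  = registerMember($link, $_POST['name'], $_POST['email'], $_POST['password']);
    $member = loginMember($link, $_POST['email'], $_POST['password']);
    echo $member === null ? "login failed\n" : "logged in as {$member['name']}\n";
}
```

`get_result()` needs the mysqlnd driver, which XAMPP ships with; on builds without it, use `bind_result()` and `fetch()` instead. With `mysqli_report()` set to throw, the `mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given` error from the thread cannot occur: a failed query raises a `mysqli_sql_exception` carrying the server's message (for the query in the comments, the syntax error at `LIMIT=1`) instead of returning `false`.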

Always try to write reader-friendly code, and use password_hash() for passwords.

password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

$name_value = mysqli_real_escape_string($link,$_POST['name']);
$email_value = mysqli_real_escape_string($link,$_POST['email']);
$password_value = password_hash($_POST['password'],PASSWORD_DEFAULT);

$query= "INSERT INTO members(name,email,password)
VALUES('".$name_value."','".$email_value."','".$password_value."')";
Ayaz Ali Shah