
I am putting together a user register/login system for a site I'm making, and in the tutorial I am following the salt is supposed to be 32 characters long. This works when I run the script and echo out the salt onto the page as a test, but when I remove the echo command, the code either updates the MySQL DB with a blank salt, or only 1-2 characters at the most.

I am really new to PHP (and coding in general) so my lack of knowledge here means I am probably missing something obvious. I have followed the tutorial over and over again, still producing the same results.

Does anyone know why this could be?

Here is the code:

Hash.php

<?php
class Hash {
    // Hash the string with the salt appended. The salt defaults to '' so
    // unique() below, which passes only one argument, does not fail.
    public static function make($string, $salt = '') {
        return hash('sha256', $string . $salt);
    }

    // Returns $length raw random bytes. These are binary, not printable
    // characters, so they are not safe to store as-is in a text column.
    public static function salt($length) {
        return mcrypt_create_iv($length);
    }

    public static function unique() {
        return self::make(uniqid());
    }
}
?>

register.php:

<?php
require_once 'core/init.php';

if(Input::exists()) {
    if(Token::check(Input::get('token'))) {
        $validate = new Validate();
        $validation = $validate->check($_POST, array(
            'username' => array(
                'required' => true,
                'min' => 2,
                'max' => 20,
                'unique' => 'users'
            ),
            'password' => array(
                'required' => true,
                'min' => 6
            ),
            'password_again' => array(
                'required' => true,
                'matches' => 'password'
            ),
            'name' => array(
                'required' => true,
                'min' => 2,
                'max' => 50
            )
        ));

        if($validation->passed()) {
            $user = new User();

            $salt = Hash::salt(32);

            try {
                $user->create(array(
                    'username' => Input::get('username'),
                    'password' => Hash::make(Input::get('password'), $salt),
                    'salt' => $salt,
                    'name' => Input::get('name'),
                    'joined' => date('Y-m-d H:i:s'),
                    'group' => 1
                ));

                Session::flash('home', 'You have been registered and can now log in.');
                header('Location: index.php');
                exit; // stop running the script once the redirect is sent

            } catch(Exception $e) {
                die($e->getMessage());
            }

        } else {
            foreach($validation->errors() as $error) {
                echo $error, '<br>';
            }
        }
    }
}
?>
Andrew

  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 31 '17 at 22:17
  • ***WARNING:*** Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern development framework like Laravel comes with a robust authentication system built-in. – Jay Blanchard Jan 31 '17 at 22:17
  • Before I even read your question, I saw your code and see it's about "*user logins*". Why are you trying to reinvent the wheel? You can use `password_hash()` and `password_verify()` as it does the salting for you in a secure way. – Xorifelse Jan 31 '17 at 22:17
  • @JayBlanchard Perhaps I should store basic comments somewhere, browser plugin maybe? – Xorifelse Jan 31 '17 at 22:19
  • @Xorifelse "text file" ;-) – Funk Forty Niner Jan 31 '17 at 22:20
  • Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as `PBKDF2` (aka `Rfc2898DeriveBytes`), `password_hash`/`password_verify`, `Bcrypt` and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Protecting your users is important, please use secure password methods. – zaph Jan 31 '17 at 22:20
  • @Fred-ii- I could potentially write a PHP script that generates comments on a checkbox basis... but meh, I'm lazy and I found an add-on. – Xorifelse Jan 31 '17 at 22:26
  • @Xorifelse let the power of arrays do the work for you ;-) and on a cron job. – Funk Forty Niner Jan 31 '17 at 22:27
  • I appreciate the tips on where to improve security. I didn't choose this method of making a system; it is from following the process of the tutorial I found that I have got to this point. To use any of the processes described here, I would really need to know how to implement it in the code I already have. – Andrew Jan 31 '17 at 22:29
  • @Andrew I am sorry. While I have the knowledge to help you I won't teach you bad table manners. Furthermore, `mcrypt` hasn't been updated in what, 10 years' time? Better, simpler alternatives are available besides the fact that `mcrypt` is removed in PHP 7.2. `mcrypt` has difficulty handling string padding as well. In short, your tutorial helps you learn old methods of doing things and I suggest you try to learn from a different, more recent one. Next thing you're going to tell me is that it's using `mysql_connect()`, no? – Xorifelse Jan 31 '17 at 22:38
  • @Xorifelse Okay, I can have a look for a newer PHP tutorial. Are you saying that I will have to completely re-write all of the .php files I have made, or can I just alter a few of the methods? I am trying to build it in an object orientated fashion, as this seems like the most convenient way to do it, or to make future changes. – Andrew Jan 31 '17 at 23:22
  • Only a few lines of code need to change. Your `Hash` class is entirely obsolete. Feed the raw password into `password_hash()` and store that in the db. At login, verify the raw password and the one stored in the db with `password_verify()`; it's as easy as pie and a hell of a lot more secure. Read [@JayBlanchard](http://stackoverflow.com/questions/41968481/php-salt-generation-is-not-showing-up-properly-in-db?noredirect=1#comment71115696_41968481)'s comments for links. – Xorifelse Jan 31 '17 at 23:35
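The replacement the last comment describes, as an added example that is not code from the question or its tutorial: the `Hash` class rebuilt on `password_hash()`/`password_verify()`, with the separate salt column dropped, plus a hex-encoded token helper for anything that still needs a random string. It assumes PHP 7.0 or later (for `random_bytes()`) and a `password` column wide enough for the hash (VARCHAR(255) is what the PHP manual recommends).

```php
<?php
// Added example, not code from the question or its tutorial. Replaces the
// Hash class with PHP's built-in password API as the comments recommend.
// Assumes PHP >= 7.0 (random_bytes) and a VARCHAR(255) `password` column.

class Hash {
    // Hash a raw, unescaped password. PHP generates the salt and stores it
    // inside the returned string, so register.php needs no 'salt' field.
    public static function make($password) {
        return password_hash($password, PASSWORD_DEFAULT);
    }

    // Login check: compare the submitted raw password with the stored hash.
    public static function check($password, $storedHash) {
        return password_verify($password, $storedHash);
    }

    // Random token for anything that still needs one (e.g. the old unique()).
    // The bytes are hex-encoded so the result is plain text: raw bytes from
    // mcrypt_create_iv() or random_bytes() are binary and do not survive in
    // a text column, which is how the original salt ended up blank/truncated.
    public static function token($bytes = 16) {
        return bin2hex(random_bytes($bytes)); // two hex characters per byte
    }
}

// Constructed demo values standing in for Input::get('password') and the
// row that the login query would return for this username.
$submitted = 'correct horse';
$stored    = Hash::make($submitted);        // what register.php would save
$row       = array('password' => $stored);  // what the login query returns

// Registration stores only $stored; login then calls Hash::check().
var_dump(Hash::check('correct horse', $row['password'])); // right password
var_dump(Hash::check('wrong guess', $row['password']));   // wrong password
var_dump(Hash::token(16)); // 32 printable hex characters, safe for VARCHAR
```

Hashing the same password twice gives two different strings because each call draws a fresh salt, so never compare stored hashes with `==`; always go through `password_verify()`.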

0 Answers