Looking to hash passwords entered from user input to mysql database

Question

I have a HTML registration form for users to register for a site that sends information from the form to a mysql database for user log in verification. I have an input box that allows the user to enter in a varchar password which will then be sent to the site, my problem is tat it is not secure as once the password is entered it sends to the database and anyone can see it. I am looking to hash a variable if possible.

 $Name = $_POST['Name'];
 $Age = $_POST['Age'];
 $Location = $_POST['Location'];
 $Goal = $_POST['Goal'];
 $User = $_POST['user'];
 $Pass = $_POST['pass'];

 $sql = "INSERT INTO Clients (Name, Age, Location, Goal, Pass, User)
VALUES ('$Name', '$Age', '$Location', '$Goal', '$Pass', '$User')";

if ($conn->query($sql) === TRUE) {
echo "Thanks for registering!! You can now attempt to log in";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}$conn->close();

HTML Form:

<form class="form-horizontal" name="form1" method="POST" 
 action="register.php">
<h3> Enter Name: </h3>
<input type="text" name ="Name"/>
<h3> Enter Age:</h3>
<input type="text" name="Age" />
<h3> Enter Location: </h3>
<input type="text" name="Location" />
<h3> Goal </h3>
<input type="text" name="Goal" />
<h3> Create Username : </h3>
<input type="text" name="user" />
<h3> Create password: </h3>
<input type ="password" name="pass" />  

<input type="submit" value="Register" />
</form>

It works fine I need to know how to hide the passwords from view in the database. Any help would be much appreciated.

Your script is at risk of [SQL Injection Attack](//stackoverflow.com/questions/60174) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](//stackoverflow.com/questions/5741187) Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php). — John Conde, Apr 19 '18 at 12:01
Please do not **roll your own** password hashing scheme. PHP provides [password_hash()](http://php.net/manual/en/function.password-hash.php) and [password_verify()](http://php.net/manual/en/function.password-verify.php) please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). — John Conde, Apr 19 '18 at 12:01
***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Apr 19 '18 at 12:01
If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* — Jay Blanchard, Apr 19 '18 at 12:39
What I mean by 'hide the passwords' is that once a user creates a password on my form it goes to the database, but I can view the password in the database, meaning if my database was hacked someone could obtain all the passwords of users — Dillon Dooley, Apr 20 '18 at 16:27

score 3 · Answer 1 · answered Apr 19 '18 at 12:02

Please use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack.

$Pass = password_hash($_POST['pass'], PASSWORD_DEFAULT);

Also, make sure the database can hold the password

password text DEFAULT NULL -- set to 'text' type

The password_hash() can generate some very lengthy text (the current default is 60 characters), so making the MySQL field larger now will allow for the length needed. Secondly the PHP team is adding more algorithms to the method which means the hash can and will grow. We also do not want to limit our user's ability to use the password or passphrase of their choice. It's best to leave room for the changes.

always hate websites that force you to enter password that is x to y length with numbers, capital letters and a symbol. — A. L, Apr 19 '18 at 13:31

Looking to hash passwords entered from user input to mysql database

1 Answers1