0

I am working on a project which may be running on a server using mySQL or MS SQL as the Database. Therefore I am using PHP PDO to connect with my database. How can I most effectively handle password storage and verification, as I do not want to store them in plain text?

I have attempted using Google for PDO Login and all the articles are mySQL specific, including using mySQL functions. I have so far been unable to find anything regarding cross database support.


   // PDO::query() cannot bind placeholders; use prepare()/execute() so the values are sent as parameters.
   // $username and $password are assumed to hold the submitted login form values.
   // Note: "Limit 1" is MySQL syntax; MS SQL Server uses "Select Top 1 ..." instead.
   $qry = $db_conn->prepare("Select UserADID, EMPLID, UserActive, UserRole from tbl_Users Where UserADID= :USR_NAME and UserPass= :USR_PASS Limit 1");
   $qry->execute([':USR_NAME' => $username, ':USR_PASS' => $password]);


I would expect to be able to pull from the DB the user's credentials (role and status) if their account is verified.

  • If the connection is all done with PHP, then use [`password_hash`](https://www.php.net/manual/en/function.password-hash.php) and [`password_verify`](https://www.php.net/manual/en/function.password-verify.php) – aynber Jul 25 '19 at 13:16
  • Ok good to know. From what I was reading, it seemed as if the password_hash and password_verify were mySQL specific. Did not know that they were universal. – psycoperl Jul 25 '19 at 13:21
  • @aynber a best practice question on this topic. Is it best to hash and send the password as part of the query to check it, or to pull the hashed password out of the db and then verify it? – psycoperl Jul 25 '19 at 13:23
  • They are PHP commands instead of MySQL. Basically, all of the hashing will be done before it's inserted into the database. – aynber Jul 25 '19 at 13:23
  • I think with the `password_verify()` function, it's better to pull the hash out of the database and then verify it. – aynber Jul 25 '19 at 13:24
  • Even more, passwords **cannot** be safely stored with only the SQL commands because of the random salt; it has to be done in the development language (PHP). I wrote an example of how it can be done in PDO in another [answer](https://stackoverflow.com/a/38422760/575765). – martinstoeckli Jul 26 '19 at 11:23
  • Possible duplicate of [Secure hash and salt for PHP passwords](https://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – Dharman Jul 27 '19 at 13:02

1 Answer

0

I used @aynber's suggestion of password_hash and password_verify.

If the connection is all done with PHP, then use password_hash and password_verify – aynber Jul 25
