Guys please help, I'm still weak in PHP. Now I have a task to write authorization, but I don't know how to salt and so on.

<?php
session_start();
// Include helper functions
include("function.php");

// Filter and create variables (POST)
$POST_login = filter($_POST['login']);       // submitted login
$POST_password = filter($_POST['password']); // submitted password

// Check whether the data arrived
if (!$_POST['login'] or !$_POST['password']) {
    echo 'You did not enter: <br>';
} else {
    ######### D A T A   A R R I V E D #########
    // Create a mysql connection
    // check whether such a user exists
    $mysql = mysql_query("SELECT * FROM people WHERE name = '".$POST_login."'");
    // Take the login and password for checking
    $mass1 = mysql_fetch_array($mysql); // take the info as an array
    // the check goes here
    // If the submitted login equals the one in the DB, then ...
    if ($POST_login == $mass1['name']) {
        // Such a user exists
        // Check whether the password is correct
        if ($POST_password == $mass1['pass']) {
            // Password matched
            // code goes here
        }
        if ($POST_password != $mass1['pass']) {
            // Password did not match
            echo 'Wrong password!';
        }
    } else {
        // There is no such user in the DB
        echo 'User with this name was not found!';
    }
}
########### Here: what exactly did not arrive ###########
// Login did not arrive
if (!$POST_login) {
    echo 'login <br>';
}
// Password did not arrive
if (!$POST_password) {
    echo 'password';
}
?>
  • Ready-made solutions won't do? No? - Vitaly Kustov
  • Don't store the password in the database, but a hash. For example md5($pass). The salt you're asking about is an entry of this form, for example: md5($pass.'salt'). "SELECT * FROM people WHERE name = '".$POST_login."'" is a direct path to SQL injection. Everything that goes into SQL queries should be checked and rechecked. - ReinRaus
  • So you need to add the salt when registering the user, and here you just log them in. - Deonis
  • I know I need to store it as a hash; I was just told to do something like this: take the current time as a hash, add this hash to the password you receive, and create a session) - Pavel Dura
  • 1
    >> Guys please help, I'm still weak in PHP. Now I have a task to write authorization, but I don't know how to salt and so on. Needs watching :) - Alex Kapustin

1 answer

Salt is when you do not compute MD5(PASSWORD) but MD5(PASSWORD + SALT). The job of the salt is to make recovering a password from its hash harder. There are dictionaries in which the relations MD5(password) = password are recorded. Naturally such a lookup is very fast. With a complex salt, all the options have to be computed. If the password is complex, and SHA1 is used instead of MD5, then the task becomes sad and slow.

Let's look at it in more detail.

You don't keep a password hash in your database (by the way, you should NEVER store a password in the open; it's ... unethical), but something of this kind:

 $salt = substr(sha1($login), 10, 20)."\3\1\2\6";
 $hashpass = sha1(sha1($pass).$salt);

It is generally accepted to write the salt to the database (separately, or in the password hash field, it doesn't matter), but I prefer this option, because if they get the source code they will definitely get the database, but the opposite is not a given). By the way, using the non-printable characters 3 1 ..., in case the adversary only gets the database without the source, gives the cracker many unforgettable hours)

When checking the user's password, repeat the same operation. If you store passwords processed one way or the other, and authorize over HTTPS, it generally turns out quite reliable.

You can also salt passwords transmitted from the browser to the server, via JavaScript functions, but SSL is certainly more reliable.
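The answer's salt scheme applied to the asker's login flow, as an added example (not code from the question or the answer): it assumes PHP 7+, an already-connected PDO handle $pdo (hypothetical) and a people(name, pass) table where pass holds the hash, and it replaces the string concatenation ReinRaus flagged with a prepared statement.

```php
<?php
// Added example: the answer's salt scheme on top of the asker's login flow.
// Assumptions: PHP 7+, a connected PDO handle $pdo (hypothetical), and a
// table people(name, pass) where `pass` holds the hash, never the password.

// Secret non-printable suffix kept in the source, as the answer proposes.
const SALT_SECRET = "\3\1\2\6";

function make_salt(string $login): string
{
    // Per-user part derived from the login, plus the secret suffix.
    return substr(sha1($login), 10, 20) . SALT_SECRET;
}

function hash_password(string $login, string $pass): string
{
    // sha1(sha1(pass) . salt), exactly as in the answer.
    return sha1(sha1($pass) . make_salt($login));
}

function verify_password(string $login, string $pass, string $stored): bool
{
    // Constant-time comparison; == would leak timing information.
    return hash_equals($stored, hash_password($login, $pass));
}

function register(PDO $pdo, string $login, string $pass): void
{
    // Salting happens here, at registration, as Deonis noted in the comments.
    $stmt = $pdo->prepare('INSERT INTO people (name, pass) VALUES (?, ?)');
    $stmt->execute([$login, hash_password($login, $pass)]);
}

function login(PDO $pdo, string $login, string $pass): bool
{
    // Bound parameter instead of string concatenation: no SQL injection.
    $stmt = $pdo->prepare('SELECT pass FROM people WHERE name = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One generic outcome for "no such user" and "wrong password",
    // so the login form does not reveal which accounts exist.
    return $row !== false && verify_password($login, $pass, $row['pass']);
}

// Usage in the asker's script, after session_start():
// $ok = login($pdo, (string)($_POST['login'] ?? ''), (string)($_POST['password'] ?? ''));
// if ($ok) { $_SESSION['user'] = $_POST['login']; } else { echo 'Wrong login or password!'; }
```

PHP 5.5+ also ships password_hash()/password_verify(), which are the better choice for new code; the block follows the answer's own scheme to show it concretely.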

  • 1
    Thank you for broadening my horizons about inserting non-printable characters! ;) - stck
  • 1
    A subtle tendency toward security by obscurity :) Salt in any case complicates the attack. In your case, if you need to change the salt calculation algorithm, you will have to force all users to enter their passwords again. Also, isn't it enough to do $hashpass = sha1($pass . $salt);? Why additionally encrypt the password? - beardog
  • This is a tribute to paranoia. There are three options: use a hard-coded salt; use a tricky salt generation algorithm; store the salt next to the password. Usually the latter is used, but what's the point of the salt if it is "exposed" in the same database. On an old Core2 1.7 GHz, slow PHP computes a million MD5 hashes on one thread in 5.5 seconds, just like that. If you take a Xeon 2x4 at 3 GHz, it will be about 0.3 seconds ... - SilverIce
  • Well, that only means that dictionary password guessing will work. By the way, I don't think it will be any different with SHA1. And a million iterations is less than all the options for 3 bytes (there are 24 million of them). The salt next to the password protects against lookups in precomputed hash tables. Yes, the attacker sees the hash and the salt next to it. But he still has to find a string that, together with the salt, gives this hash. On the other hand, there seems to be a string-matching algorithm that produces a given MD5 in a few hours. I read about it but didn't really get into it. I lean toward it being a half-truth. - avp
  • 2
    As for me, whatever the encryption, a hacker will still get it if he needs to. If nobody needs it, then even a simple 123 password would be too much bother to pick. I keep everything in md5(md5()) and this, I think, is enough. - Yoharny Babay