Section C.1. Storing Passwords


C.1. Storing Passwords

You should never store cleartext passwords in a database. Instead, store the hash of the password, and use a salt for best results:

     <?php     /* $password contains the password. */     $salt = 'SHIFLETT';     $password_hash = md5($salt . md5($password . $salt));     /* Store password hash. */     ?> 

When you want to determine whether a user has provided the correct password, hash the provided password using the same technique, and compare the hashes:

     <?php     $salt = 'SHIFLETT';     $password_hash = md5($salt . md5($_POST['password'] . $salt));     /* Compare password hashes. */     ?> 

If the hashes are identical, you are reasonably assured that the passwords are also identical.

Using this technique, it is not possible to remind users what their passwords are. When a user forgets her password, you instead let her create a new one, and you store the hash of the new password in the database. Of course, you want to be very careful to identify the user correctlypassword-reminder mechanisms are frequent targets of attack and a common source of security vulnerabilities.





Essential PHP Security
Essential PHP Security
ISBN: 059600656X
EAN: 2147483647
Year: 2005
Pages: 110

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net