C.1. Storing Passwords

You should never store cleartext passwords in a database. Instead, store a hash of the password, and include a salt when computing it. The salt defeats precomputed tables of hashes for common passwords; for best results it should be a random value generated separately for each user and stored alongside the hash, so that two users who choose the same password do not end up with the same stored hash. The example below uses a single fixed salt, which is the simplest form of the technique. Note also that MD5 is a fast general-purpose hash, so an attacker who obtains the table can test candidate passwords against it very quickly; deliberately slow, purpose-built password hashes are preferred for new code:

     <?php
     /* $password contains the password. */
     $salt = 'SHIFLETT';
     $password_hash = md5($salt . md5($password . $salt));
     /* Store password hash. */
     ?>

When you want to determine whether a user has provided the correct password, hash the provided password using the same technique and the same salt, and compare the hashes:

     <?php
     $salt = 'SHIFLETT';
     $password_hash = md5($salt . md5($_POST['password'] . $salt));
     /* Compare password hashes. */
     ?>

If the hashes are identical, you are reasonably assured that the passwords are also identical. Where one is available, use a comparison that runs in constant time (hash_equals() in PHP 5.6 and later), so that the time taken by the comparison does not reveal how many leading characters of the stored hash a guess got right.
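As an added example (not code from the book), here is the same store-then-compare procedure with a random salt generated per user and stored beside the hash, a constant-time comparison, and, for contrast, the password_hash()/password_verify() pair that PHP 5.5 and later provide for exactly this job. It assumes PHP 7 or later (for random_bytes() and hash_equals()); the $users array and the user names are constructed stand-ins for a database table.

```php
<?php
/*
 * Added example, not from the book. Demonstrates salted password storage
 * with a per-user random salt and constant-time verification, then the
 * built-in password_hash()/password_verify() API.
 * Assumes PHP 7+. $users is a hypothetical in-memory stand-in for a table
 * with columns (username, salt, hash).
 */

$users = [];

/* The book's salted-MD5 construction, kept only to show where the salt goes.
 * MD5 is fast; prefer password_hash() (below) in real code. */
function hash_password_with_salt(string $password, string $salt): string
{
    return md5($salt . md5($password . $salt));
}

/* Register a user: draw a fresh 16-byte random salt and store salt + hash. */
function register_user(array &$users, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16));   /* unique per user, never a fixed constant */
    $users[$username] = [
        'salt' => $salt,
        'hash' => hash_password_with_salt($password, $salt),
    ];
}

/* Verify a login: recompute the hash with the stored salt and compare in
 * constant time so the comparison leaks no timing information. */
function verify_user(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $record    = $users[$username];
    $candidate = hash_password_with_salt($password, $record['salt']);
    return hash_equals($record['hash'], $candidate);
}

/* Modern equivalent: password_hash() chooses the algorithm, cost and a random
 * salt itself and encodes all of them into the returned string, so nothing
 * else needs to be stored. */
function register_user_modern(array &$users, string $username, string $password): void
{
    $users[$username] = ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function verify_user_modern(array $users, string $username, string $password): bool
{
    return isset($users[$username])
        && password_verify($password, $users[$username]['hash']);
}

/* Usage with constructed sample data. */
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob',   'correct horse battery staple');
/* alice and bob chose the same password; per-user salts give them different hashes. */
var_dump($users['alice']['hash'] === $users['bob']['hash']);
var_dump(verify_user($users, 'alice', 'correct horse battery staple'));
var_dump(verify_user($users, 'alice', 'wrong password'));

register_user_modern($users, 'carol', 'hunter2');
var_dump(verify_user_modern($users, 'carol', 'hunter2'));
var_dump(verify_user_modern($users, 'carol', 'hunter3'));
```

The per-user salt is what makes the stored table resistant to a single precomputed dictionary: an attacker must attack each account separately. The password_hash() route adds the second property the book's construction lacks, a slow hash with an adjustable cost, and should be the default choice on any PHP version that has it.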

Using this technique, it is not possible to remind users what their passwords are. When a user forgets her password, you instead let her create a new one, and store the hash of the new password in the database. Of course, you want to be very careful to identify the user correctly: password-reminder mechanisms are frequent targets of attack and a common source of security vulnerabilities.


Essential PHP Security
ISBN: 059600656X
Year: 2005
Pages: 110