Hashing PHP password

Started by irfanyounas, Oct 11, 2022, 03:23 AM

irfanyounas (Topic starter)

I'm doing my first pet project and I'm having problems with registration: when I enter data into the fields and click Register, the entered data is sent to my local database in phpMyAdmin. The files create_user, register and connect_user are responsible for creating accounts; create_user creates them.
I would like to make it so that when I enter the password in the "password" field during registration, it is not just sent to the database (as I have already done) but is also hashed.


Process the password with a hashing function. Write the result to the database. Is it logical?
You need to check not only the result of connecting to the database, but also the result of executing each query.

Why choose the data of all users when registering?
You need to have a field with unique user-oriented identifiers (i.e. a numeric identifier is not suitable for this role), for instance, mail or your username, and create a unique index on it, then the DBMS will not allow creating "duplicate" records.

In MySQL, you can use INSERT IGNORE and look at the number of "affected" records (mysqli::$affected_rows). This amount can be returned in a special function, primarily intended for INSERT, UPDATE, etc. queries, and the error can be "returned" using an exception. That's usually how they do it.


Hashing via md5 is an irreversible process, and a hacker who has access to the hash will not be able to get the password from this hash.
In fact, this statement is not entirely true - currently, evil hackers have compiled libraries of hashes of popular and not-so-popular passwords, and any fool can unravel the password by simply googling its hash.

We are talking about fairly simple, popular passwords.
Google, for example, the hash 827ccb0eea8a706c4c34a16891f84e7b and immediately in the Google search you will see that this is the password '12345'.

Hashes of sufficiently complex passwords cannot be solved in this way (try it).
You may ask what the problem is then - let's all register with complex passwords. There is, however, a problem - most users do not think about the security of their data and can enter fairly simple passwords.

We can force you to come up with longer passwords when registering, limiting, for example, the minimum number of characters to 6 or 8, however, passwords like '123456' or '12345678' will still appear.

You can, of course, come up with a smarter algorithm for checking the password for complexity, but there is another solution.
The essence of this solution is this: passwords need to be salted.
Salt is a special random string that is added to the password during registration, so the hash is no longer calculated from the plain password but from the string salt + password, that is, from a salted password.
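As an added example (not code from this thread), here is how the advice above fits together in PHP: a constructed `users` table with a unique index on `email`, `password_hash()` (which generates a random salt per call and uses bcrypt by default, so the googleable-md5 problem does not arise), and a `create_user()` that detects a duplicate registration by catching the unique-key violation instead of selecting all users first. The PDO connection values, the table layout and the function names are assumptions.

```php
<?php
// Added example (not code from the thread). Assumes a MySQL table:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//     email VARCHAR(255) NOT NULL UNIQUE,   -- unique index: no duplicate accounts
//     password_hash VARCHAR(255) NOT NULL);

// The hash quoted in the thread: a bare md5 of '12345' can simply be looked up.
assert(md5('12345') === '827ccb0eea8a706c4c34a16891f84e7b');

// password_hash() generates a fresh random salt on every call (bcrypt by default),
// so two hashes of the same password differ and a precomputed hash list is useless.
$h1 = password_hash('12345', PASSWORD_DEFAULT);
$h2 = password_hash('12345', PASSWORD_DEFAULT);
assert($h1 !== $h2 && password_verify('12345', $h1) && password_verify('12345', $h2));

// Register a user. Returns true on success, false if the email is already taken.
// Any other database error propagates as a PDOException, so every query is checked,
// not only the connection.
function create_user(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    try {
        $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (here the unique index on email)
        if ($e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

// Login check: compare the submitted password against the stored hash.
function verify_login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Connection values are placeholders for the local phpMyAdmin database.
$db = new PDO('mysql:host=127.0.0.1;dbname=petproject;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
var_dump(create_user($db, 'alice@example.com', 'correct horse battery staple')); // first registration
var_dump(create_user($db, 'alice@example.com', 'another password'));             // same email again: rejected
var_dump(verify_login($db, 'alice@example.com', 'correct horse battery staple')); // login with the right password
```

Only the bcrypt string returned by `password_hash()` is stored; the salt is embedded in it, so `password_verify()` needs no separate salt column.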