Hashing Passwords in PHP
In this article we will look at password hashing, a process that is not very complex but is still not widely used in web programming. Storing users' passwords in the clear in a database is not a good approach, especially if any Internet user may be able to gain access to that database. Hashing is not a panacea, but it can considerably reduce the damage if the data is stolen. What is a hash function? It is a function with an infinite domain but a finite range, and with one interesting property: even a small change in the input changes the function's value considerably. The basic purpose of hash functions in cryptography is to generate keys from short, memorable passwords (could you remember 16 hexadecimal digits?).
In our example we will use the most widespread language, PHP, and as the algorithm the Secure Hashing Algorithm 1 (SHA-1). The algorithm is not strong enough any more, and the more robust SHA-256 and SHA-512 are already recommended in its place, but for our introductory purposes it will do.
Let's get down to business. The user's life cycle begins with saving the password, so let's see how we can save a hash of the user's password:
<?php
// $db is assumed to be a database wrapper whose query() method takes an SQL
// string with ? placeholders and an array of values to bind (as in the original).
$passwordHash = sha1($_POST['password']);
$sql = 'INSERT INTO user (username, passwordhash) VALUES (?, ?)';
$result = $db->query($sql, array($_POST['username'], $passwordHash));
?>
The next time the user logs in we have to check whether the password was entered correctly. We do it like this:
<?php
$passwordHash = sha1($_POST['password']);
$sql = 'SELECT username FROM user WHERE username = ? AND passwordhash = ?';
$result = $db->query($sql, array($_POST['username'], $passwordHash));
if ($result->numRows() < 1) {
    echo 'Sorry, your username or password was incorrect!';
} else {
    // Escape the user-supplied name before echoing it back into the page.
    printf('Welcome back %s!', htmlspecialchars($_POST['username']));
}
?>
In PHP we can generate hashes with md5() or sha1(); in the first case we get a 128-bit value (32 hexadecimal characters), in the second a 160-bit value (40 characters).
For example, if we run a script like this:
<?php
$string = 'php and information security';
printf("Original string: %s\n", $string);
printf("MD5 hash: %s\n", md5($string));
printf("SHA-1 hash: %s\n", sha1($string));
?>
we get something like the following:
Original string: php and information security
MD5 hash: 88dd8f282721af2c704e238e7f338c41
SHA-1 hash: b47210605096b9aa0129f88695e229ce309dd362
In MySQL we can generate hashes with the built-in functions PASSWORD(), MD5() or SHA1(); the first is used by the database server's own authentication mechanism. Using it is not recommended, however, since up to version 4.1 it was very weak.
Naturally, the functions produce identical results, so the hashes can be saved and checked not by PHP but by MySQL itself:
<?php
$sql = 'INSERT INTO user (username, passwordhash) VALUES (?, SHA1(?))';
$result = $db->query($sql, array($_POST['username'], $_POST['password']));
?>
How can the scheme be improved? The answer is obvious: before hashing we create a random string of a certain length, the salt, and attach it to the password. This kills two birds with one stone: identical passwords will no longer be recognisable to an attacker, and we improve resistance to brute force thanks to the increased length. Naturally the salt has to be stored in the database, but this is the lesser evil; a few extra characters in the database will not cause any problems.
<?php
define('SALT_LENGTH', 9);

// Returns the salt followed by sha1(salt . password). The salt is generated
// when none is supplied, so the same function serves both for storing a new
// password and for recomputing the hash with a known salt during verification.
function generateHash($plaintext, $salt = null)
{
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plaintext);
}
?>
In this case we generate the hash from the plaintext password and a random salt, and it is this modified hash that we write to the database. When checking the password we go the other way round: we take the salt from the database, attach it to the entered password, and compare the result with the hash stored in the DB.
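The verification step just described, as an added example that is not the article's own code: the stored value is split at SALT_LENGTH, the hash is recomputed with the same salt, and the two are compared with hash_equals() so the comparison does not leak timing information. The salt here comes from random_bytes() instead of uniqid()/rand(), which is our substitution, and the database part is left out.

```php
<?php
// Added example, not the article's code. The stored value is
// SALT_LENGTH characters of salt followed by 40 hex characters of SHA-1.
define('SALT_LENGTH', 9);

// Same scheme as the article's generateHash(), but the salt is taken from
// random_bytes() (a CSPRNG) rather than uniqid()/rand(); that change is ours.
function generateHash($plaintext, $salt = null)
{
    if ($salt === null) {
        $salt = substr(bin2hex(random_bytes(SALT_LENGTH)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plaintext);
}

// Verification: recover the salt from the stored value, recompute, compare.
function verifyPassword($plaintext, $stored)
{
    // A stored value of the wrong length can never match; reject it early
    // instead of feeding a truncated salt into the hash.
    if (strlen($stored) !== SALT_LENGTH + 40) {
        return false;
    }
    $salt = substr($stored, 0, SALT_LENGTH);
    // hash_equals() runs in constant time, so the response time does not
    // reveal how many leading characters of the hash matched.
    return hash_equals($stored, generateHash($plaintext, $salt));
}

// Constructed sample data standing in for rows of the user table.
$stored = generateHash('correct horse');
$other  = generateHash('correct horse');

// Same password hashed twice gives different stored values (different salts).
var_dump($stored !== $other);
// Both stored values still verify against the right password ...
var_dump(verifyPassword('correct horse', $stored));
var_dump(verifyPassword('correct horse', $other));
// ... and neither a wrong password nor a malformed stored value verifies.
var_dump(verifyPassword('wrong horse', $stored));
var_dump(verifyPassword('correct horse', 'garbage'));
```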
Summary
We have seen how simple it is to implement this protection. However, the examples above should be treated only as a starting point for your own PHP development. Happy programming!