Using md5 (old way):
$sql = "SELECT * FROM 'table' WHERE `username`='bob' AND `password`='123456'";
** check the password before getting data out of the database.
Using password_hash and password_verify (new way):
$sql = "SELECT `password` FROM 'table' WHERE `username`='bob'";
$bool = password_verify('password_from_post_method', 'password_from_database');
if($bool) {echo "your password is right";}
** the data was got from database first, and then check the password out of the database.
*** I think the old way is better. Get the data out of database when I confirm the password is right. Maybe, I use password_hash and password_verify in the wrong way. Please give suggestion if you have any idea. Thanks.
You persist [hashed(password) + randomSalt]
in the password column of your database. Can you write the SQL as
you have mentioned in the approach 1, during verification ? You can not, because random generated salt is also persisted along with the password. That is why your 'new way' is
the way to go.
Related
I want to get the transaction ID of the current running transaction.
Here is my code:
$con = $entityManager->getConnection();
$con->beginTransaction();
$entity = new Entity(); .....
$entityManager->persist($entity);
$entityManager->flush();
$con->commit();
I can't find any method to get the ID... Only running native SQL can solve this, but I don't think this is proper
I'm assuming you're using the default settings of Doctrine, so it will use PHP PDO underneath. It looks that PDO does not have ability to resolve transaction ID - maybe because it's different for each DBMS, so it's not ANSI SQL.
Take a look on PDO::beginTransaction() documentation, it returns just boolean. Also, there is no other function to retrieve ID.
You have to execute raw SQL which may be not that bad. I know that many people thinks that ORM/DBAL will allow to change DB engine in future, but - from my experience, YMMV - I always used some engine-specific behaviours. Even running SQLite for testing instead of MySQL failed at some point because of small differences about handling nulls and default values.
To fetch transation ID in PostgreSQL:
$con = $entityManager->getConnection();
$query = $con->executeQuery('SELECT txid_current()');
$transactionId = $query->fetchOne();
I have a password that has been stored and I'd like to figure out how it's been 'transformed' to be stored in my database.
The plaintext password is:
k4oK203$
And the password as it is stored 'crypted' in my database is:
6xqmRr0QNUrc0uvwGchWqA==
How would I go about figuring out what transformation (base64? sha1? md5? etc.) that were used in order to get the plain text password in to the database value?
In my node.js application I should be able to create some new users.
And to store the passwords in a secure fashion, I use the sodium-native library to generate argon2 hashes (https://github.com/sodium-friends/sodium-native). Now I try to store a string representation of those hashes in my postgres database.
The JavaScript query string looks like this:
INSERT INTO users (email, name, password) VALUES ('${email}', '${name}', '${pwHash}')
And the generated sql statement looks as follows:
INSERT INTO users (email, name, password)
VALUES ('test#test.org', 'test', '$argon2id$v=19$m=8,t=1,p=1$WAw+HmO/+RZTazVr3eOnPg$HYzaB0+Cre23XGR+A1cZawrUvkon2Cx3x7ua5I68xGo ')
Besides the hash, there is some further information stored about it to help verify passwords.
I don't know why it produces all those white-spaces, but I think it is due to the fixed length of the buffer used.
My problem is that postgres, for some reason, sends me an error: invalid message format, code: '08P01'Now, that code means protocol violation, whatever that means.
The funny thing is: when I just hard code the hash as it appears in my browser or console, then it works:
INSERT INTO users (email, name, password)
VALUES ('${email}', '${name}', '$argon2id$v=19$m=8,t=1,p=1$WAw+HmO/+RZTazVr3eOnPg$HYzaB0+Cre23XGR+A1cZawrUvkon2Cx3x7ua5I68xGo ')
It doesn't seem to make a difference, if I remove the white-spaces or not.
Can anybody tell me what I am doing wrong?
Edit: I was asked if those "blanks" really are white-spaces. At least I think so, because they appear as ones in the editor and browser and copy as ones as well. I tried to manually remove them and it didn't make any difference.
I also tried to use string concatenation instead of interpolation, but it also didn't make any difference.
Instead of converting the buffer to a string first, I now store the hash as raw binary data (data-type bytea) as it is generated by sodium-native. That also makes password verification trivial. Please do follow mu is too short's advise about SQL injection.
I want to get a user_id from a table by searching for a hashed password using mysqli prepare statement.
I know how a prepared statement works eg
$query = "SELECT `colour` FROM `pallet`";
$query.=" Where `colour`=? "
$stmt = $db->prepare($query);
$stmt->bind_param('s',$colour="blue");
$stmt->execute();
$stmt->bind_result($colour);
while($stmt->fetch())
snip
So I have no problem with prepared statements but the problem is this to match my hashed password, I have to take the entered password
$input_password = crypt($password,$database_pass);
and hash it before I match. So I thought I would try something like this
$query = "SELECT `password` FROM `log`";
$query.=" Where `password`=? "
$stmt = $db->prepare($query);
$stmt->bind_param('s',crypt($password,$database_pass));
$stmt->execute();
$stmt->bind_result($colour);
Obviously this doesn't work, as I need to get $database_pass from the database before I bind it. I am trying to do it all in one go.
Before this I wasn't using a prepared table, and I was just getting the passwords and checking them afterwards in a loop, but I am hoping to improve this by doing it all in one go if possible.
I always solve something one way, and then later try to improve it, but I am having difficulty with this one.
Ok I have managed to do it a different way, but the problem with my new code is that it has to read the whole table before it can compare. I would rather do it with a where clause because then it only gets the data it needs.
Global $db;
$query = "SELECT `temp_pass`,`user_id` FROM `".$database."`.`logon`";
$stmt = $db->prepare($query);
$stmt->execute();
$stmt->bind_result($temp_pass,$user_id);
while ($stmt->fetch()) {
$input_password = crypt($password,$temp_pass);
if($input_password == $temp_pass):
return $user_id;
break;
endif;
}
One cannot search for properly salted passwords in a database, the problem is just what you discribed: to calculate a comparable password hash, you would need to get the salt first, which you can't because you cannot find the hash.
This applies to password hashes, it is another thing if you have strong tokens for password resets though. If the tokens are strong enough, you can store an unsalted hash (e.g. SHA-256), and those you can find in your database.
I have 3 queries regarding this.
I have a new Opencart site and 500+ customers to add. I've found a couple of import customer extensions, but support appears to have gone AWOL and there doesn't seem to be a working version for 1.5.5.1 so I'm looking at importing into mysql with xls files.
My queries are as follows:
Query 1:There seems to be 2 tables I need to upload: (a) Address; and (b) Customer. Are these the only tables that need changing?
Query 2:
I see the passwords are MD5 encrypted. I have passwords for all 500+ customers already - do I have to convert these passwords into MD5, or can I use un-encrypted passwords and the db do the encryption for me?
Query 3:
What do I do about the Salt field in the Customer table? Can I leave this blank?
3 x MTIA !
Query 1 : these should be enough (there are other tables like customer_ip etc but that should not cause any problem
Query 2 : database will not encrypt passwords for you
Query 3 : no you can't leave salt empty (unless you edit the password checking code, which is obviously not recommended)
so what you should do ?
for each customer first generate salt like this
$salt = substr(md5(uniqid(rand(), true)), 0, 9)
then encrypt password like this :
$password = sha1($salt . sha1($salt . sha1($password)))
then save these variables in database.
you can have look at system/library/customer.php and catalog/model/account/customer.php , to get an idea how things works