
My problem is in the login page: when the user logs in I get this error saying the sha256 function is not implemented in MySQL. Is there something wrong with my code, or is SHA2 not supported anymore? Is there another way to hash passwords in MySQL?

Warning: hash(): Unknown hashing algorithm: sha2

create_account.php

    // create account: the hash is computed by MySQL's SHA2() with a 224-bit
    // digest, so the PHP side must produce the same SHA-224 hex digest
    // (hash('sha224', ...)) for a later comparison to match.
    // Note: values are interpolated straight into the SQL string.
    $query = "INSERT INTO mytable (username,fname,lname,country,age,gender,password)
        VALUES ('$username','$fname','$lname','$country','$age','$gender',SHA2('$password', 224))";

login.php

    // check if password matches
    // This is the call that raises "Unknown hashing algorithm: sha2":
    // hash() needs a concrete algorithm name such as 'sha224' or 'sha256';
    // 'sha2' is the name of the family, not of an algorithm.
    $hased_password = hash("sha2", $password);
    $hased_password = mysqli_real_escape_string($conn, $hased_password);

    // The hash comparison is done by MySQL in the WHERE clause, not in PHP;
    // $username is interpolated without escaping.
    $query = mysqli_query($conn, "SELECT * FROM mytable WHERE password = '$hased_password' AND username = '$username'");

    $rows = mysqli_num_rows($query);
    if ($rows == 1) {
        $_SESSION['username'] = $username;
        $_SESSION['fname'] = $fname;
        header("location: userPage.php");
    } else {
        $error = "username or password is invalid";
    }
    mysqli_close($conn);
  • I would suggest using PHP's password_hash() and password_verify() to manage passwords. Commented May 20, 2016 at 18:59
  • What about using hash("sha2", $password); before inserting record and pass the hash to the insert statement? Commented May 20, 2016 at 19:00
  • Also, sha2 isn't a hashing algorithm, it's a family of algorithms. You need to pick something like sha256, sha512, etc and make sure you use the same bit length in both PHP and MySQL. Commented May 20, 2016 at 19:01
  • @RocketHazmat oh I see, sha256 and sha512 are not supported. I will try your suggestion. Commented May 20, 2016 at 19:14
  • Too bad my Stack Overflow account is in the penalty box. I have not been able to ask questions since I had about 400 points! But I'm glad to help where I can. They tell me that if I get enough points, I can get out of the penalty box. Commented May 20, 2016 at 19:28

1 Answer


I give the following answer with the best of intentions.

. . .

I would direct your attention here: PHP: Password Hashing Functions

and ...

I would direct your attention here: PHP Manual: PDO Prepared Statements

My advice would be to use nothing less than Blowfish for hashing your passwords. Also, you need to be conscious of timing attacks. Hence, just letting the database tell you whether or not a hashed password matches is an answer, but it is a poor answer, as failed attempts that are close can be measured in micro-seconds (especially since the Internet / network lies between the attacker and your system). The longer it takes to get the result back, the closer the attacking system knows (assumes) it is to having the correct hash.

(Remember, a string comparison goes character by character. It does not matter what the contents of the string are).

Attacks during an off peak time might yield the best results.

Use PDO prepared statements.

Use password_verify, inside the business logic layer, to determine if the hashes match. Only use the database to retrieve a hash. Don't do business logic tasks at the data layer. Do not rely on a count of records. That is a shortcut.
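As an added example (not code from the question or the answer), this is the pattern the answer describes: PDO prepared statements, password_hash() with PASSWORD_BCRYPT (Blowfish-based), and password_verify() in PHP with the database used only to fetch the stored hash by username. The SQLite in-memory DSN, the cost value and the filler password are assumptions so it runs offline.

```php
<?php
// Added example, not the asker's or answerer's code: account creation and
// login the way the answer recommends. Uses an in-memory SQLite database so
// it runs offline; in real use swap the DSN for your MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (username TEXT PRIMARY KEY, fname TEXT NOT NULL, password TEXT NOT NULL)');

const BCRYPT_OPTIONS = ['cost' => 12];   // assumed cost; raise as hardware allows
// Hash of a constructed filler password, verified against when the username
// does not exist so that unknown users do not answer measurably faster.
define('DUMMY_HASH', password_hash('filler-password-not-a-real-one', PASSWORD_BCRYPT, BCRYPT_OPTIONS));

function createAccount(PDO $pdo, string $username, string $fname, string $password): void
{
    // password_hash() picks a random salt and embeds salt, algorithm and
    // cost in the string it returns, so only that string needs storing.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO mytable (username, fname, password) VALUES (:u, :f, :p)');
    $stmt->execute([':u' => $username, ':f' => $fname, ':p' => $hash]);
}

function login(PDO $pdo, string $username, string $password): ?array
{
    // The database only fetches the row; the password never appears in the
    // query and the comparison is done by password_verify() in PHP.
    $stmt = $pdo->prepare('SELECT username, fname, password FROM mytable WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = $row ? $row['password'] : DUMMY_HASH;
    $ok = password_verify($password, $stored);   // constant-time comparison
    if (!$ok || !$row) {
        return null;
    }
    // Re-hash transparently if the cost parameter has been raised since.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $upd = $pdo->prepare('UPDATE mytable SET password = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS), ':u' => $username]);
    }
    return ['username' => $row['username'], 'fname' => $row['fname']];
}

// Constructed demo values: one good login, one wrong password, one unknown user.
createAccount($pdo, 'alice', 'Alice', 'correct horse battery staple');
var_dump(login($pdo, 'alice', 'correct horse battery staple') !== null);
var_dump(login($pdo, 'alice', 'wrong password') === null);
var_dump(login($pdo, 'nobody', 'anything') === null);
```

The session variables from login.php would be set from the array login() returns, after the null check, rather than from a row count.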
