
I'm new to PHP. I'm doing authentication, where I'm checking a password against the password stored in a PostgreSQL database. On the DB side I used this function to crypt my password:

update ucty set psswd =  crypt('some_pswd',gen_salt('md5')) where uid='1';

In my PHP script I'm using this code:

$query = "SELECT meno, priezvisko, nickname, psswd, uid 
          FROM ucty 
          where nickname='$nickname' and psswd=crypt('$password', psswd)";

Everything works fine, but I'm not sure that this is the correct way to secure my password.

Any advice?

  • You have a SQL injection vulnerability. Commented Feb 18, 2014 at 15:13

1 Answer

You're correct; this isn't the correct way to secure your password.

  • You're encrypting the password as part of the query. This can be logged (in plaintext), so it's very possible for intruders (or anyone listening to your traffic) to see users' passwords in plaintext.

    "How can I prevent this?" Do your hashing on the server-side, within your PHP code. You can read up on this in the PHP manual.

    Essentially, you want your query that sets a password to be something like this:

      UPDATE ucty SET psswd=$hashed WHERE uid=1;
    
  • You're putting variables directly into the SQL statement. You didn't mention what method you're using to query the database, but you'll want to use prepared statements. This is a safe way to slide in user-supplied data (which $nickname and $password are).

    This would be an example of a good way to use prepared statements:

      $query = "SELECT meno, priezvisko, nickname, psswd, uid"
         . " FROM ucty"
         . " WHERE nickname=? and psswd=?";
    
      $stmt = $dbh->prepare($query);
      $stmt->execute(array($nickname, $hashedPassword));
    

8 Comments

You're assuming that the connection between the PHP and the database is (a) over a network and (b) not secure, and even if that is the case the attacker will still have to have compromised the LAN the servers are on.
@Quentin - Given the question so far, is that not a safe or reasonable assumption? And in either case the PostgreSQL log could have the plaintext log.
Actually I agree with your answer, but the verification cannot be done with such a query, because of the salt. Instead the password hash can be retrieved with something like SELECT psswd FROM ucty WHERE nickname=? and then you can verify the result with password_verify().
@martinstoeckli Ah right, because you'd probably be storing the salt in the database as well.
@ChrisForrence - Yes, the salt is part of the resulting hash-value if you use the password_hash() function.
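Putting the answer and the comment thread together, here is an added example (not code from the question or the answer) of the full flow: hash on the PHP side with password_hash(), store and look up with prepared statements, and verify with password_verify(). It assumes a PDO connection to the PostgreSQL database and the table and columns from the question (ucty with uid, nickname, psswd, meno, priezvisko); the DSN and credentials in the usage comment are placeholders.

```php
<?php
// Added example, not from the question or the answer. Assumes $dbh is a PDO
// connection to the PostgreSQL database and the table "ucty" from the question.

function setPassword(PDO $dbh, int $uid, string $plain): void
{
    // password_hash() picks a random salt and embeds it in the returned string,
    // so only the hash is stored. The plaintext never reaches the database or
    // its statement log, and the bound parameter cannot alter the SQL.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $dbh->prepare('UPDATE ucty SET psswd = :h WHERE uid = :uid');
    $stmt->execute([':h' => $hash, ':uid' => $uid]);
}

function authenticate(PDO $dbh, string $nickname, string $plain): ?array
{
    // Look the user up by nickname only: the password cannot be part of the
    // WHERE clause because each stored hash carries its own salt.
    $stmt = $dbh->prepare(
        'SELECT uid, meno, priezvisko, nickname, psswd FROM ucty WHERE nickname = :n'
    );
    $stmt->execute([':n' => $nickname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() understands any crypt()-format hash, so rows that were
    // hashed in PostgreSQL with crypt(..., gen_salt('md5')) still verify here.
    if ($row === false || !password_verify($plain, $row['psswd'])) {
        return null;                       // unknown nickname or wrong password
    }

    // Old md5-crypt hashes (and any hash made with an outdated cost) are
    // upgraded to the current default on the next successful login.
    if (password_needs_rehash($row['psswd'], PASSWORD_DEFAULT)) {
        setPassword($dbh, (int) $row['uid'], $plain);
    }

    unset($row['psswd']);                  // never hand the hash to the caller
    return $row;
}

// Usage (placeholder DSN and credentials):
// $dbh = new PDO('pgsql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// setPassword($dbh, 1, 'some_pswd');
// $user = authenticate($dbh, 'alice', 'some_pswd'); // array on success, null otherwise
```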
