
How can I add a salt to my current hash password when a user registers. And how should I store to my password in My MySQL database?

Here is my PHP code so far.

if ($_POST['password1'] == $_POST['password2']) {
    $sha512 = hash('sha512', $_POST['password1']);
    $password = mysqli_real_escape_string($mysqli, $purifier->purify(strip_tags($sha512)));
} else {
    $password = NULL;
}
  • Can you elaborate on the "how to store" part? Do you mean how to insert it into the database, or what database schema you need? Commented Sep 29, 2010 at 1:35
  • I was wondering if there was any special way needed to insert it into the MySQL database? Commented Sep 29, 2010 at 1:38
  • It's just a string, handle it like any other text. Commented Sep 29, 2010 at 1:48

4 Answers

$salt = 'my-secret-salt-92h3nc29378ry293';

...

$sha512 = hash('sha512', $salt . $_POST['password1']);
$password = mysqli_real_escape_string($mysqli, $sha512);

To salt a password you simply concatenate it with another string (the salt) before hashing it. You also don't need to purify and exorcize the hashed password like you did, a hash won't contain anything bad.

You can use one salt for all passwords, which you should store somewhere centrally in your app. Alternatively, create a random salt for each password and save it alongside the hashed password in the database.


$mysqli = mysqli_connect('host', 'user', 'password', 'database'); // the connection the snippet below escapes against
if ($_POST['password1'] == $_POST['password2']) {
    $sha512 = hash('sha512', $_POST['password1']."salt"); //<-------------------- salt appended before hashing
    $password = mysqli_real_escape_string($mysqli, $purifier->purify(strip_tags($sha512)));
} else {
    $password = NULL;
}
// vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
if ($password !== NULL) {
    $user = mysqli_real_escape_string($mysqli, $_POST['user']); // escape the username too, or it can alter the query
    // UPDATE (not UPDATES); string values must be quoted inside the SQL
    mysqli_query($mysqli, "UPDATE user_table SET pass='$password' WHERE user='$user'");
}
mysqli_close($mysqli);

1 Comment

@snag A "salt" just refers to anything that is added before or after the password prior to being hashed, giving it a different hashed string. In this case I used the string "salt" for my salt. You can use anything you want, but make sure it's a salt that you can use again when comparing the password or you'll never be able to log in! (setting a constant salt is usually recommended. Some people use the username or other parameters as a salt)

You can use algorithms like:

sha512($password.$salt) or sha512(sha512($password.$salt)). It's up to you how the salt is generated, as long as it is stored alongside the password hash in the database.



I like to store the salt with the password hash in the database and compute it like this:

$salt = "Su0";
$password = "mypassword0111";
$hash = md5(md5($password) . $salt);

Then when you login a user:

$sql = "SELECT * FROM user_table WHERE username = '...
//do db lookup, which gives $hash_from_db and $salt_from_db for that user
$hash = md5(md5($password_from_user_login) . $salt_from_db);
if ($hash === $hash_from_db) {   // === (comparison), not = (assignment)
  $userloggedin = true;
}

Or something like that

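The first answer describes the two salting options and the last answer sketches the login-side check; the example below, which is added here and is not code from the question or any of the answers, carries both through in one place: a random per-user salt, SHA-512 over salt + password exactly as the first answer concatenates them, the salt stored in its own column next to the hash, and prepared statements for the INSERT and SELECT so nothing needs mysqli_real_escape_string or a purifier. The `salt` column, the connection parameters and the function names `salted_hash`, `register_user` and `check_login` are assumptions of this example; `user_table` and `username` are the names the answers use.

```php
<?php
// Added example, not from the original thread.
// Assumed schema (not on the page):
//   CREATE TABLE user_table (
//     username VARCHAR(64) PRIMARY KEY,
//     pass     CHAR(128) NOT NULL,   -- hex SHA-512 digest
//     salt     CHAR(32)  NOT NULL    -- 16 random bytes, hex-encoded
//   );

// Derive the stored digest from a salt and a password. Registration and login
// both go through this one function, so the two sides can never disagree on
// the salt position or the algorithm.
function salted_hash(string $saltHex, string $password): string
{
    // Salt prepended, as in the first answer; the order only has to be the
    // same on both sides.
    return hash('sha512', $saltHex . $password);
}

// Registration: a fresh salt for this user, never shared with another row.
function register_user(mysqli $db, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16));          // 128 bits from the OS CSPRNG
    $hash = salted_hash($salt, $password);

    // Prepared statement: the values travel separately from the SQL text, so
    // neither the hash nor the username can break out of the query.
    $stmt = $db->prepare('INSERT INTO user_table (username, pass, salt) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $hash, $salt);
    $stmt->execute();
    $stmt->close();
}

// Login: fetch this user's salt and hash, recompute, compare in constant time.
function check_login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass, salt FROM user_table WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash, $storedSalt);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: still spend a hash so the response time does not
        // reveal which usernames exist.
        salted_hash(str_repeat('0', 32), $password);
        return false;
    }

    // hash_equals() rather than ==: == is not constant-time, and a single =
    // (as in the last answer's check) is an assignment, not a comparison.
    return hash_equals($storedHash, salted_hash($storedSalt, $password));
}

// Usage; connection parameters are placeholders.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
$db->set_charset('utf8mb4');

if ($_POST['password1'] === $_POST['password2']) {
    register_user($db, $_POST['user'], $_POST['password1']);
}
var_dump(check_login($db, $_POST['user'], $_POST['password1']));
```

A per-user salt only stops precomputed (rainbow-table) attacks and makes two users with the same password hash differently; a single SHA-512 is still fast enough that each stored hash can be brute-forced on its own. On PHP 5.5 or later the built-in `password_hash()` / `password_verify()` pair generates the salt, uses a deliberately slow algorithm (bcrypt by default) and stores the salt inside the returned string, so the whole thing fits in one column with no hand-rolled hashing.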
