How do I use password hashing with PDO to make my code more secure? [closed]

mysql security php pdo password-hash

My code is actually working but it's not at all secure, I don't want to use MD5 as it's not all that secure. I've been looking up password hashing but I'm not sure how I would incorporate it into my code.

Login:

require_once __DIR__.'/config.php';
session_start();

$dbh = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_USERNAME, DB_USERNAME, DB_PASSWORD);

$sql = "SELECT * FROM users WHERE username = :u AND password = :p";
$query = $dbh->prepare($sql); // prepare
$params = array(":u" => $_POST['username'], ":p" => $_POST['password']);
$query->execute($params); // execute

$results = $query->fetchAll(); // then fetch


//hash passwords pls

if (count($results) > 0 ){
$firstrow = $results[0];
$_SESSION['username'] = $firstrow['username'];
echo "Hello $username you have successfully logged in";
//header ("location:.php");
}
else{
echo "Login Has Failed";
return;
}

Register:

$dbh = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_USERNAME, DB_USERNAME, DB_PASSWORD);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];

$stmt = $dbh->prepare("insert into users set username='".$username."', email='".$email."', password='".$password."' ");
$stmt->execute();
echo "<p>Thank you, you are registered</p>";

Could anyone show me how to incorporate it into the code I have?


Solution 1:

Just use a library. Seriously. They exist for a reason.

  • PHP 5.5+: use password_hash()
  • PHP 5.3.7+: use password-compat (a compatibility pack for above)
  • All others: use phpass

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And on login:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
    if (password_verify($_POST['password'], $users[0]->password) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}

Solution 2:

About making your code more secure:

  • You should ALWAYS validate user entries, even from a POST method which can be changed by using firebug before submitting the form. As you are inserting the user input in a query, it's much more important.

About your question in general

As I advised you in the comment, use PHPass or already made APIs which will do the job for you.

You'll hash the username, pass and salt at account creation time and insert the hash in the database.

At authentication time, you'll regenerate a hash with the given login + password input and the information you added to generate the salt.

If both generated hashes match, then the user is authenticated.

EDIT: Yes password_hash is good also.

Related

jqGrid paging question
How to wire one pane to another
When should I use MySQLi instead of MySQL?
Is it possible to send PushNotifications, using Firebase Cloud Messaging (FCM) to special UDID, directly from device?
How to convert variable with mixed date formats to one format?
Python analog of PHP's natsort function (sort a list using a "natural order" algorithm) [duplicate]
Getting ServiceStack to retain type information
The plugin generated X characters of unexpected output during activation (WordPress)
Java comparison with == of two strings is false? [duplicate]
How to convert an array of objects to object with key value pairs
Access a JavaScript variable from PHP
MySQL - Trigger for updating same table after insert