php - Salts: Hashed or plain text?


I want to store a (random) salt next to the password in the database. Now, the question is:

Should I store it hashed or in plain text? Is there a difference (more security, faster)? How much effort should I put into creating the random string?

Sample code:

    //creating a random salt
    $saltchars = "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+,-./:;<=>?@[]^_`{|}~";
    $salt = uniqid(rand(), true).str_shuffle($saltchars);
    // or should the salt be hashed (md5 or sha512 for more security)?
    // $salt = hash('sha512', uniqid(rand(), true).$staticsalt.str_shuffle($saltchars));

    //create the user (with salt & pepper)
    // note: $id is interpolated into the SQL string unescaped, and the mysql_* functions
    // were removed in PHP 7 (use mysqli or PDO with bound parameters instead)
    $sqlquery = "insert into users (user, password, salt) values('$id','".hash('sha512', $staticsalt.$accesskey.$salt)."','".$salt."');";
    $sqlresult = mysql_query($sqlquery);

For the record: the login script

    //fetch the stored salt for this user
    $sqlquery = "select salt from users where user='$id';";
    $sqlresult = mysql_query($sqlquery);
    if (mysql_num_rows($sqlresult) == 1) {
        $salt = mysql_fetch_array($sqlresult);

        //check if the password is correct: recompute the hash with the stored salt
        // (same caveat as above: $id goes into the query unescaped)
        $sqlquery = "select * from users where user='$id' and password='".hash('sha512', $staticsalt.$accesskey.$salt[0])."'";
        $sqlresult = mysql_query($sqlquery);
        unset($accesskey, $salt);

        //check whether the query was successful or not
        if ($sqlresult) {
            if (mysql_num_rows($sqlresult) == 1) {
                echo 'login successful';
            } else {
                die('error: wrong user id/password');
            }
        }
    }

I know there are many, many websites out there discussing the pros & cons of salts. But nobody answers whether the salt should be encrypted or not, and nobody shows how to code a login script with random (!) salts (saved in the database, as I did).

So, as a PHP beginner, I have no idea whether the code is secure or not, or whether there are tricks to make it faster or more streamlined... Thanks!

Since you need the salt to compute the password hash in the login script, you can't store a hash of the salt: hashing is an irreversible operation, i.e. the original salt would be lost.

So I'm presuming you're asking whether hashing the original salt, obtained by picking a random string, yields a better salt. In that case the use of a hashing function has nothing to do with 'hashing'; it is just a way to generate a longer, seemingly more random sequence. It makes absolutely no sense, however, because the hashed salt would still need to be stored in the database - in plaintext, if you will!
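The following is an added example, not code from the question or the answer above. It shows the point of the answer in working PHP: a per-user salt drawn from the CSPRNG and stored in plain text next to the hash (the same `sha512(pepper . password . salt)` construction the question uses), and a login check that reads the salt back and recomputes. It assumes PHP 7 or later (`random_bytes`, `hash_equals`) and the `pdo_sqlite` extension for an in-memory demo database; the pepper value, table name and sample user are placeholders. The last lines show why hashing the salt buys nothing: `hash('sha512', $salt)` is a deterministic function of the salt, so it carries no more randomness than the salt itself and still has to be stored.

```php
<?php
// Added example (not from the question or the answer): random per-user salts
// stored in plain text next to the SHA-512 hash, plus the matching login check.
// Assumptions: PHP 7+ (random_bytes, hash_equals) and pdo_sqlite for the demo DB.
declare(strict_types=1);

// Application-wide pepper. Assumption: loaded from config outside the database,
// so a dumped users table alone is not enough to verify guesses.
const PEPPER = 'application-wide-secret-kept-outside-the-database';

// 16 bytes from the CSPRNG, hex-encoded so the value is safe to store as text.
function newSalt(): string
{
    return bin2hex(random_bytes(16));
}

// Same construction as the question: sha512(pepper . password . salt).
function hashPassword(string $password, string $salt): string
{
    return hash('sha512', PEPPER . $password . $salt);
}

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT NOT NULL, salt TEXT NOT NULL)');
}

// The salt is stored as-is: the login script needs the original value back.
// Bound parameters replace the string interpolation from the question.
function registerUser(PDO $db, string $user, string $password): void
{
    $salt = newSalt();
    $stmt = $db->prepare('INSERT INTO users (user, password, salt) VALUES (:user, :password, :salt)');
    $stmt->execute([
        ':user'     => $user,
        ':password' => hashPassword($password, $salt),
        ':salt'     => $salt,
    ]);
}

// Fetch hash and salt in one query, recompute with the stored salt, and compare
// in constant time instead of letting the database do the comparison.
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password, salt FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return hash_equals($row['password'], hashPassword($password, $row['salt']));
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
createSchema($db);
registerUser($db, 'alice', 'correct horse battery staple');

var_dump(login($db, 'alice', 'correct horse battery staple')); // correct password
var_dump(login($db, 'alice', 'wrong password'));               // wrong password
var_dump(login($db, "alice' OR '1'='1", 'x'));                 // injection attempt is just an unknown user name

// Why hashing the salt adds nothing: the digest is a fixed-length, deterministic
// function of the 16 random bytes, so it has no more entropy than the salt and
// would have to be stored in the table just the same.
$salt = newSalt();
var_dump(strlen($salt), strlen(hash('sha512', $salt)));
var_dump(hash('sha512', $salt) === hash('sha512', $salt));
```

Run it with `php example.php`. One caveat beyond the question: a single SHA-512 round is fast, which favours an attacker who has the table; in current PHP, `password_hash()` and `password_verify()` generate and store the salt for you and use a deliberately slow algorithm (bcrypt by default), so for new code they are the better choice.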

