Revision as of 20:29, 18 September 2021

== Introduction ==
Some of my database code is shown here.

== Establishing connection to the server ==
Store the database password in a secure place, that is outside the www folder (the web server's document root), so that a misconfiguration or a path traversal bug can never serve it to clients. PHP can still read the file from there: the restriction is on what the web server serves, not on what the PHP process may open.

== Log a user ==
Use an SSL/TLS connection (HTTPS) for the login form, so the password is never transmitted in the clear. Hash and salt the stored password with PHP's [https://www.php.net/manual/en/ref.password.php password hashing functions], mainly <syntaxhighlight inline>password_hash</syntaxhighlight> together with <syntaxhighlight inline>password_verify</syntaxhighlight>. <syntaxhighlight inline>password_hash</syntaxhighlight> generates a random salt itself and embeds the algorithm, cost and salt in the string it returns, so only that one string has to be stored per user.

Check the database for the username. If it exists, fetch the stored password hash and verify the password the user entered against it with <syntaxhighlight inline>password_verify</syntaxhighlight>. The user's input is passed as plaintext, not hashed first: the salt and cost needed to recompute the hash are read from the stored string. The steps are:

# Fetch the password hash from the database where the username equals the inputted username (with a prepared statement, never by concatenating the input into the query).
# If a row is found, the user exists.
# Compare the inputted password against the hash stored in the database with <syntaxhighlight inline>password_verify</syntaxhighlight>.

Return the same generic error for an unknown username and for a wrong password; otherwise the login form tells an attacker which usernames exist.

PHP's [https://www.php.net/manual/en/function.hash.php hash function] includes multiple algorithms, and ''the well known hash functions MD5 and SHA1 should be avoided in new applications. . . It is rather safe to assume that the SHA2 family with its most prominent members SHA-256 and SHA-512, is better than SHA1. . . it is a good idea to prefix a salt to the password before hashing, to avoid the same passwords hashing to the same values and to avoid the use of rainbow tables for password recovery.''

''The salt should be a random string with at least as many variable bits as there are bits in the hash result. In the user database, store the username, the randomly generated salt for that user, and the result of hashing the salt-password string. Access authentication is then done by looking up the entry for the user, calculating the hash of the salt found in the database and the password provided by the user, and comparing the result with the one stored in the database.''

That advice describes salting a general-purpose hash such as SHA-256 by hand. For passwords, prefer <syntaxhighlight inline>password_hash</syntaxhighlight>: it does the salting for you and uses a deliberately slow algorithm (bcrypt by default, Argon2 where PHP is built with it), whereas a single salted SHA-256 is fast enough that a leaked table can still be brute-forced at high speed.

A related tutorial on a PDO login page with a remember-me option: https://makitweb.com/login-page-with-remember-me-using-pdo-and-php/
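The following is an added example, not the wiki author's code, that puts the two sections above together: the database credentials are read from a file outside the document root, and the login runs the three steps with <syntaxhighlight inline>password_hash</syntaxhighlight> / <syntaxhighlight inline>password_verify</syntaxhighlight>. It assumes a hypothetical table <syntaxhighlight inline>users(id, username, password_hash)</syntaxhighlight> and a hypothetical credentials file <syntaxhighlight inline>/etc/myapp/db.php</syntaxhighlight> that returns an array with <syntaxhighlight inline>dsn</syntaxhighlight>, <syntaxhighlight inline>user</syntaxhighlight> and <syntaxhighlight inline>pass</syntaxhighlight> keys; the function names are my own.

```php
<?php
// Added example (not the wiki author's code). Assumed schema:
//   users(id INT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
// Assumed credentials file (hypothetical path, outside the web root):
//   /etc/myapp/db.php  ->  return ['dsn' => 'mysql:host=...;dbname=...', 'user' => '...', 'pass' => '...'];
declare(strict_types=1);

function connect(string $credentialsFile = '/etc/myapp/db.php'): PDO
{
    // The credentials file lives outside the document root, so the web server
    // can never serve it, but the PHP process can still read it.
    $cfg = require $credentialsFile;
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash picks the algorithm (bcrypt for PASSWORD_DEFAULT), generates a
    // random salt and embeds algorithm, cost and salt in the returned string, so a
    // single column holds everything password_verify needs later.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// A valid hash of an unguessable value. It is verified when the username does not
// exist, so that "no such user" and "wrong password" take about the same time.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
    }
    return $hash;
}

// Returns the user id on success, null on any failure.
function loginUser(PDO $db, string $username, string $password): ?int
{
    // Step 1: fetch the stored hash for this username. The value is bound as a
    // parameter, never interpolated into the SQL string.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();

    // Step 2: no row means no such user. Still run password_verify against a dummy
    // hash so the response time does not reveal which usernames exist.
    $storedHash = ($row !== false) ? $row['password_hash'] : dummyHash();

    // Step 3: compare the submitted plaintext password against the stored hash.
    // password_verify re-derives the hash with the salt and cost embedded in
    // $storedHash and compares in constant time; the caller never hashes the input.
    $ok = password_verify($password, $storedHash);
    if ($row === false || !$ok) {
        return null;   // one generic failure for "unknown user" and "wrong password"
    }

    // Step 4: if the stored hash uses an older algorithm or cost, upgrade it now,
    // while the plaintext is available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Usage from a login handler (HTTPS enforcement, CSRF token and session setup are
// outside this example):
// $db     = connect();
// $userId = loginUser($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($userId === null) {
//     http_response_code(401);
//     exit('Invalid username or password');   // same message for both failure causes
// }
```

The one generic failure message and the dummy-hash verification are what stop the login form from acting as a username oracle; the <syntaxhighlight inline>password_needs_rehash</syntaxhighlight> step is what lets you raise the bcrypt cost later without forcing every user to reset their password.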