Password hash with postgres

Navigation
2

Today I am facing a new challenge, implement security password with the PASSWORD HASH encryption method, I am working with postgress and php, but browsing the network I find information from md5, which, to this day , it is not safe anymore, and for password hash I found a very good video , however it is implemented with MySql and the Actually I'm just getting into programming and I do not know how to make it functional for postgres.

If anyone knows how to achieve it or knows another way to implement this method for postgres, I would appreciate it very much.

It is worth mentioning that I am currently working with md5

HTML code 

<?php
include_once "includes/valid/validUser.php";
include_once "includes/bdConection.php";
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <head>
    <title>Login</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta charset="UTF-8">

  </head>
  <body>

    <div id="content">
      <div class="testbox">
        <h1>Inicio de sesi&oacute;n</h1><hr/>
        <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post" href="#" >
          <label id="icon" for="name"><i class="icon-user"></i></label>
          <input type="number" class="inputLogin" name="userNameLogin" placeholder="Código de Usuario" required />
          <label id="icon" for="name"><i class="icon-shield"></i></label>
          <input type="password" class="inputLogin" name="passwordLogin" value=""  placeholder="Contraseña" required/>
          <input type="submit" class= "btn btn-info  btn-responsive btninter center" id="button" name="submit" value="Ingresar"/>     
        </form> 
      </div>
    </div>
  </body>
</html>

validUser.php code 

<?php
include_once "includes/bdConection.php";

if(isset($_POST['submit'])){

        $userName=trim($_POST["userNameLogin"]);
        $password=trim($_POST["passwordLogin"]);
            $password=md5($password);
        $query = "SELECT * FROM users WHERE id_user = '$userName' AND pw = '$password';";
        $result = pg_query($conn, $query) or die('Query failed: ' . pg_last_error());
        if(pg_num_rows($result) != 1) {
          //do error stuff
          $error = "<b> Usuario o contraseña incorrectos</b>";

        }
        else 
        {

              session_start();
              $_SESSION['varname'] = $userName;
              $_SESSION['start'] = time();
              $_SESSION['expire'] = $_SESSION['start'] + (60 * 60);
              echo "Welcome " . $userName;
              header("Location: ../index.php");
              exit;
        }

    }


    echo "<p> $error </p>";
?>
    
asked by IndiraRivas 21.03.2018 в 18:29
source

2 answers

2

I told you a series of things, first:

  • you will have to use password_hash () to make the password hasheada, that is, a combination of letters and numbers as well as characters
  • The result is a string of 60 characters so you must verify your varchar field if you accept that amount
  • the password_hash () method is from PHP not from the database manager, and is available from version 5.5.0 of the same

    • This is an example 

    /*PASSWORD_BCRYPT generará un hash de 60 caracteres, por lo tanto también debes de verificar la longitud de tu campo VARCHAR que es el necesario para poder almacenar dicho valor*/
$valorHash = password_hash("AlfredoPaz", PASSWORD_BCRYPT);
echo $valorHash;

/*El valor obtenido de la operación anterior es:*/
$valorHash = '$2y$10$DicZpj8Jepva9ajp.4w8cu8i1XDP1q4pRppEZWSB1MvAhc40tsPIm';

/*ahora con la función password_verify checamos si el hash que esta almacenado coincide con lo que manda el usuario*/

if(password_verify('AlfredoPaz', $valorHash)) {
    return "Datos coincidentes";
} else {
    return "Datos no coincidentes";
}

    Already in a more synthesized way it could be like this: 

    $valorHash = password_hash("AlfredoPaz", PASSWORD_BCRYPT);
if(password_verify('AlfredoPaz', $valorHash)) {
    echo "Datos coincidentes";
} else {
    echo "Datos no coincidentes";
}
      

    I'm going to return matching data but if I add a space between   Alfredo y Paz will return unmatched data

        
    answered by 21.03.2018 в 18:57
    0

    The encryption method is PHP, not the database

    Hash example 

    echo hash('ripemd160', 'The quick brown fox jumped over the lazy dog.');

    The result would be 

    ec457d0a974c48d5685a7efa03d137dc8bbde7e3
        
    answered by 21.03.2018 в 18:36
    Prevent Chrome autocomplete form, does not work autocomplete="off" in input NotifyIcon goes crazy. VB.NET