Got a question salting passwords in sql:
The code below salts a particular password by randomly generating a 10 character string:
Update Teacher
SET TeacherSalt = SUBSTRING(MD5(RAND()), -10),
TeacherPassword = SHA1(CONCAT('009b9b624aaecc4b3217dcd4bfee15ab704745d7',SUBSTRING(MD5(RAND()), -10)))
WHERE TeacherPassword = '009b9b624aaecc4b3217dcd4bfee15ab704745d7'
But what my question is that I want to change the salt so that the string it is generating comes from all of these characters:
./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
There are 63 characters. The php way of doing this is below:
$salt = "";
for ($i = 0; $i < 40; $i++) {
$salt .= substr(
"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
mt_rand(0, 63),
1);
}
But how can I write this in the sql way above?
If you really want to salt randomly than it can be done only by generating the random salt with php and encrypting the password with that salt and storing both salt key and password in two fields of the table. Table must have salt field and password field. However if you just want to use mysql to do encryption than have a look in here http://dev.mysql.com/doc/refman/5.5/en//encryption-functions.html
When we validate a user’s login credentials we follow the same process, only this time we use the salt from our database instead of generating a new random one. We add the user supplied password to it, run our hashing algorithm, then compare the result with the hash stored in that user’s profile.
The links below may give you some more ideas.
How do you securely store a user's password and salt in MySQL?
Where do you store your salt strings?
How insecure is a salted SHA1 compared to a salted SHA512
Salt Generation and open source software
I hope you got the idea now.