Home/ Questions/Q 6174153
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T23:42:11+00:00

Probably a very newbie question but, Ive been reading around and have found some

  • 0

Probably a very newbie question but, Ive been reading around and have found some difficulty in understanding the creation and storage of passwords. From what i’ve read md5/hash passwords are the best ways to store them in a database. However, how would I go about creating those passwords in the first place?

So say I have a login page with user bob, and password bob123
– how will I
1. get bobs password into the database to begin with (hashed)
2. how do I retrive and confirm the hashed password?

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Edit 2017/11/09: Be sure to take a look at the answer from O Jones.

    First off MD5 isn’t the greatest hashing method you could use for this try sha256 or sha512

    That said lets use hash('sha256') instead of md5() to represent the hashing part of the process.

    When you first create a username and password you will hash the raw password with some salt (some random extra characters added to each password to make them longer/stronger).

    Might look something like this coming in from the create user form:

    $escapedName = mysql_real_escape_string($_POST['name']); # use whatever escaping function your db requires this is very important.
$escapedPW = mysql_real_escape_string($_POST['password']);

# generate a random salt to use for this account
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));

$saltedPW =  $escapedPW . $salt;

$hashedPW = hash('sha256', $saltedPW);

$query = "insert into user (name, password, salt) values ('$escapedName', '$hashedPW', '$salt'); ";

    Then on login it’ll look something like this:

    $escapedName = mysql_real_escape_string($_POST['name']);
$escapedPW = mysql_real_escape_string($_POST['password']);

$saltQuery = "select salt from user where name = '$escapedName';";
$result = mysql_query($saltQuery);
# you'll want some error handling in production code :)
# see http://php.net/manual/en/function.mysql-query.php Example #2 for the general error handling template
$row = mysql_fetch_assoc($result);
$salt = $row['salt'];

$saltedPW =  $escapedPW . $salt;

$hashedPW = hash('sha256', $saltedPW);

$query = "select * from user where name = '$escapedName' and password = '$hashedPW'; ";

# if nonzero query return then successful login
    • 0