PHP security sha2: &$salt = null??

lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

PHP security sha2: &$salt = null??

Post by lauthiamkok »

Hi,

I am now creating a sha2 login form. After researching and asking for help online, I find the example code from the link below quite useful and practical (I hope I am right!??). The only thing I don't understand is the way this programmer wrote the function and gets the salt value from the function.

http://hungred.com/useful-information/p ... -password/

Code:

    define('SALT_LENGTH', 15);

    // $salt is taken by reference, so the value set here is visible to the caller.
    function HashMe($phrase, &$salt = null)
    {
        $pepper = '!@#$%^&*()_+=-{}][;";/?<>.,';

        // No salt supplied (null or empty string): generate a new one.
        if ($salt == '')
        {
            $salt = substr(hash('sha512',uniqid(rand(), true).$pepper.microtime()), 0, SALT_LENGTH);
        }
        else
        {
            $salt = substr($salt, 0, SALT_LENGTH);
        }

        return hash('sha512',$salt . $pepper .  $phrase);
    }

What is the difference if I change the function to this?

Code:

    function HashMe($phrase, $salt) {..}

Of course this function will fail. What is the '&' before $salt for? Is it necessary to have 'null' like this: &$salt = null? What if I put '&$salt'?

And then, to get the salt value, you can just get it straight and put it in the SQL query like below,

Code:

    $username = cleanMe($_POST['username']);
    $password = cleanMe($_POST['password']);
    $salt = '';
    $hashed_password = HashMe($password, $salt);
    $sqlquery = 'INSERT INTO  `usertable` ("username", "password", "salt") VALUES  ("'.$username.'", "'.$hashed_password .'", "'.$salt.'") WHERE 1';
    ..

How can I get the salt value from the function like this below before preparing the SQL query,

Code:

    $salt = "'".salt."'";
    $username = "'".$username."'";
    $hashed_password = "'".$hashed_password."'";

then,

Code:

    $sqlquery = 'INSERT INTO  `usertable` ("username", "password", "salt") VALUES  ($username, $hashed_password, $salt) WHERE 1';

The reason I don't like/want to have this "'" in my SQL query is that I sometimes have a null value, like $firstname = 'NULL';, and I want the row to 'tick' the empty field as null if the firstname is empty/null.

Besides, having "'" in my SQL query makes me dizzy and makes it difficult to debug when things go wrong...

Sorry, I have lots of questions in this thread!

Thanks.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: PHP security sha2: &$salt = null??

Post by requinix »

Passing [variables] by Reference
Default argument values

What were the other questions? I only saw two question marks in your post.
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP security sha2: &$salt = null??

Post by lauthiamkok »

Thanks for these links! :D
tasairis wrote:
What were the other questions? I only saw two question marks in your post.
Sorry for my bad English! :oops:

How can I get the salt value from the function like this below before preparing the SQL query?

Code:

    $salt = "'".salt."'";
    $username = "'".$username."'";
    $hashed_password = "'".$hashed_password."'";

then,

Code:

    $sqlquery = 'INSERT INTO  usertable (username, password, salt) VALUES  ($username, $hashed_password, $salt) WHERE 1';

If I do this, the salt column in my database will always get this word - salt, but not the value generated from the function.

If I compare it with the original,

Code:

    $sqlquery = 'INSERT INTO  `usertable` ("username", "password", "salt") VALUES  ("'.$username.'", "'.$hashed_password .'", "'.$salt.'") WHERE 1';

Having "'" (double quote or single quote) in my SQL query makes me dizzy and makes it difficult to debug when things go wrong.

Thanks :)
lauthiamkok
Forum Contributor
Posts: 153
Joined: Wed Apr 01, 2009 2:23 pm
Location: Plymouth, United Kingdom

Re: PHP security sha2: &$salt = null??

Post by lauthiamkok »

I found out what was wrong -

Code:

    $salt = "'".salt."'";

:banghead:

Should be -

Code:

    $salt = "'".$salt."'";

lol

Thanks! :D
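
The two points raised in this thread (the by-reference `&$salt = null` parameter, and inserting values, including NULL, without hand-written quotes), shown as an added example that is not part of the original posts or the linked article. It assumes PDO with the SQLite driver; `hashWithSalt`, the `firstname` column, the pepper and the sample input are constructed for illustration, and `random_bytes()` is swapped in for the thread's `uniqid(rand())` salt source.

```php
<?php
// Added example. hashWithSalt, the table layout and all sample values are assumptions.
const SALT_LENGTH = 15;
const PEPPER = 'constructed-sample-pepper'; // placeholder, not a real secret

// The & makes $salt an alias of the caller's variable, so a salt generated
// here is still set in the caller afterwards. "= null" makes the argument optional.
function hashWithSalt(string $phrase, ?string &$salt = null): string
{
    if ($salt === null || $salt === '') {
        // random_bytes() replaces the thread's uniqid(rand()) salt source.
        $salt = substr(bin2hex(random_bytes(16)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return hash('sha512', $salt . PEPPER . $phrase);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE usertable (username TEXT, firstname TEXT, password TEXT, salt TEXT)');

// Constructed sample input standing in for the $_POST values.
$username  = 'alice';
$firstname = '';               // empty form field
$password  = 'correct horse';

$salt = '';
$hashed = hashWithSalt($password, $salt);   // $salt now holds the generated value

// Placeholders: no manual "'" quoting, and a PHP null is stored as SQL NULL.
$stmt = $pdo->prepare(
    'INSERT INTO usertable (username, firstname, password, salt) VALUES (?, ?, ?, ?)'
);
$stmt->execute([$username, $firstname === '' ? null : $firstname, $hashed, $salt]);

// Read the row back and re-check the password with the stored salt.
$row = $pdo->query('SELECT * FROM usertable')->fetch(PDO::FETCH_ASSOC);
var_dump(strlen($row['salt']) === SALT_LENGTH);
var_dump($row['firstname'] === null);
var_dump(hash_equals($row['password'], hashWithSalt($password, $row['salt'])));
```

Because the values travel as bound parameters rather than as text spliced into the statement, the quoting problem from the posts above does not arise and user input cannot change the structure of the query.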