I'm storing the salt and password hash in separate DB fields.
Here's my code for updating the password hash and salt once a user logs in.
Code:
// LOGIN SUCCESS, RE-HASH PASSWORD AND NEW SALT
$salt = hash('sha256', uniqid( mt_rand(), true));
$pass = hash('sha256', $_POST['pass']).$salt.$pepper;
// SQL QUERY TO UPDATE STORED HASHED PASS AND SALT IN DB
$sql_query = "UPDATE `users` SET `pass`='$pass', `salt`='$salt' WHERE `user_id`='$user_id'";
$sql_result = mysql_query($sql_query);
$sql_affected_rows = mysql_affected_rows();
$sql_error_msg = mysql_error();
$sql_error_code = mysql_errno();

Code:
if ( hash('sha256', $_POST['pass']).$sql_data['salt'].$pepper === $sql_data['pass'].$sql_data['salt'].$pepper)

Do I append the salt and pepper to the password, then hash the whole lot?
Or hash the password, then add s&p to the end of the password hash?
Sorry
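
An added example, not part of the original post, comparing the construction in the post (salt and pepper appended after hashing) with one where both go into the hash. It swaps bare SHA-256 for PHP's built-in `password_hash()`/`password_verify()` plus an HMAC pepper; the pepper value, sample passwords and function names are constructed for illustration.

```php
<?php
// Added example. The pepper, passwords and function names are constructed for illustration.
$pepper = 'constructed-pepper-stored-outside-the-database';

// The construction from the post: salt and pepper are appended AFTER hashing,
// so the first 64 hex characters are always the bare SHA-256 of the password.
function post_scheme(string $password, string $salt, string $pepper): string
{
    return hash('sha256', $password) . $salt . $pepper;
}

// Pepper mixed in with HMAC, then a salted, slow hash. password_hash() creates
// the salt itself and embeds it in its output, so no separate salt column is needed.
function make_hash(string $password, string $pepper): string
{
    $peppered = hash_hmac('sha256', $password, $pepper); // 64 hex chars, under bcrypt's 72-byte limit
    return password_hash($peppered, PASSWORD_DEFAULT);
}

function check_hash(string $password, string $stored, string $pepper): bool
{
    return password_verify(hash_hmac('sha256', $password, $pepper), $stored);
}

// On a successful login, re-hash only when the stored hash uses outdated settings.
function rehash_if_needed(string $password, string $stored, string $pepper): ?string
{
    return password_needs_rehash($stored, PASSWORD_DEFAULT) ? make_hash($password, $pepper) : null;
}

function yn(bool $b): string { return $b ? 'yes' : 'no'; }

// Two users with the same password and different random salts.
$a = post_scheme('correct horse', bin2hex(random_bytes(16)), $pepper);
$b = post_scheme('correct horse', bin2hex(random_bytes(16)), $pepper);
echo 'post scheme, same leading 64 chars: ', yn(substr($a, 0, 64) === substr($b, 0, 64)), "\n";
echo 'post scheme, prefix is unsalted SHA-256: ', yn(substr($a, 0, 64) === hash('sha256', 'correct horse')), "\n";

$h1 = make_hash('correct horse', $pepper);
$h2 = make_hash('correct horse', $pepper);
echo 'salted scheme, stored values identical: ', yn($h1 === $h2), "\n";
echo 'correct password verifies: ', yn(check_hash('correct horse', $h1, $pepper)), "\n";
echo 'wrong password verifies: ', yn(check_hash('wrong horse', $h1, $pepper)), "\n";
echo 'fresh hash needs rehash: ', yn(rehash_if_needed('correct horse', $h1, $pepper) !== null), "\n";
```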