How do I insert a hash password into the database?

Question

How will I be able to insert the hashed password into the database instead of cleartext?

(I have tried replacing the '?' with 'SHA2('?',256')').

Do include some explanation also, thanks!

$query= $con->prepare("INSERT INTO `useracct` (`email`, `password`, `name`) VALUES (?,?)");
$email = $_POST["email"];
$psswd = $_POST["passd"];
$name = $_POST["name"];

$query->bind_param('bb', $email, $psswd, $name);
if ($query->execute()) {
  echo "Query executed.";
}else{
  echo "Query error.";
}

Answer 1

You may try:

$query= $con->prepare("INSERT INTO `useracct` (`email`, `password`, `name`) VALUES (?,?,?)");
$email = $_POST["email"];
$psswd = PASSWORD_HASH($_POST["passd"], PASSWORD_DEFAULT);
$name = $_POST["name"];

$query->bind_param('bbb', $email, $psswd, $name);
if ($query->execute()) {
  echo "Query executed.";
} else{
  echo "Query error.";
}

I have used PHP's PASSWORD_HASH function to hash the password and this function is supported in PHP 5.5 and later. More info here: http://php.net/manual/en/ref.password.php

Another way of hashing the password is crypt() function of PHP which is supported since PHP 4. More info can be found here: http://php.net/manual/en/function.crypt.php

Answer 2

Replace below

$query->bind_param('bb', $email, $psswd, $name);

to

$query->bind_param('bbb', $email, $psswd, $name);

Since you are using three variables, you should use three datatypes also.

Answer 3

$query= $con->prepare("INSERT INTO `useracct` (`email`, `password`, `name`) VALUES (?,?,?)"); //missing one parameter here
$email = $_POST["email"];
$psswd = $_POST["passd"]; 
$hash = password_hash($password, PASSWORD_DEFAULT); 
$name = $_POST["name"];
$query->execute([$email, $hash, $name]);

Answer 4

Use PASSWORD_HASH for hasing

$query= $con->prepare("INSERT INTO `useracct` (`email`, `password`, `name`) VALUES (?,?,?)");
$email = $_POST["email"];
$psswd = $_POST["passd"];
$name = $_POST["name"];

$query->bind_param('bbb', $email, PASSWORD_HASH($psswd, PASSWORD_DEFAULT), $name);
if ($query->execute()) {
  echo "Query executed.";
}else{
  echo "Query error.";
}

For verification use

// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

Answer 5

$psswd = $_POST["passd"];
$psswd1 =password_hash("passwd");

use like this and in query use $psswd1 instead of $psswd

Answer 6

There are multiple answers on this, but I feel they cover the how , but not why . I will try to leave out details about database handlers or encryption functions, as they change over time.

The main point that the other answers demonstrate is that you want to create the hash in PHP, not in MySQL. The reason for this being if you create hash in MySQL, then PHP needs to send clear text password to MySQL, and this is just another vector that could be exploited by an attacker.

Then you save password as any other string. There are multiple ways to hash a password, and usually you would want to store hashed password and a salt.

For example:

$salt = bin2hex(random_bytes(16));
$passwordHash = sha1('123456' . $salt);

Then your query would read something like:

INSERT INTO ... (..., password, salt) VALUES (..., $passwordHash, $salt)

This helps against finding out the password when the attacker knows hash of the password; the problem with storing plain hashes is it is susceptible to rainbow table attacks , where common strings are already mapped to their hashes, so it is possible to search the original string by its hash.

Edit: See Jay Blanchard's comment for a more up to date method using functions built in to PHP as of 5.5.