
Password Hashing

I have a registration form where the input data is written into the database. The password 'pw' will be hashed with BCRYPT; this works correctly with this code:

$pwHash = pw_hash($pw, PASSWORD_BCRYPT, array('cost' => 10));

Problem:

When I want to update the data it will not work. The code below writes the data without encryption into the database.

How can I make the password encrypted?

Can anyone help me out here?

<?php
include_once 'dbcon.php';
$id = $_POST['id'];
$fn = $_POST['fn'];
$ln = $_POST['ln'];
$em = $_POST['em'];
$hid = $_POST['hid'];
$tn = $_POST['tn'];
$us = $_POST['us'];
$pw = $_POST['pw'];
$ul = $_POST['ul'];
$chk = $_POST['chk'];
$chkcount = count($id);
for($i=0; $i<$chkcount; $i++) $pwHash = pw_hash($pw, PASSWORD_BCRYPT, array('cost' => 10));
{
    $MySQLiconn->query("UPDATE user SET FName='$fn[$i]', LName='$ln[$i]', Email='$em[$i]', HerbalifeID='$hid[$i]', TelNr='$tn[$i]', UplineS='$us[$i]', Password='$pwHash[$i]', UserLevel='$ul[$i]' WHERE UserID=".$id[$i]);
}
header("Location: indexAdmin.php");
?>

I guess the fix should be the following:

<?php
include_once 'dbcon.php';
$id = $_POST['id'];
$fn = $_POST['fn'];
$ln = $_POST['ln'];
$em = $_POST['em'];
$hid = $_POST['hid'];
$tn = $_POST['tn'];
$us = $_POST['us'];
$pw = $_POST['pw'];
$ul = $_POST['ul'];

$chk = $_POST['chk'];
$chkcount = count($id);
for ($i = 0; $i < $chkcount; $i++) {

    $pwHash = password_hash($pw[$i], PASSWORD_BCRYPT, array('cost' => 10));
    $MySQLiconn->query("UPDATE user SET FName='$fn[$i]', LName='$ln[$i]', Email='$em[$i]', HerbalifeID='$hid[$i]', TelNr='$tn[$i]', UplineS='$us[$i]', Password='$pwHash', UserLevel='$ul[$i]'  WHERE UserID=".$id[$i]);
}
header("Location: indexAdmin.php");

The changes are

  1. Create pwHash variable and update table inside the same loop.
  2. Access $pw[$i] like the other variables such as $id and $fn - they all appear to be arrays.
  3. $pwHash is not an array, access it like a scalar variable.
  4. Use password_hash function - update based on comment by Paul Crovella

There are several issues with the code. The primary one, I believe, is the fact that the code is open to SQL injection attacks.
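
The same update loop with the SQL injection mentioned in the answer closed, as an added example that is not part of the original question or answer: it sends the values through a mysqli prepared statement instead of interpolating them into the query. It assumes dbcon.php sets $MySQLiconn to a mysqli connection and that the form posts parallel arrays of equal length; the $cols, $in and $rows names are introduced here.

```php
<?php
// Added example. Assumes dbcon.php sets $MySQLiconn to a mysqli connection
// and that the form posts parallel arrays (id[], fn[], ..., pw[]) as on the page.
include_once 'dbcon.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly on SQL errors

// Every field must be an array with one entry per submitted row.
$cols = ['id', 'fn', 'ln', 'em', 'hid', 'tn', 'us', 'pw', 'ul'];
$in = [];
foreach ($cols as $c) {
    if (!isset($_POST[$c]) || !is_array($_POST[$c])) {
        http_response_code(400);
        exit('Malformed form data');
    }
    $in[$c] = array_values($_POST[$c]);
}
$rows = count($in['id']);
foreach ($in as $values) {
    if (count($values) !== $rows) {
        http_response_code(400);
        exit('Field count mismatch');
    }
}

// Placeholders keep user input out of the SQL text entirely.
$stmt = $MySQLiconn->prepare(
    'UPDATE user SET FName=?, LName=?, Email=?, HerbalifeID=?, TelNr=?, '
    . 'UplineS=?, Password=?, UserLevel=? WHERE UserID=?'
);
// Bound by reference: the values assigned in the loop are what execute() sends.
$stmt->bind_param('ssssssssi', $fn, $ln, $em, $hid, $tn, $us, $pwHash, $ul, $id);

for ($i = 0; $i < $rows; $i++) {
    $fn  = (string) $in['fn'][$i];
    $ln  = (string) $in['ln'][$i];
    $em  = (string) $in['em'][$i];
    $hid = (string) $in['hid'][$i];
    $tn  = (string) $in['tn'][$i];
    $us  = (string) $in['us'][$i];
    $ul  = (string) $in['ul'][$i];
    $id  = (int) $in['id'][$i];
    // One hash per row, computed from that row's password only.
    $pwHash = password_hash((string) $in['pw'][$i], PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt->execute();
}
$stmt->close();
header('Location: indexAdmin.php');
exit;
```

At login, check a submitted password with password_verify() against the stored hash rather than hashing it again and comparing strings. A bcrypt hash is 60 characters long, so the Password column has to be at least that wide or the stored value is truncated and never verifies.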
