In a previous article, which can be viewed here, I made it rather clear that cryptographic salts are crucial when using the MD5 or SHA1 algorithms. A salt prevents the stored hash from being an easily recognisable hash string. That article also mentioned the two ways of going about salts: dynamically and statically.
Your members table would have the following columns:
- id: tinyint(8)
- username: varchar(16)
- salt: char(5)
- password: char(32)
You would generate a random salt when the user registers (see the article on generating random strings; remember, though, that a salt does not need to be unique) and store it along with their personal credentials in the database. Upon user registration, you will want to hash the password together with the randomly generated salt and then store the resulting hash in the password field.
Now when a user comes to log in you can issue the SQL statement shown below. This will take the salt from the row where the user name matches, and MD5 it along with the password they entered. It will then be checked against the hash string in the database.
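Code:
-- 'entered_username' is a placeholder for the user name typed at login;
-- 'buddha' is the password the user entered.
SELECT username
FROM members
WHERE username = 'entered_username'
  -- hash the entered password with this row's salt and compare to the stored hash
  AND password = MD5(CONCAT(salt, 'buddha'))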
The above code is what you would use to log a user into your system. Simple!
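The registration and login steps described above, as an added Python example that is not part of the original article. It assumes an in-memory SQLite table standing in for MySQL, does the salting and MD5 in application code with bound parameters, and its function names and the UNIQUE constraint on username are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3
import string

SALT_ALPHABET = string.ascii_letters + string.digits  # assumed salt character set

def make_db():
    """In-memory stand-in for the article's members table (SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE members ("
        " id INTEGER PRIMARY KEY,"
        " username VARCHAR(16) UNIQUE,"  # UNIQUE is an assumption, not from the article
        " salt CHAR(5),"
        " password CHAR(32))"
    )
    return db

def hash_password(salt, password):
    # Same construction as MD5(CONCAT(salt, password)) in the article's query.
    # MD5 mirrors the article's schema; a production system would use a slow
    # password hash (bcrypt, scrypt, Argon2) here instead.
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()

def register(db, username, password):
    """Generate a 5-character random salt, then store salt and salted hash."""
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(5))
    db.execute(
        "INSERT INTO members (username, salt, password) VALUES (?, ?, ?)",
        (username, salt, hash_password(salt, password)),
    )
    return salt

def login(db, username, password):
    """Look up the row by user name, re-hash with its salt, compare hashes."""
    row = db.execute(
        "SELECT salt, password FROM members WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False  # unknown user name
    salt, stored = row
    # Constant-time comparison of the two 32-character hex digests.
    return hmac.compare_digest(stored, hash_password(salt, password))

if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "buddha")  # constructed sample users
    print(login(db, "alice", "buddha"), login(db, "alice", "wrong"))
```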