StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSalting in PHP and MySQL
primarykey
Id
3284277
data
AcceptedAnswerId
3284353
AnswerCount
1
ClosedDate
CommentCount
6
CommunityOwnedDate
CreationDate
2010-07-19T19:23:25.007
FavoriteCount
0
LastActivityDate
2010-07-19T19:52:24.977
LastEditDate
2017-05-23T11:48:44.743
LastEditorUserId
-1
OwnerUserId
128081
ParentId
0
PostTypeId
1
Score
0
ViewCount
456
LastEditorDisplayName
text
Body
I have been developing a login library for a website using CodeIgniter. The authentication code is as follows: <pre><code>function signin($username, $password) { $CI =& get_instance(); $query_auth=$this->db->query('SELECT user_id, banned FROM user WHERE username=? AND password=SHA1(CONCAT(?,salt)) LIMIT 1', array($username, $password)); if($query_auth->num_rows()!=1) return 2; else { if($query_init->row()->banned==1) return 3; else { $CI->load->library('session'); $this->session->set_userdata('gauid', $query_auth->row()->user_id); return 1; } } } </code></pre> The return values signifying success, failure or banned. Each user has a unique salt stored in the database. Originally i grabbed the salt from the database, combined the users inputted password and salt from the database in PHP, then queried the database again with the combined value. I thought that this would speed things up as only one trip to the database is required and there is less code. I also thought that it would be equally secure, however after reading the top reponse to this question <a href="https://stackoverflow.com/questions/3273293/salting-my-hashes-with-php-and-mysql">Salting my hashes with PHP and MySQL</a> ... <blockquote> First of all, your DBMS (MySQL) does not need to have any support for cryptographic hashes. You can do all of that on the PHP side, and that's also what you should do. </blockquote> ...I started to wonder if there was a security problem i had neglected to spot. Is there actually anything wrong this code?
Tags
<php><mysql><security><salt>
Title
Salting in PHP and MySQL
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USj82374823749
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POSalting in PHP and MySQL
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POSalting in PHP and MySQL
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTDownMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.