
I have a password:

828b8f98ec52c750bf018c92951c6e40ae3976e74c888e42ff55ff22403932af

I am using Kohana 3 for my Auth login normally.

Now I need to make a separate script, where a client can enter his password only, and then it should check if the password is correct.

So what I'm dealing with is:

<?php
$real_pwd = '828b8f98ec52c750bf018c92951c6e40ae3976e74c888e42ff55ff22403932af';
$entered_pwd = $_GET['pwd']; // test purposes, I know it's vuln for SQL injection ...

// crypt() returns a salted crypt-format string, so it never equals a bare hex digest
if ( $real_pwd == crypt($entered_pwd) ) { echo "OK"; }

This is not working of course; crypt() is something I tried, but I don't know what to use?

If it was a sha1 pw I could use sha1() for the entered_pwd, but what about sha256?

Karem
  • Is that the actual password, or its hash? I'd hate to have to live your organization's PW policy if that's the plaintext PW... – Marc B May 25 '12 at 17:13
  • I would recommend to read [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – Moyed Ansari May 25 '12 at 17:17
  • How could it be vulnerable for SQL injects if you're not using the $entered_pwd inside a query? (Hashing transforms any string into a hex character string, so there can be no SQL injection code in the hashed string.) – Mihai Stancu May 25 '12 at 17:24
  • I am just not part of the code. No, it's not the actual pw – Karem May 25 '12 at 17:42

1 Answer


You could use hash(): http://php.net/manual/en/function.hash.php

However, I recommend you have a look at bcrypt and use it for hashing passwords. Have a look here: How do you use bcrypt for hashing passwords in PHP?

Here are some other resources you might find useful: Secure hash and salt for PHP passwords

Fundamental difference between Hashing and Encryption algorithms

josmith
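The following is an added example, not code from the question or the answer. It shows both things the thread discusses: checking an entered password against a stored unsalted SHA-256 hex digest (the shape of the 64-character value in the question) with hash() and a constant-time compare, and the bcrypt approach the answer recommends via password_hash()/password_verify(), with a verify-and-upgrade step that migrates old SHA-256 entries to bcrypt on each successful login. It assumes PHP 7 or later (scalar type hints; password_hash() and password_verify() exist since 5.5, hash_equals() since 5.6). The stored values are constructed for the demo and are not the hash from the question; the function names are my own.

```php
<?php
declare(strict_types=1);

// Added example, not the question's or answer's code. Assumes PHP >= 7.
// The stored values used below are constructed for the demo.

/**
 * Check an entered password against a stored unsalted SHA-256 hex digest.
 * hash('sha256', ...) yields 64 lowercase hex chars; hash_equals() compares
 * in constant time so the check does not leak timing information.
 * crypt() is the wrong tool here: it produces salted crypt-format strings,
 * never a bare SHA-256 digest, so it can never equal the stored value.
 */
function verify_sha256_legacy(string $entered, string $stored_hex): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/i', $stored_hex)) {
        return false; // not a SHA-256 hex digest at all
    }
    $candidate = hash('sha256', $entered);
    return hash_equals(strtolower($stored_hex), $candidate);
}

/** Hash a new password with bcrypt, as the answer recommends. */
function hash_password(string $plain): string
{
    // PASSWORD_BCRYPT generates a random salt and embeds it in the result,
    // so two users with the same password get different stored hashes.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * Verify against a stored value that may still be an old unsalted SHA-256
 * digest or already a bcrypt hash. On a successful legacy match the password
 * is rehashed with bcrypt, so the store migrates one login at a time.
 * Returns the verdict; $stored is updated by reference when an upgrade
 * happens and the caller is expected to persist the new value.
 */
function verify_and_upgrade(string $entered, string &$stored): bool
{
    if (preg_match('/^[0-9a-f]{64}$/i', $stored)) {
        if (!verify_sha256_legacy($entered, $stored)) {
            return false;
        }
        $stored = hash_password($entered); // upgrade legacy entry to bcrypt
        return true;
    }
    if (!password_verify($entered, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])) {
        $stored = hash_password($entered); // e.g. the cost was raised since
    }
    return true;
}

// --- demo run on constructed data ---
// Simulates what the database holds today: an unsalted SHA-256 of the password.
$stored = hash('sha256', 'demo-password');

var_dump(verify_and_upgrade('wrong-password', $stored)); // rejected, $stored unchanged
var_dump(verify_and_upgrade('demo-password', $stored));  // accepted, $stored rewritten as bcrypt
var_dump(strpos($stored, '$2y$') === 0);                  // bcrypt hashes start with $2y$
var_dump(verify_and_upgrade('demo-password', $stored));  // accepted again, now via password_verify
```

In the separate script the question describes, read the password from $_POST rather than $_GET so it does not land in web-server access logs or browser history, cast it to string before calling verify_and_upgrade(), and write $stored back to the user's record whenever the function returns true, since that is when the upgrade to bcrypt takes place.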