
@cballou
Created March 25, 2012 13:33
Securing Your PHP Sessions with a Salt (old, use bcrypt)
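-- Login table for the hashing helpers below.
-- `password` was VARCHAR(40), which only fits a 40-char sha1 hex digest:
-- crypt() bcrypt output is 60 characters and the stretched SHA-512 fallback
-- is 128 hex characters, so the longer hashes would be truncated (or rejected
-- under strict SQL mode) and could never verify. 255 covers both formats.
-- `salt` holds the 22-character salt returned by reference from create_hash();
-- bcrypt embeds its salt in the hash, but the SHA-512 fallback needs it stored.
-- NOTE(review): '0000-00-00 00:00:00' is rejected when NO_ZERO_DATE is in the
-- SQL mode (default in newer MySQL), and CHARSET=UTF8 is MySQL's 3-byte utf8;
-- consider DEFAULT NULL / utf8mb4 when deploying.
CREATE TABLE `secure_login` (
  `id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
  `email` VARCHAR(120) NOT NULL,
  `password` VARCHAR(255) NOT NULL,
  `salt` VARCHAR(22) DEFAULT NULL,
  `session` VARCHAR(40) DEFAULT NULL,
  `disabled` TINYINT(1) UNSIGNED DEFAULT 0,
  `created_dt` DATETIME DEFAULT '0000-00-00 00:00:00',
  `modified_ts` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`),
  UNIQUE INDEX `uniq_idx` (`email`)
) ENGINE=InnoDB CHARSET=UTF8;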
<?php
// Site-wide secret prepended to every password before hashing. It is one fixed
// value for all users (a pepper, not a per-user salt), so identical passwords
// still produce identical hashes; changing it invalidates every stored hash.
define('UNIQUE_SALT', '5&nL*dF4');
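/**
 * Checks a submitted password against a stored UNIQUE_SALT-prefixed digest.
 *
 * @param string $pass        The user submitted password
 * @param string $hashed_pass The hashed password pulled from the database
 * @param string $hash_method The hashing method used to generate the hashed password
 *                            (any name from hash_algos(); falls back to sha1)
 * @return bool true when the recomputed digest matches $hashed_pass
 */
function validateLogin($pass, $hashed_pass, $hash_method = 'sha1') {
    // in_array() with strict comparison; the original was also missing the
    // closing parenthesis of this condition.
    if (function_exists('hash') && in_array($hash_method, hash_algos(), true)) {
        $computed = hash($hash_method, UNIQUE_SALT . $pass);
    } else {
        // sha1() takes only the data; the original passed $hash_method as the
        // data and the real input as sha1()'s boolean raw_output flag.
        $computed = sha1(UNIQUE_SALT . $pass);
    }
    // Constant-time comparison (PHP >= 5.6) so the position of the first
    // differing byte does not leak through response timing.
    if (function_exists('hash_equals')) {
        return hash_equals((string) $hashed_pass, $computed);
    }
    return ($hashed_pass === $computed);
}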
<?php
// Fixed, site-wide pepper mixed into every hash created by create_hash().
// Because it is shared by all users and lives in source, it must stay out of
// public repositories; it does not replace a per-user random salt.
define('UNIQUE_SALT', '5&nL*dF4');
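/**
 * Hashes a string with the site-wide UNIQUE_SALT prepended.
 *
 * @param string $string      The plaintext to hash (e.g. a password)
 * @param string $hash_method Any algorithm name listed by hash_algos(); defaults to sha1
 * @return string Lowercase hex digest of UNIQUE_SALT . $string
 */
function create_hash($string, $hash_method = 'sha1') {
    // Strict in_array() so a non-string $hash_method cannot loosely match;
    // the original condition was also missing its closing parenthesis.
    if (function_exists('hash') && in_array($hash_method, hash_algos(), true)) {
        return hash($hash_method, UNIQUE_SALT . $string);
    }
    // hash() unavailable or unknown algorithm: fall back to sha1.
    return sha1(UNIQUE_SALT . $string);
}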
<?php
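/**
 * Returns $length bytes of random binary data (not a printable password).
 *
 * Prefers a cryptographically secure source (random_bytes(), then OpenSSL
 * when it reports a strong source) and only then falls back to bytes derived
 * from mt_rand(), which is NOT suitable for secrets on its own.
 *
 * @param int $length Number of bytes to return
 * @return string Raw binary string of exactly $length bytes; '' when $length < 1
 */
function pseudo_rand($length) {
    $length = (int) $length;
    // openssl_random_pseudo_bytes()/random_bytes() reject lengths below 1.
    if ($length < 1) {
        return '';
    }
    // PHP >= 7.0: OS-backed CSPRNG.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $is_strong = false;
        $rand = openssl_random_pseudo_bytes($length, $is_strong);
        // Only trust OpenSSL's output when it flags the source as strong.
        if ($is_strong === true) {
            return $rand;
        }
    }
    // Last resort: mt_rand() is predictable. Each byte is taken from a
    // rolling sha256 of previous state + a new mt_rand() value.
    $rand = '';
    $digest = '';
    for ($i = 0; $i < $length; $i++) {
        $digest = hash('sha256', $digest . mt_rand());
        // Pick one hex pair from the 64-char digest (offset 0..62, plus 1).
        $pos = mt_rand(0, 62);
        $rand .= chr(hexdec($digest[$pos] . $digest[$pos + 1]));
    }
    return $rand;
}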
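/**
 * Hashes a password with a fresh random salt. Uses bcrypt via crypt() when the
 * build supports it, otherwise the stretched SHA-512 fallback (_create_hash).
 *
 * @param string $string       The plaintext password
 * @param string &$salt        Receives the generated 22-character salt. bcrypt
 *                             embeds it in the returned hash; the SHA-512
 *                             fallback does not, so callers must store it.
 * @param int    $stretch_cost bcrypt cost (log2 of the rounds), clamped to 4..31
 * @return string The password hash
 */
function create_hash($string, &$salt = '', $stretch_cost = 10) {
    // bcrypt salts are 22 characters from [./A-Za-z0-9]. base64 uses '+' where
    // bcrypt uses '.', and '/' is already valid. 18 random bytes encode to
    // exactly 24 base64 characters with no padding, so all 22 kept are random.
    $salt = substr(str_replace('+', '.', base64_encode(pseudo_rand(18))), 0, 22);
    // The original tested an undefined $hash_method here; what actually decides
    // whether bcrypt can be used is CRYPT_BLOWFISH.
    if (function_exists('crypt') && defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1) {
        // crypt() needs a two-digit, zero-padded cost ("$2y$05$", not "$2y$5$").
        $cost = sprintf('%02d', max(4, min(31, (int) $stretch_cost)));
        // $2y$ is the corrected bcrypt identifier on PHP >= 5.3.7; older
        // builds only understand $2a$.
        $prefix = (PHP_VERSION_ID >= 50307) ? '$2y$' : '$2a$';
        $hash = crypt($string, $prefix . $cost . '$' . $salt);
        // crypt() signals failure with a short "*0"/"*1" string; a bcrypt hash
        // is always 60 characters.
        if (strlen($hash) === 60) {
            return $hash;
        }
    }
    return _create_hash($string, $salt);
}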
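/**
 * Fallback key stretching: repeatedly applies SHA-512 to hash . salt . password.
 *
 * Used only when bcrypt is unavailable. The salt is not embedded in the
 * result, so the caller must store $salt alongside the hash to verify later.
 *
 * @param string $password   The plaintext password
 * @param string $salt       Per-user random salt
 * @param int    $iterations Number of SHA-512 rounds (default 20000). Must be
 *                           the same value when verifying an existing hash.
 * @return string 128-character lowercase hex digest
 */
function _create_hash($password, $salt, $iterations = 20000) {
    // Never return an empty "hash": at least one round always runs.
    $rounds = max(1, (int) $iterations);
    $hash = '';
    // Feeding the previous digest back in makes every round depend on the
    // one before it, so the work cannot be skipped.
    for ($i = 0; $i < $rounds; $i++) {
        $hash = hash('sha512', $hash . $salt . $password);
    }
    return $hash;
}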
<?php
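/**
 * Checks a submitted password against a hash produced by create_hash().
 *
 * @param string $pass        The user submitted password
 * @param string $hashed_pass The hashed password pulled from the database
 * @param string $salt        The salt stored with the hash; only used for the
 *                            SHA-512 fallback (bcrypt embeds its salt in $hashed_pass)
 * @return bool true when $pass reproduces $hashed_pass
 */
function validateLogin($pass, $hashed_pass, $salt) {
    $hashed_pass = (string) $hashed_pass;
    // Choose the verifier from the stored hash's own format, not from an
    // undefined $hash_method as the original did: bcrypt hashes start with
    // "$2a$"/"$2y$" and must be re-derived with crypt() using the stored hash
    // as the salt (crypt() reads cost and salt from it).
    $prefix = substr($hashed_pass, 0, 4);
    if ($prefix === '$2a$' || $prefix === '$2y$') {
        if (!function_exists('crypt')) {
            return false;
        }
        $computed = crypt($pass, $hashed_pass);
    } else {
        $computed = _create_hash($pass, $salt);
    }
    // Constant-time comparison (PHP >= 5.6) so timing does not reveal how many
    // leading bytes matched.
    if (function_exists('hash_equals')) {
        return hash_equals($hashed_pass, $computed);
    }
    return ($hashed_pass === $computed);
}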