#1
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Jun 2013
    Posts: 15
    Rep Power: 0

    In need of bcrypt tutorial for PHP 5.4


    Hi All,

    I'm trying to find a reputable tutorial for using bcrypt to hash my users' passwords. I am aware that there is a built-in function in 5.5 which simplifies this process, but my host is forcing me to use 5.4 at this time.

    I have verified that CRYPT_BLOWFISH is enabled on my host.

    I have found a guide for PHP <v5.3.7, but wondered if there were any best practices for using bcrypt on v5.4.

    Thanks!

    Comments on this post

    • Jacques1 agrees : Great attitude regarding security and best practices. :-)
#2
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Jun 2013
    Posts: 15
    Rep Power: 0
    OK I have started to work through this library and have got it working: https://github.com/ircmaxell/password_compat

    However, I'm somewhat confused because there is no reference to a salt in the code, nor do I need to store one in the DB.

    When I use this library, do I not need to worry about a salt? Does it do it for me?
#3
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012
    Posts: 3,959
    Rep Power: 1014
    Hi,

    use the password_compat library. It emulates the PHP 5.5 password API. This means you can already use it now, and when PHP 5.5 is out, you can continue to use it and simply remove the library.

    In any case, I strongly advise against using the crypt() function directly. There are a lot of mistakes you can make using it, and the function is generally not meant for "end users". It's for library developers to build a high-level API on top of it.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#4
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Jun 2013
    Posts: 15
    Rep Power: 0
    Thank you jacques1 (again)

    So is this all I need to do to securely hash the password?

    PHP Code:
    $hash = password_hash($password, PASSWORD_BCRYPT, array("cost" => 15));
    No need to be concerned about storing a salt?
#5
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012
    Posts: 3,959
    Rep Power: 1014
    OK, you've found it already.

    Originally Posted by DpchMd
    When I use this library, do I not need to worry about a salt? Does it do it for me?
    The library takes care of generating the salt. bcrypt always stores the salt together with the cost parameter and the hash in one string.

    So, yeah, that's all you need to do. The result is a CHAR(60).
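    To make the two answers above concrete (the one-liner in #4 and the salt explanation in #5), here is an added example that is not code from the thread or from the password_compat project. It assumes the library is loaded from a hypothetical path `lib/password.php`; on PHP 5.5 and later the include can simply be dropped and the same calls hit the native functions. It hashes a constructed password, splits the resulting 60-character string into its algorithm id, cost, salt and digest so you can see where the salt lives, and shows a login check that upgrades the stored cost when your policy changes.

    ```php
    <?php
    // Added example (not from the thread or the password_compat project).
    // Assumes password_compat is available at this hypothetical path; on PHP >= 5.5
    // the native password_* functions are used and the include is unnecessary.
    require_once 'lib/password.php';

    // Hash a new password. The library draws a random salt itself; the returned
    // string bundles "$2y$", the cost, the salt and the digest, so the only thing
    // you store is this string (a CHAR(60) column fits it exactly).
    function hashPassword($plain, $cost = 12) {
        $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => $cost));
        if (!is_string($hash)) {
            throw new RuntimeException('password_hash failed (is CRYPT_BLOWFISH available?)');
        }
        return $hash;
    }

    // Split a bcrypt string into its parts. Layout: $2y$<2-digit cost>$<22-char salt><31-char digest>.
    // Returns null if the string is not a well-formed $2y$ hash.
    function parseBcrypt($hash) {
        if (!preg_match('/^\$2y\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
            return null;
        }
        return array('cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]);
    }

    // Login check. password_verify reads the cost and salt back out of the stored
    // string, so no separate salt column is needed. If the stored cost is below the
    // current policy, a fresh hash is returned so the caller can update the row.
    function checkLogin($plain, $storedHash, $currentCost = 12) {
        if (!password_verify($plain, $storedHash)) {
            return array('ok' => false, 'newHash' => null);
        }
        $newHash = null;
        if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => $currentCost))) {
            $newHash = hashPassword($plain, $currentCost);
        }
        return array('ok' => true, 'newHash' => $newHash);
    }

    // Demo with a constructed password, hashed at cost 10 on purpose so the
    // rehash path is exercised when the policy below asks for cost 12.
    $stored = hashPassword('correct horse battery staple', 10);
    $parts  = parseBcrypt($stored);
    printf("length=%d cost=%d salt=%s\n", strlen($stored), $parts['cost'], $parts['salt']);

    $good = checkLogin('correct horse battery staple', $stored, 12);
    var_dump($good['ok']);                // bool(true)
    var_dump($good['newHash'] !== null);  // bool(true): stored cost 10 < policy 12, store the new hash

    $bad = checkLogin('wrong password', $stored, 12);
    var_dump($bad['ok']);                 // bool(false)
    ```

    The cost parameter is the one knob worth thinking about: each increment doubles the work for both you and an attacker, so pick the highest value your login path can afford, and keep the rehash-on-login step so old rows migrate as you raise it.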
#6
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Jun 2013
    Posts: 15
    Rep Power: 0
    Originally Posted by Jacques1
    OK, you've found it already.

    The library takes care of generating the salt. bcrypt always stores the salt together with the cost parameter and the hash in one string.
    Nice! Thanks!
#7
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012
    Posts: 3,959
    Rep Power: 1014
    By the way: Kudos to you for keeping up to date and looking for state-of-the-art libraries. This is rare in the PHP world. Most people still run around with md5() and mysql_query() and never bother to update their code. "It works", so why change it? They don't understand that code needs to do more than just kinda sorta "work".

    Keep it up!
#8
    Registered User
    Devshed Newbie (0 - 499 posts)
    Join Date: Jun 2013
    Posts: 15
    Rep Power: 0
    Originally Posted by Jacques1
    By the way: Kudos to you for keeping up to date and looking for state-of-the-art libraries. This is rare in the PHP world. Most people still run around with md5() and mysql_query() and never bother to update their code. "It works", so why change it? They don't understand that code needs to do more than just kinda sorta "work".

    Keep it up!
    Thanks, I'm learning quickly.

    This was so easy to set up that I'm surprised so many people get it wrong.

    Comments on this post

    • Strider64 agrees : I think people sometimes try to re-invent the wheel, I know I have been guilty of that in the past ;)
#9
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012
    Posts: 3,959
    Rep Power: 1014
    Originally Posted by DpchMd
    This was so easy to set up that I'm surprised so many people get it wrong.
    Well, I think it's a combination of bad learning resources, lazy end users and incompetent language developers.

    First of all, the Internet is filled with sh*tty PHP tutorials and terrible code examples. When you Google for tutorials, the first thing that pops up is "w3schools" -- an endless source of misinformation, which is infamous for outdated code, unsecure practices and plain nonsense. And when you search for code examples, you usually end up with nothing but garbage code some kids wrote somewhere in the 90s.

    I think this is actually one of the biggest problems PHP has: The total overkill of bad information. It's like a gigantic disinformation campaign. Finding the few good resources is hard work, you have to do a lot of reading and compare different sources.

    Another problem is the laziness and copypasta culture amongst the PHP users. Many people don't do any reading at all. They just pick the next best tutorial (which is always crap), modify it, somehow get it running, and that's it. "It works", mission accomplished. This means that the crappy tutorials mentioned above are guaranteed to live forever. We'll probably still see them being copied and pasted in 10 years.

    Last but not least, the PHP language developers haven't always made the best decisions in the past -- to put it in the most diplomatic way. Writing bad PHP code is very easy. Writing good code requires a lot of knowledge and hard work circumventing the various pitfalls.

    I'm not only talking about brain farts like register_globals or magic_quotes. Take queries as an example: You wanna query a MySQL database, so the most obvious thing to do would be to use mysql_query(). Well, no, this extension is outdated. So you switch to PDO. Somebody tells you that you should be using prepared statements, so that's what you do. Well, no, the PHP developers in their infinite wisdom have decided to turn off prepared statements by default. So you turn them on again. Are you secure now? Well, no, you've probably wrapped the PDO construction in a try-catch block displaying all error details on the screen, because that's what the PHP manual recommends.

    In other words: You need to circumvent three non-obvious pitfalls just to do a f*cking database query. This is a disaster. No wonder nobody gets it right!

    I think the only way to get PHP back on track would be to actually remove all dangerous features and aggressively promote secure alternatives. But since this would probably break 90% of all PHP websites, it's not gonna happen. PHP is the COBOL of the web.

    Comments on this post

    • Strider64 agrees : At least one won't drop a bunch of punch cards....;)
    Last edited by Jacques1; June 30th, 2013 at 11:32 AM.
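    The three PDO pitfalls listed in the post above (emulated prepared statements left on, errors that pass silently, and a catch block that prints connection details to the browser) are easier to see side by side. The following is an added example, not code from the thread: a default-style connection next to a hardened one, plus a login lookup that pairs the prepared statement with password_verify. The DSN, credentials, table and column names are placeholders, and the password_compat include path is hypothetical.

    ```php
    <?php
    // Added example (not from the thread). Puts the default PDO setup next to a
    // hardened one. DSN, credentials, table and column names are placeholders.
    require_once 'lib/password.php'; // hypothetical path to password_compat (PHP 5.4)

    // Weak setup: emulated prepares (the client interpolates values into the SQL
    // text), errors reported only through return values, and a catch block that
    // echoes the exception, which for a failed connection includes host and
    // database details.
    function connectWeak() {
        try {
            return new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER');
        } catch (PDOException $e) {
            echo 'Connection failed: ' . $e->getMessage(); // leaks details to the visitor
            return null;
        }
    }

    // Hardened setup: native server-side prepares, every error raised as an
    // exception, charset fixed in the DSN. No try/catch here on purpose: the
    // entry point decides what the user gets to see.
    function connectHardened($dsn, $user, $pass) {
        $options = array(
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        );
        return new PDO($dsn, $user, $pass, $options);
    }

    // Look up the stored bcrypt string for a user and check the submitted password.
    // Returns the user id on success, null otherwise. With emulation off the
    // username travels to the server as a bound parameter, never inside the SQL.
    function authenticate(PDO $pdo, $username, $password) {
        $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
        $stmt->execute(array($username));
        $row = $stmt->fetch();
        if ($row === false || !password_verify($password, $row['password_hash'])) {
            return null;
        }
        return (int) $row['id'];
    }

    // Entry point: a single catch block logs the real error server-side and
    // returns a generic message, so neither the DSN nor the SQL reaches the browser.
    try {
        $pdo = connectHardened('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER');
        $username = isset($_POST['username']) ? $_POST['username'] : '';
        $password = isset($_POST['password']) ? $_POST['password'] : '';
        $userId = authenticate($pdo, $username, $password);
        echo $userId === null ? 'Login failed.' : 'Welcome, user #' . $userId;
    } catch (PDOException $e) {
        error_log('Database error: ' . $e->getMessage()); // server log only
        http_response_code(500);
        echo 'Something went wrong. Please try again later.';
    }
    ```

    Two details are easy to miss: `ATTR_ERRMODE` matters as much as `ATTR_EMULATE_PREPARES`, because without exceptions a failed `prepare()` returns false and the later `execute()` call fails in a way most code never checks; and the generic "login failed" message is returned for both an unknown user and a wrong password, so the response does not reveal which accounts exist.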
#10
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Aug 2012
    Location: Burb of Detroit, Michigan
    Posts: 89
    Rep Power: 77
    What I find amazing over the last couple of months is the amount of bad code that people post. I'm also surprised by some of the responses, for example "I know it's bad code, I just want it to work!". I always scratch my head and hope that this person doesn't have a job that deals with a website that I visit, plus I wonder how that person got a job in the first place. Just my .02 cents.

    Comments on this post

    • Jacques1 agrees
#11
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012
    Posts: 3,959
    Rep Power: 1014