Government of the Islamic Republic of Afghanistan

Ministry of Higher Education

Directorate of Private Universities and Higher Education Institutions

Aria Private University

Faculty of Computer Science


Password Hashing

Prepared by: Mohammad Ali Rahimi (محمد علی رحیمی)


Supervisor: Mohammad Yama Ramin (محمد یمارامین)
Subject: Client Server Side
Class time: evening
What is a Hash?

Hashing performs a one-way transformation on a password, turning the password into another string, called the hashed password. "One-way" means that it is practically impossible to go the other way, that is, to turn the hashed password back into the original password.
How to Hash a Password?
• First, you need a database users table.
• For example, let's use a simplified version of the "accounts" table from my Student.
• This table has the following columns:
• account_id: the unique identifier of the account.
• account_name: the account username.
• account_passwd: the password hash.
• This is the SQL code to create the table (you can use it with phpMyAdmin to create the table in your development environment):
Cont.:
    CREATE TABLE accounts (
        account_id int(10) UNSIGNED NOT NULL,
        account_name varchar(255) NOT NULL,
        account_passwd varchar(255) NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    ALTER TABLE accounts
        ADD PRIMARY KEY (account_id);

    ALTER TABLE accounts
        MODIFY account_id int(10) UNSIGNED NOT NULL AUTO_INCREMENT;
Important:
• Be sure to set the password column as a varchar.
• (A varchar is a text column of variable length.)
• The reason is that the length of the hash returned by password_hash() can change, depending on the algorithm used (more details on this later).
Connection:
• Now, you need to connect to the database from your PHP script.
• If you don't know how, here is a simple PDO connection script you can use right away.
• Just edit the connection parameters to make it work with your own environment:
• Next Slide is coding…
    <?php
    /* Host name of the MySQL server. */
    $host = 'localhost';
    /* MySQL account username. */
    $user = 'myUser';
    /* MySQL account password. */
    $passwd = 'myPasswd';
    /* The default schema you want to use. */
    $schema = 'mySchema';
    /* The PDO object. */
    $pdo = NULL;
    /* Connection string, or "data source name". */
    $dsn = 'mysql:host=' . $host . ';dbname=' . $schema;

    /* Connection inside a try/catch block. */
    try
    {
        /* PDO object creation. */
        $pdo = new PDO($dsn, $user, $passwd);

        /* Enable exceptions on errors. */
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    catch (PDOException $e)
    {
        /* If there is an error, an exception is thrown.
           Show a generic message only: $e->getMessage() can contain the DSN and credentials. */
        echo 'Database connection failed.';
        die();
    }
Creating a User:
• Now you are ready to add a new user to the table.
• Here is a full example (pdo.php is the script containing the previous database connection snippet):
• Next Slide is coding…
    <?php
    /* Include the database connection script. */
    include 'pdo.php';

    /* Username. */
    $username = 'John';

    /* Password. */
    $password = 'my secret password';

    /* Secure password hash. */
    $hash = password_hash($password, PASSWORD_DEFAULT);

    /* Insert query template. */
    $query = 'INSERT INTO accounts (account_name, account_passwd) VALUES (:name, :passwd)';

    /* Values array for PDO. */
    $values = [':name' => $username, ':passwd' => $hash];

    /* Execute the query. */
    try
    {
        $res = $pdo->prepare($query);
        $res->execute($values);
    }
    catch (PDOException $e)
    {
        /* Query error. */
        echo 'Query error.';
        die();
    }
Change Password:
• The next example shows how to change the password of an existing user.
• First, get the new password and create its hash with password_hash():
• Next Slide is coding…
    <?php
    /* New password. */
    $password = $_POST['password'];

    /* Remember to validate the password. */

    /* Create the new password hash. */
    $hash = password_hash($password, PASSWORD_DEFAULT);
Verify Password:
• To verify the password provided by a remote user, you need to use the password_verify() function.
• password_verify() takes two arguments:
• the password you need to verify, as the first argument;
• the hash from password_hash() of the original password, as the second argument.
• If the password is correct, password_verify() returns true.
• Here is an example:
• Next Slide is coding…
    <?php
    /* Include the database connection script. */
    include 'pdo.php';

    /* Login status: false = not authenticated, true = authenticated. */
    $login = FALSE;

    /* Username from the login form. */
    $username = $_POST['username'];

    /* Password from the login form. */
    $password = $_POST['password'];

    /* Remember to validate $username and $password. */

    /* Look for the username in the database. */
    $query = 'SELECT * FROM accounts WHERE (account_name = :name)';

    /* Values array for PDO. */
    $values = [':name' => $username];

    /* Execute the query. */
    try
    {
        $res = $pdo->prepare($query);
        $res->execute($values);
    }
    catch (PDOException $e)
    {
        /* Query error. */
        echo 'Query error.';
        die();
    }

    $row = $res->fetch(PDO::FETCH_ASSOC);

    /* If there is a result, check if the password matches using password_verify(). */
    if (is_array($row))
    {
        if (password_verify($password, $row['account_passwd']))
        {
            /* The password is correct. */
            $login = TRUE;
        }
    }
Important:
• You cannot just compare two hashes to see if they match; you must use password_verify().
• The reason is that password_hash() creates salted hashes.
• Salted hashes include a random string, named "salt", as a protection against rainbow tables and dictionary attacks.
• Therefore, every hash will be different even if the source password is the same.

• Try the following code. You will see that the two hashes are different, even if the password is the same:
• Next Slide is coding…
    <?php
    $password = 'my password';

    echo password_hash($password, PASSWORD_DEFAULT);
    echo '<br>';
    echo password_hash($password, PASSWORD_DEFAULT);
Increase Hash Security:
• The hash generated by password_hash() is very secure.
• But you can make it even stronger with two simple techniques:
• 1. Increasing the Bcrypt cost.
• 2. Automatically updating the hashing algorithm.

• Bcrypt cost
• Bcrypt is the current default hashing algorithm used by password_hash().
• This algorithm takes an option named "cost". The default cost value is 10.
• By increasing the cost, you can make the hash more difficult to compute. The higher the cost, the longer the time needed to create the hash.
• Next Slide is coding…
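The following is an added example, not code from the original slides: it carries both techniques of this section through (a higher bcrypt cost chosen by timing, and upgrading an existing user's hash at login with password_needs_rehash()), and it splits the stored string into cost, salt and hash to show why the two hashes from the previous "Important" slide differ. It uses an in-memory SQLite database through PDO instead of MySQL so it runs without a server; the account 'John', its password and the 50 ms time budget are constructed for the demonstration.

```php
<?php
/* Added example, not from the original slides: a higher bcrypt cost plus
   rehash-on-login with password_needs_rehash(), against an in-memory SQLite table
   so it runs offline. Assumes PHP >= 7.0 with pdo_sqlite; the row is constructed. */
/* Find the highest cost that still hashes within a time budget on this machine. */
function chooseCost(float $targetSeconds = 0.05): int
{
    $cost = 9;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while ((microtime(true) - $start) < $targetSeconds && $cost < 31);
    return $cost;
}

/* Split "$2y$<cost>$<22-char salt><31-char hash>": the salt is stored inside the
   hash string, which is why two hashes of the same password never look alike. */
function describeBcrypt(string $hash): array
{
    $p = explode('$', $hash);
    return ['algo' => $p[1], 'cost' => (int) $p[2],
            'salt' => substr($p[3], 0, 22), 'hash' => substr($p[3], 22)];
}

$options = ['cost' => max(11, chooseCost())]; /* policy: never below the old cost 10 */
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (account_id INTEGER PRIMARY KEY,
            account_name TEXT NOT NULL, account_passwd TEXT NOT NULL)');

/* Constructed legacy row: hashed back when the default cost of 10 was the policy. */
$old = password_hash('my secret password', PASSWORD_BCRYPT, ['cost' => 10]);
$pdo->prepare('INSERT INTO accounts (account_name, account_passwd) VALUES (?, ?)')
    ->execute(['John', $old]);

/* Login: verify first, then upgrade the stored hash if it is below the current policy. */
$stmt = $pdo->prepare('SELECT * FROM accounts WHERE account_name = :name');
$stmt->execute([':name' => 'John']);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if (is_array($row) && password_verify('my secret password', $row['account_passwd'])) {
    echo 'Login OK, stored: ', json_encode(describeBcrypt($row['account_passwd'])), PHP_EOL;
    if (password_needs_rehash($row['account_passwd'], PASSWORD_BCRYPT, $options)) {
        $new = password_hash('my secret password', PASSWORD_BCRYPT, $options);
        $pdo->prepare('UPDATE accounts SET account_passwd = :passwd WHERE account_id = :id')
            ->execute([':passwd' => $new, ':id' => $row['account_id']]);
        echo 'Rehashed to cost ', describeBcrypt($new)['cost'], PHP_EOL;
    }
}
```

Because the rehash happens only after password_verify() succeeds, the plaintext needed for the new hash is available exactly once, at login, and users whose hash is already at the current cost are left untouched.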
