I’m no password expert, for this is all I do to store the password:
[php]$password = password_hash($password, PASSWORD_BCRYPT, array("cost" => 15));[/php]
I figure if someone can crack that then they are either
- Extremely Smart
or I’m
- Extremely stupid in having a security vulnerability. ;D
You don’t have to put in a random salt, for that is the nice thing; this is a quote from the password_hash page on php.net: “This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.”
I was thinking that the following might help; this is the script I’m currently using for my own website:
[php]// SQLSTATE class 23 = integrity constraint violation (e.g. a duplicate username).
// PDOException::getCode() returns the five-character SQLSTATE, so compare its first two characters.
define('SQL_CONSTRAINT_VIOLATION', '23');

// $pdo is a PDO connection configured earlier with PDO::ERRMODE_EXCEPTION.
if (isset($_POST['action']) && $_POST['action'] == 'register') {
    $userType  = 'public';
    $username  = $_POST['username'];
    $realname  = $_POST['realname'];
    $email     = $_POST['email'];
    $imagePath = 'lib/upload/img-blank.jpg';
    // bcrypt hash; the algorithm, cost and salt are all embedded in the resulting string.
    $password  = password_hash($_POST['password'], PASSWORD_BCRYPT, array("cost" => 15));

    // Prepared statement: user input is bound as parameters, never concatenated into the SQL.
    $query = 'INSERT INTO users (userType, username, realname, email, password, imagePath, dateAdded) VALUES (:userType, :username, :realname, :email, :password, :imagePath, NOW())';
    $stmt = $pdo->prepare($query);
    try {
        $stmt->execute(array(
            ':userType'  => $userType,
            ':username'  => $username,
            ':realname'  => $realname,
            ':email'     => $email,
            ':password'  => $password,
            ':imagePath' => $imagePath,
        ));
        header('Location: index.php');
        exit();
    } catch (PDOException $error) {
        if (substr($error->getCode(), 0, 2) == SQL_CONSTRAINT_VIOLATION) {
            // Constraint violation (most likely the username or email already exists).
            echo http_response_code();
        } else {
            throw $error; // some other error happened; just pass it on.
        }
    }
}[/php]
I just realized I don’t practice what I preach; I’m going to have to comment the error messages out or log them to a folder… oops, my bad.
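The login counterpart to the registration script above, as an added example that is not part of the original post: it shows how password_verify() reads the cost and salt straight out of the stored bcrypt string, and how password_needs_rehash() lets the cost be raised later without resetting anyone's password. It assumes the same users table with an integer id column, the PDO handle in $pdo, and that session_start() has already been called.

```php
<?php
// Added example, not the original poster's code. Assumes $pdo, a `users` table
// with columns id/username/password, and an active session.

const BCRYPT_COST = 15; // must match the cost used at registration

function authenticate(PDO $pdo, string $username, string $password): bool
{
    // Parameterised lookup, same pattern as the INSERT in the post.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A stored value looks like "$2y$15$<22-char salt><31-char hash>": algorithm,
    // cost and salt are all inside it, so nothing else is needed from the database.
    // When the user is unknown, verify against a freshly generated dummy hash at the
    // same cost so the response takes about as long as it does for a real user.
    $storedHash = $row['password'] ?? password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if (!password_verify($password, $storedHash) || $row === false) {
        return false;
    }

    // If BCRYPT_COST was raised since this hash was written, rehash now while the
    // plaintext is available; old hashes migrate gradually as users log in.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $update = $pdo->prepare('UPDATE users SET password = :password WHERE id = :id');
        $update->execute([
            ':password' => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
            ':id'       => $row['id'],
        ]);
    }
    return true;
}

if (isset($_POST['action']) && $_POST['action'] === 'login') {
    if (authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        session_regenerate_id(true); // new session id after privilege change
        $_SESSION['username'] = $_POST['username'];
        header('Location: index.php');
        exit();
    }
    // One generic message for every failure cause; detail goes to the server log only.
    error_log('Failed login attempt for user ' . ($_POST['username'] ?? ''));
    http_response_code(401);
    echo 'Invalid username or password.';
}
```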