I’m not new to php but I’m starting to learn it again and I have a problem that I do not know how to solve. I’m creating a system for my applications (Windows Form) where a user can register and use it. (Note: I’m not using a browser!) and I’m using php/mysqli.
I’ve read too many topics on how to store passwords safely in a db and such so I get the general idea but I’m sure my method is not very secure. So here goes.
I have a user in my db (Testing with EasyPHP via localhost for now) and I want to check if a user logs in correctly with my application ; my procedure is as follows.
- User enters their details (Username & Password)
- After hitting submit/login , my app communicates with the php script via http requests and sends data
by cookies. So it sends the username to the script
- Script does a query and searches for the username to check if it exists
Here’s the real problem: I’m using SHA1 (I can only use hash functions that both php and my app can use) for hashing and each user has their own unique salt which is stored in the db. I need to retrieve the salt (YES I know this is a very bad idea indeed!) so I can hash the password and send it to the script for verification. But this seems very flawed as I don’t want to expose a salt even if it’s unique because the hacker could find out and try to get the password this way. Security is not that paramount so I don’t want to use SSL but I want to be prepared just in case.
For people who use this method (Storing password salts in the db) how do you proceed with checking login ?
Can someone suggest a better method that mine