Password salt

Hello everyone,
I am a PHP beginner, just started to study.
I’m trying at the moment create an Application that uses MYSQL on a Docker enviroment.
In the exercise I’m following it’s asking :
“Create a DB in MYSQL with a table holding: (a) a user name (acting as primary key), (b) a secured password, © an arbitrary textual information. The secured password must be pre-pended with a 6 character long salt, then hashed with the SHA-256 algorithm (note that MySQL provides a sha2 method that can be used to realize SHA-256). Both the salt and the hash value are then concatenated and stored in the resp. column of the table”.

My concern is about the password with 6 char long salt. Is there a type salt in mySql?
Can anyone address to a documentation for this or suggest me any hints?
Also: Both the salt and the hash value are then concatenated and stored in the resp. column of the table. Should I create a separate column for this?

Many thanks

A salt is just a string. And referring to “Both the salt and the hash value are then concatenated and stored in the resp. column of the table” that’s just one column, because after a concatenation you have only one value left.

Good you learn the fundamentals of secure password hashing, but if you ever go beyond this tutorial, you should consider using appropriate, more secure hashing functions like this:

https://www.php.net/manual/en/function.password-hash.php

and benefit from the function doing most work for you.

1 Like

Many thanks for your reply.
So in the DB the password will be just an entry of type String?

In the link you have sent me I can read: "
The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default. "
So, should I forget about the salt option as it’s generate by default?

Thanks again

That is a deprecated way to handle passwords in PHP specifically. The new and proper way is to use password_hash, but if this is for a school assignment, you likely can’t use the real way this would be handled.

1 Like

Yes, but mostly it’s called VARCHAR in the database context.

Yes, PHP does this for you:

If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.

1 Like
Sponsor our Newsletter | Privacy Policy | Terms of Service