How to apply password_hash for use of SELECT, INSERT and UPDATE?

1

I know password_hash works like this:

string password_hash ( string $password , integer $algo [, array $options ] )

1 - But I wanted to know how I can apply password_hash in these cases:

$check = mysql_query("SELECT 'id' FROM 'database'.'user' 
WHERE 'password' = '".$password."'") or die(mysql_error());

$insert = mysql_query("INSERT INTO 'database'.'user'('username','password','email')
VALUES ('".$username."','".$password."','".$email."')") or die(mysql_error());

$update = mysql_query("UPDATE 'database'.'user' SET 'password' = '".$newpassword."' 
WHERE 'password' = '".$oldpassword."'") or die(mysql_error());

2 - After applying password_hash will I still need mysql_real_escape_string ?

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$email = mysql_real_escape_string($_POST['email']);
    
asked by anonymous 25.05.2014 / 01:51

2 answers

6

First of all, I recommend reading this question:

  

How to safely have password hash?


Here are two examples of password_hash using mysqli and bind_param , without the need to do any kind of escape manually.

  

bind param already escapes values automatically:


Password storage example with password_hash:

$mysqli = new mysqli( 'enderecodoservidor', 'usuario', 'senha', 'basededados' );

$usuario = $_POST['usuario'];
$hash    = password_hash( $_POST['senha'], PASSWORD_DEFAULT );

$query = 'INSERT INTO usuarios ( nome, hash) VALUES ( ?, ? )';
$stmt = $mysqli->prepare( $query );
$stmt->bind_param("ss", $usuario, $hash );
$stmt->execute();


Password update example with password_hash:

$mysqli = new mysqli( 'enderecodoservidor', 'usuario', 'senha', 'basededados' );

$usuario = $_session['usuario']; // ou idusuario, depende como voce mantem o login
$hash    = password_hash( $_POST['novaSenha'], PASSWORD_DEFAULT );

$query = 'UPDATE usuarios SET hash= ? WHERE nome = ? '; // ou WHERE id = ?
$stmt = $mysqli->prepare( $query );
$stmt->bind_param("ss", $hash , $usuario ); // ou ("si", $hash, $idUsuario)
$stmt->execute();


Password verification example with password_hash:

$mysqli = new mysqli( 'enderecodoservidor', 'usuario', 'senha', 'basededados' );

$usuario = $_POST['usuario'];
$idUsuario = 0;

$query = 'SELECT id, hash FROM usuarios WHERE nome = ?';
$stmt = $mysqli->prepare( $query );
$stmt->bind_param("s", $usuario );
$stmt->execute();

$stmt->bind_result( $idUsuario, $hash );
$stmt->fetch();

if ( password_verify( $_POST['senha'], $hash ) ) {
   echo 'Logado';
} else {
   echo 'Usuario e/ou senha invalidos';
}
  

Leave a varchar () field wide enough for the hash of the password, so as not to run the risk of truncating the data.

See in this post how to update the hash of passwords automatically with new PHP versions:

  

link

    
25.05.2014 / 07:24
2

$password = password_hash($password);
$check = mysql_query("SELECT 'id' FROM 'database'.'user' 
WHERE 'password' = '".$password."'") or die(mysql_error());

$password = password_hash($password);
$insert = mysql_query("INSERT INTO 'database'.'user'('username','password','email')
VALUES ('".$username."','".$password."','".$email."')") or die(mysql_error());

$password = password_hash($password);
$oldpassword = password_hash($oldpassword);
$update = mysql_query("UPDATE 'database'.'user' SET 'password' = '".$newpassword."' 
WHERE 'password' = '".$oldpassword."'") or die(mysql_error());

Note: In my understanding I would use filter_vars or filter_input instead of those mysql_real_escape_string and also instead of using deprecate password_hash use the PDO or Mysqli , because it will be discontinued in newer versions of PHP , for various reasons one of them is security !!!

In this answer has a good also explanation on the Mysql part .

    
25.05.2014 / 02:03