php - Efficiently checking a hashed password from database -


firstly have tried best find definitive answer on this. secondly, code appears work, want confirm doing in efficient manner , not leaving myself open security breaches.

firstly, use php password_hash when adding user admin table;

$stmt = $dbh->prepare("insert admin (username, password) values (:username, :password)"); $stmt->bindparam(':username', $username); $stmt->bindparam(':password', $password);  $password = password_hash('password', password_default);

secondly, when user attempts login, retrieve users admin table matching username only, couldn't see way check hash during query (this part unsure if there better way), , define $password variable post input;

$stmt = $dbh->prepare("select * admin username = :username");     $stmt->bindparam(':username', $username);     $username = $_post['username'];     // define $password use in password verify     $password = $_post['password'];

thirdly, if there result query, run password_verify on user input check match, , branch depending on true or false.

if ($row = $stmt->fetch(pdo::fetch_assoc)) {             if (password_verify($password, $row['password'])) {                 session_start();                 foreach ($row $user) {                     $_session['user'] = $row['id'];                 }             } else {                 $errors = true;             }                                    header('location: leads.php');         }         else {             $errors = true;         }

i know there many different ways hash / secure passwords, using native password_hash functions way decided go, question have done right / there better way?

thanks in advance.

basically, code looks quite okay, except things mentioned. ask improvements, performance related ones, here go:

  • add index on username

  • if table gets lot of entries, remove index username, add new column called hash index , rewrite insert , select this:

    insert admin (username, password, hash) values (:username, :password, crc32(username))

    select * admin username = :username , hash=crc32(:username)

i assume, use mysql, adding limit 1 query helps optimizer , stops searching after row found.

avoiding foreach-loop possible, if work 1 row.

btw: header('location: leads.php'); should read header('location: leads.php'); , using absolute paths makes things more robust.


Comments

Post a Comment

Popular posts from this blog

Magento/PHP - Get phones on all members in a customer group -

i working on custom magento extension. working around adminhtml part , i've created custom form there. here form code: <?php class vivasindustries_smsnotification_block_adminhtml_sms_sendmass_edit_form extends mage_adminhtml_block_widget_form { public function _preparelayout() { $extensionpath = mage::getmoduledir('js', 'vivasindustries_smsnotification'); $head = $this->getlayout()->getblock('head'); $head->addjs('jquery.js'); $head->addjs('vivas.js'); return parent::_preparelayout(); } protected function _prepareform() { $form = new varien_data_form(array( 'id' => 'edit_form', 'action' => $this->geturl('*/*/save', array('id' => $this->getrequest()->get
Read more

php - .htaccess mod_rewrite for dynamic url which has domain names -

i want convert url ex:( example.com/link.php?url=facebook.com ) ( example.com/facebook.com.php ) how can using .htaccess. or there other process make job easier ? i tried adding script .htaccess file options +followsymlinks rewriteengine on rewriterule url-(.*)\.htm$ link.php?url=$1 but converting url adding "url-" ( example.com/url-facebook.com.php ) i want remove "url-" , want make ( example.com/facebook.com.php ) rewriteengine on rewritecond %{the_request} ^get.*link\.php\?url\= [nc] rewritecond %{request_uri} !/system/.* [nc] rewriterule (.*?)link\.php\?url\=/*(.*) /$1$2 [r=301,ne,l] not sure how above work edit of used use remove index.php url
Read more

Website Login Issue developed in magento -

i have website developed using magento . able login. right now, login failed. infact operations interacts user table failing. need know issue. how figure out? first clear try clear log file second make sure have not upgraded magento and 3rd make sure db accessible in magento -harry p
Read more