tags:

views:

73

answers:

1
Q: 

Salting in PHP and MySQL

I have been developing a login library for a website using CodeIgniter. The authentication code is as follows:

function signin($username, $password)
{
    $CI =& get_instance();
    $query_auth=$this->db->query('SELECT user_id, banned FROM user WHERE username=? AND password=SHA1(CONCAT(?,salt)) LIMIT 1', array($username, $password));

    if($query_auth->num_rows()!=1)
        return 2;
    else
    {
        if($query_init->row()->banned==1)
            return 3;
        else
        {
            $CI->load->library('session');
            $this->session->set_userdata('gauid', $query_auth->row()->user_id);
            return 1;
        }
    }
}

The return values signifying success, failure or banned. Each user has a unique salt stored in the database.

Originally i grabbed the salt from the database, combined the users inputted password and salt from the database in PHP, then queried the database again with the combined value. I thought that this would speed things up as only one trip to the database is required and there is less code. I also thought that it would be equally secure, however after reading the top reponse to this question http://stackoverflow.com/questions/3273293/salting-my-hashes-with-php-and-mysql ...

First of all, your DBMS (MySQL) does not need to have any support for cryptographic hashes. You can do all of that on the PHP side, and that's also what you should do.

...I started to wonder if there was a security problem i had neglected to spot.

Is there actually anything wrong this code?

+2  A: 

Not anything wrong per se. Keep in mind any traffic carrying the unencrypted/unhashed password is suspect. So, for instance, when the server is a remote one, and not working with encryption in communicating with that server, it is yet another moment to try to intercept a password. Also, if queries are logged somewhere (either by default, or because they're slow), you have a plain password + the salt you're using sitting in those serverlogs, after all the trouble you went through NOT to store a plaintext password somewhere. If you did it privately in your own code, that wouldn't happen.

It all depends on how paranoid you like to be. There are far easier to abuse and often forgotten evils, like session-fixation.

Wrikken  2010-07-19 19:31:41
Sorry, pet peeve on per se. :)
Joseph Mastey  2010-07-19 19:33:06
As long as you're thinking through security issues like this already, I wouldn't call the logging of all password attempts in plaintext as a minor thing. Otherwise agreed as above.
Joseph Mastey  2010-07-19 19:34:48
hashing!= encryption
Rook  2010-07-19 19:36:19
@Joseph: now it's OK :)
Amnon  2010-07-19 19:49:55
Wrikken  2010-07-19 19:51:04

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL