Hi,
I am now creating a SHA-2 login form. After researching and asking for help online, I find the example code from the link below quite useful and practical (I hope I am right!?). The only thing I don't understand is the way this programmer wrote the function and how to get the salt value back from the function.
http://hungred.com/useful-information/php-better-hashing-password/
define('SALT_LENGTH', 15);

function HashMe($phrase, &$salt = null)
{
    $pepper = '!@#$%^&*()_+=-{}][;";/?<>.,';
    if ($salt == '')
    {
        $salt = substr(hash('sha512', uniqid(rand(), true) . $pepper . microtime()), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return hash('sha512', $salt . $pepper . $phrase);
}
What is the difference if I change the function to this?
function HashMe($phrase, $salt) {..}
Of course this function will fail. What is the '&' before $salt for? Is it necessary to have 'null' like this: &$salt = null? What if I just put '&$salt'?
And then, to get the salt value, you can just take it straight from the function and put it in the SQL query like below:
$username = cleanMe($_POST['username']);
$password = cleanMe($_POST['password']);
$salt = '';
$hashed_password = HashMe($password, $salt);
$sqlquery = 'INSERT INTO `usertable` (`username`, `password`, `salt`) VALUES ("'.$username.'", "'.$hashed_password.'", "'.$salt.'")';
..
How can I get the salt value from the function like this below, before preparing the SQL query?
$salt = "'".$salt."'";
$username = "'".$username."'";
$hashed_password = "'".$hashed_password."'";
Then,
$sqlquery = "INSERT INTO `usertable` (`username`, `password`, `salt`) VALUES ($username, $hashed_password, $salt)";
The reason I don't like/want to have this "'" in my SQL query is that I sometimes have a null value, like $firstname = 'NULL';, and I want the row to 'tick' the empty field as NULL if the firstname is empty/null.
Besides, having "'" in my SQL query makes me dizzy and makes it difficult to debug when things go wrong...
Sorry, I have lots of questions in this thread!
Thanks.
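As an added example (not code from the original post or from hungred.com), here is the same HashMe() with a caller that shows what the '&' does at registration and at login, plus a prepared statement in place of the hand-quoted INSERT so that NULL columns need no manual "'" wrapping. The in-memory SQLite PDO connection is an assumption; any PDO driver binds the same way.

```php
<?php
// Added example, not the post's or hungred.com's own code.
define('SALT_LENGTH', 15);

function HashMe($phrase, &$salt = null)
{
    $pepper = '!@#$%^&*()_+=-{}][;";/?<>.,';
    if ($salt == '') {
        // No salt supplied: generate one and hand it back to the caller
        // through the reference parameter (that is what the '&' is for).
        $salt = substr(hash('sha512', uniqid(rand(), true) . $pepper . microtime()), 0, SALT_LENGTH);
    } else {
        // Salt supplied (login): reuse it so the same hash is recomputed.
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return hash('sha512', $salt . $pepper . $phrase);
}

// Registration: $salt starts empty, so HashMe() fills it in.
$salt   = '';
$hashed = HashMe('correct horse', $salt);
echo "generated salt: $salt\n";   // non-empty only because of the '&'
// Without the '&' (or with the '= null' default removed and nothing passed),
// $salt would still be '' here and the row would store no salt.

// Login: pass the salt stored for the user; compare in constant time.
$stored_salt = $salt;
$ok = hash_equals($hashed, HashMe('correct horse', $stored_salt));
echo $ok ? "password matches\n" : "password rejected\n";

// Storing the row: placeholders instead of manual quoting.
// Assumption: pdo_sqlite is available; MySQL via PDO works identically.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE usertable (username TEXT, password TEXT, salt TEXT, firstname TEXT)');
$stmt = $pdo->prepare('INSERT INTO usertable (username, password, salt, firstname) VALUES (?, ?, ?, ?)');
$firstname = null;   // a PHP null binds as SQL NULL, not the string 'NULL'
$stmt->execute(['alice', $hashed, $salt, $firstname]);

$row = $pdo->query('SELECT salt, firstname IS NULL AS fn_null FROM usertable')->fetch(PDO::FETCH_ASSOC);
echo "stored salt: {$row['salt']}, firstname is NULL: {$row['fn_null']}\n";
// Note: this keeps the post's SHA-512 scheme to answer the '&' question;
// for new code, PHP's password_hash()/password_verify() are the standard choice.
```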