Thread: PHP script help

  1. #1

    PHP script help


    Guys, I have a script here that creates an account in a file and then updates the database..

    My problem is how to change the password..

    Here is the script:

    ---------------------


    $acc = fread($f,7124);
    $demoid=substr($acc,0,$userlenght);
    $demopass=substr($acc,52,32);
    $acc = str_replace($demoid,$UserID,$acc);
    $acc = str_replace($demopass,$password2,$acc);
    // echo $accdir."\\".$initial."\\".$UserID;
    $f2=fopen($accdir."\\".$initial."\\".$UserID.".tad ", "a");
    fwrite($f2,$acc);
    fclose($f2); // close the newly written account file as well
    fclose($f);
    echo "<div align='center'><img src='imagenes/bienvenido.jpg' border='0'/></div><br>
    <FONT FACE='arial' SIZE=3 COLOR=red>T&uacute; Account has been registered successfully!.</FONT>";


    mssql_query("INSERT INTO Account VALUES ('$Email', '$UserID', '$Password' , '$UserKey', '0')");
    mssql_query("DECLARE @return_value int,

    ------------------------------

  2. #2

    Re: PHP script help

    Here you go, bro.
    Creating an Advanced Password Recovery Utility | Nettuts+

    Although this tutorial is quite old and is still using MD5 hashing, you can use the following functions if you are using PHP 5 and up. Using the Crypt function is recommended, but the latest PHP version also has a new password hashing function. If you are using older versions of PHP you can use some password hashing framework like (Portable PHP password hashing ("password encryption") framework).



    /** Function for Password Hashing using PHP Crypt Function
    * Use this function in hashing the User password before storing to database
    * @param $password
    * @return string $hashedPassword
    */
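    protected function hash_password($password)
    {
        // Without a salt argument crypt() produces a weak hash (E_NOTICE since PHP 5.6);
        // PHP 8 requires the salt to be passed explicitly.
        $hashedPassword = crypt($password);
        return $hashedPassword;
    }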



    /**Checking the user input password against the hashed password stored in the database upon account creation
    * Used in checking user Login
    * @param $passwordinputfromuser User Input Password from login form
    * @param $hashedPasswordfromDatabase
    * @return bool
    */
    protected function check_password($passwordinputfromuser, $hashedPasswordfromDatabase)
    {
        // Re-hash the input using the stored hash as the salt, then compare strictly.
        return crypt($passwordinputfromuser, $hashedPasswordfromDatabase) === $hashedPasswordfromDatabase;
    }


    Here are some Safe Password hashing information from the PHP Manual Website (http://php.net/manual/en/faq.passwords.php):

    Why should I hash passwords supplied by users of my application?

    Password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in your application's database can be stolen if the database is compromised, and then immediately used to compromise not only your application, but also the accounts of your users on other services, if they do not use unique passwords.

    By applying a hashing algorithm to your user's passwords before storing them in your database, you make it implausible for any attacker to determine the original password, while still being able to compare the resulting hash to the original password in the future.

    It is important to note, however, that hashing passwords only protects them from being compromised in your data store, but does not necessarily protect them from being intercepted by malicious code injected into your application itself.


    Why are common hashing functions such as md5() and sha1() unsuitable for passwords?

    Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.

    Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.


    How should I hash my passwords, if the common hash functions are not suitable?

    When hashing passwords, the two most important considerations are the computational expense, and the salt. The more computationally expensive the hashing algorithm, the longer it will take to brute force its output.

    There are two functions that are bundled with PHP that can perform hashing using a specified algorithm.

    The first hashing function is crypt(), which natively supports several hashing algorithms. When using this function, you are guaranteed that the algorithm you select is available, as PHP contains native implementations of each supported algorithm, in case one or more are not supported by your system.

    The second hashing function is hash(), which supports many more algorithms and variants than crypt(), but does not support some algorithms that crypt() does. The Hash extension is bundled with PHP, but can be disabled during compile-time, so it is not guaranteed to be available, while crypt() is, being in the PHP core.

    The suggested algorithm to use when hashing passwords is Blowfish, as it is significantly more computationally expensive than MD5 or SHA1, while still being scalable.


    What is a salt?

    A cryptographic salt is data which is applied during the hashing process in order to eliminate the possibility of the output being looked up in a list of pre-calculated pairs of hashes and their input, known as a rainbow table.

    In more simple terms, a salt is a bit of additional data which makes your hashes significantly more difficult to crack. There are a number of services online which provide extensive lists of pre-computed hashes, as well as the original input for those hashes. The use of a salt makes it implausible or impossible to find the resulting hash in one of these lists.
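
An added example, not part of either post: the salted, cost-tunable Blowfish hashing described in the manual excerpt above, applied to the password change asked about in post #1. The function names and the sample row are hypothetical, and it assumes PHP 7+ for random_bytes().

```php
<?php
// Added example, not from the thread; function names are hypothetical.

// Hash with crypt() using an explicit Blowfish ($2y$) salt and cost factor.
function hash_password_bcrypt(string $password, int $cost = 10): string
{
    // A bcrypt salt is 22 characters from the alphabet ./A-Za-z0-9.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    if (strlen($hash) !== 60) { // crypt() returns "*0" or "*1" on failure
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Re-hash the attempt with the salt and cost embedded in the stored hash,
// then compare in constant time.
function check_password_bcrypt(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// Change-password flow: verify the current password, then store a fresh hash.
// $account is a constructed stand-in for one row of the Account table.
function change_password(array $account, string $current, string $new): array
{
    if (!check_password_bcrypt($current, $account['Password'])) {
        throw new InvalidArgumentException('current password is wrong');
    }
    $account['Password'] = hash_password_bcrypt($new); // new random salt
    return $account;
}

// Constructed sample data.
$row = ['UserID' => 'demo', 'Password' => hash_password_bcrypt('old-secret')];
$row = change_password($row, 'old-secret', 'new-secret');

echo 'new password accepted: ';
var_dump(check_password_bcrypt('new-secret', $row['Password']));
echo 'old password accepted: ';
var_dump(check_password_bcrypt('old-secret', $row['Password']));
// The same password hashed twice gets two salts, so the outputs differ.
echo 'two hashes of one password equal: ';
var_dump(hash_password_bcrypt('x') === hash_password_bcrypt('x'));
// password_verify() (PHP 5.5+) accepts the same $2y$ hashes.
echo 'password_verify agrees: ';
var_dump(password_verify('new-secret', $row['Password']));
```

When writing the new hash back to the database, bind it as a query parameter instead of interpolating it into the SQL string.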
