These are some of the features that I use to encrypt passwords and verify passwords. It was interesting if this is a good way to handle this. I am using frameworkignign framework.
This is the "encrypt" function:
function crypt_pass( $input ){
$salt = substr(sha1(date('r')), rand(0, 17), 22);
$cost = 10;
$hash = '$2y$' . $cost . '$' . $salt;
$pw_and_salt['pw'] = crypt($input, "$hash");
$pw_and_salt['salt'] = $salt;
return $pw_and_salt;
}
I store both the password and the salt in my database. Here is the login function:
function login(){
$this->db->select('salt');
$salt = $this->db->get_where('users', array('username' => $this->input->post('username') ) )->row();
$where = array(
'username' => $this->input->post('username'),
'password' => crypt( $this->input->post('password'), '$2y$10$' . $salt->salt),
);
$user = $this->db->get_where('users', $where)->first_row();
if (!$user) {
return FALSE;
}else{
if(!empty($user->activation)){
return 2;
}else if($user && empty($user->activation)){
$this->session->set_userdata('id',$user->id);
$this->session->set_userdata('username',$user->username);
$this->session->set_userdata('first_name',$user->first_name);
return 1;
}
}
}
Am I implementing this correctly? How safe is it?
VERSION 2: DO NOT SAVE THE SALT, CALLING OUT THE PASSWORD IN THE BLOCK INSTEAD OF:
function login(){
$this->db->select('password');
$pw = $this->db->get_where('users', array('username' => $this->input->post('username') ) )->row();
$where = array(
'username' => $this->input->post('username'),
'password' => crypt( $this->input->post('password'), $pw->password),
);
$user = $this->db->get_where('users', $where)->first_row();
if (!$user) {
return FALSE;
}else{
if(!empty($user->activation)){
return 2;
}else if($user && empty($user->activation)){
$this->session->set_userdata('id',$user->id);
$this->session->set_userdata('username',$user->username);
$this->session->set_userdata('first_name',$user->first_name);
return 1;
}
}
}