Security upgrade from mcrypt_create_iv 2020

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!


MistaKistHur88
New php-forum User
Posts: 21
Joined: Sat Feb 22, 2020 9:18 am

Tue Feb 25, 2020 1:21 am

What's the best way to upgrade this script to the latest security standards in 2020?
mcrypt_create_iv() is now deprecated & the tutorial that I have been copying login/registration
info from is from 2013. All the other information is great & has helped me learn OOP
very quickly, however the security standards have moved on since then & I am
stuck on episode 14. Comments in the video suggested using bin2hex(16) to replace the old function,
but I'm sure there is a better way. I tried openssl_random_pseudo_bytes(32)
but I don't think my database can handle this information correctly even though I have the
charset/encoding set to utf8mb4_general_ci which should be able to handle nearly all characters.

Reading this question: https://stackoverflow.com/questions/412 ... lternative
has left me with more questions than answers & I'm fairly
sure all the information contained in here is also out of date.

Code:

<?php
  class Hash{
      public static function make($string, $salt =''){
          // hash()'s third argument is the binary-output flag, not a salt;
          // the salt has to be appended to the input so it affects the digest.
          return hash('sha256', $string . $salt);
      }
      public static function salt($length){             // ::>> mcrypt is now deprecated trying openssl..
          // openssl_random_pseudo_bytes() returns raw bytes; bin2hex() makes them
          // safe to store in a text column. Honour the requested $length.
          return bin2hex(openssl_random_pseudo_bytes($length));
       // return mcrypt_create_iv($length);
       // tried bin2hex(32);
      }
      public static function unique(){
          return self::make(uniqid());
      }
  }
Found this question also https://stackoverflow.com/questions/204 ... -php-mysql
but again this is over 10 years old. Can anyone add links or docs for what to do in February 2020?
Also which algorithm should I be using for the salt?

Any help or links would be greatly appreciated.

Can't search this forum by date as far as I'm aware, so a bit lost until I find other answers.
Answers that I'm looking into or further researching are
PBKDF2, bcrypt or scrypt.

Interesting questions to read listed below:
https://crypto.stackexchange.com/questi ... 2-4-in-php
https://crypto.stackexchange.com/questi ... rypto-sign
https://crypto.stackexchange.com/questi ... -algorithm

I've not found an answer yet, but I have got data to submit to the DB which is a step forward, however my
salt is only 4 characters long for some reason? Using bin2hex(64);

Also this code block is not producing different results for each iteration; tested in my DB registering two users with different names but identical passwords, both hashes are exactly the same in the DB & as far as I am aware this is undesirable.

The PHP docs suggest using random_bytes() but I'm fairly sure there's gotta be a stronger alternative to this? Can anyone help?

Maybe

Code:

<?php
// bin2hex() of 128 random bytes gives a 256-character hex string; keep the first 32.
$_string = bin2hex(openssl_random_pseudo_bytes(128));
$string  = substr($_string, 0, 32);

Any suggestions?
hyper
php-forum GURU
Posts: 979
Joined: Mon Feb 22, 2016 5:52 pm

Tue Feb 25, 2020 11:02 am

Use password_hash to store and password_verify to verify.

run this:-

Code:

<?php

$pwrd='password_hash';

for ($i = 0; $i < 10; $i++){
  echo password_hash($pwrd, PASSWORD_DEFAULT), '<br>';
}
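As an added example (not code from either post), here is how the old sha256+salt records produced by the Hash class above can be migrated to password_hash()/password_verify() on login, with password_needs_rehash() keeping future hashes current. The $users array stands in for the database table, and the 'hash', 'salt' and 'scheme' keys are assumed column names.

```php
<?php
// Added example: verify legacy sha256+salt rows, then transparently upgrade them
// to password_hash(). $users is a constructed stand-in for the DB table; the
// 'hash', 'salt' and 'scheme' keys are assumed column names.
declare(strict_types=1);

function legacyHash(string $password, string $salt): string {
    // The 2013 tutorial's scheme: sha256 over password . salt.
    return hash('sha256', $password . $salt);
}

function register(array &$users, string $name, string $password): void {
    // PASSWORD_DEFAULT (bcrypt at present) generates and embeds its own random
    // salt, so two users with the same password get different stored hashes.
    $users[$name] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'scheme' => 'modern'];
}

function login(array &$users, string $name, string $password): bool {
    if (!isset($users[$name])) {
        return false;
    }
    $row = $users[$name];
    if ($row['scheme'] === 'legacy') {
        // Check against the old scheme in constant time, then upgrade the row.
        if (!hash_equals($row['hash'], legacyHash($password, $row['salt']))) {
            return false;
        }
        $users[$name] = ['hash' => password_hash($password, PASSWORD_DEFAULT), 'scheme' => 'modern'];
        return true;
    }
    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    // Rehash if PHP's default algorithm or cost has changed since this hash was made.
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: one legacy row from the old class, one new registration.
$salt  = bin2hex(random_bytes(16));
$users = ['alice' => ['hash' => legacyHash('hunter2', $salt), 'salt' => $salt, 'scheme' => 'legacy']];
register($users, 'bob', 'hunter2');

var_dump(login($users, 'alice', 'hunter2'));                  // alice's row is now 'modern'
var_dump($users['alice']['scheme']);
var_dump(login($users, 'alice', 'wrong'));
var_dump($users['alice']['hash'] !== $users['bob']['hash']);  // same password, different hashes
```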