Hashing and String escaping

[Gyohdon]

Is mysql_real_escape_string still needed after hashing a password?Surely a hashed string can't start a SQL injection, right?And if not, does it matter in which order you escape string and hash the string? I'm guessing you would first have to hash, then escape it, but I want to make sure.Also, which hash is better, MD5 or SHA1?I read on wikipedia that both of them were 'broken'. Is there a php function for SHA2?Thanks in advance.

[justsomeguy]

It depends on the hash function, but if it only outputs hex or alphanumeric characters then you don't need to escape that. There's no reason to use MD5 for anything, SHA-1 should be fine to use for a lot of things for another few years. You can use this function to run a hash with any supported algorithm:http://www.php.net/manual/en/function.hash.php

[Gyohdon]

It depends on the hash function, but if it only outputs hex or alphanumeric characters then you don't need to escape that. There's no reason to use MD5 for anything, SHA-1 should be fine to use for a lot of things for another few years. You can use this function to run a hash with any supported algorithm:http://www.php.net/manual/en/function.hash.php

So, storing a password like "hash($password,sha512)" and then inserting it in a database is good enough?Because I've been looking up on it and it seems most codes add whole functions to secure their passwords, using 'salts', which I don't know the meaning of.Is that all really important?

[boen_robot]

A "salt" is a random string you append to the originally supplied password before hashing it. It ensures that even if two users use the same password (and therefore would have the same hash without salt), their hashes would be different, and therefore an attacker would have to crack them one by one. For the sake of successful login, you need to store the hash in the DB alongside the hash.sha512 is better, but keep in mind it takes more space, and is not THAT much better currently. A few years from now (after a few more CPU generations) the difference might matter more.

[Fmdpa]

I wouldn't consider using md5 for password storage. I've heard of people cracking it in three days (and by three days, I assume that means their computer was running through a loop for three days). As computers get faster, that three days could become 5 hours. It's just too much of a risk.

[Gyohdon]

Ok, so I have another question regarding hashing.How do I decode a hashed password?Say, someone lost his/her account's password, and I want to send it to him/her. How do I decode the hash so they see their password and not "h5uin6k45n7io4n7oi46nh7io46ionjh8ip6" ?I've used hash("sha512", password) to hash the passwords.

[jeffman]

You do not decode a hash. That's the point. What you do is hash the user's login password using the same technique (including the same salt, if you used a salt). The algorithms are designed to produce the same hash from the same input. So you compare the NEW hash with the STORED hash.

[Gyohdon]

You do not decode a hash. That's the point. What you do is hash the user's login password using the same technique (including the same salt, if you used a salt). The algorithms are designed to produce the same hash from the same input. So you compare the NEW hash with the STORED hash.

Yes, that's to login.However, if someone forget's their password, I wanted to send it to them.But I've looked it up on google now, seems I'll just have to send a random password back at them.

[birbal]

Ok, so I have another question regarding hashing.How do I decode a hashed password?Say, someone lost his/her account's password, and I want to send it to him/her. How do I decode the hash so they see their password and not "h5uin6k45n7io4n7oi46nh7io46ionjh8ip6" ?I've used hash("sha512", password) to hash the passwords.

you dont need to send password..instead of that you gave your user a chance to change their password with new one..i think..

[jeffman]

You have probably joined sites that really do send you a copy of your password when you lose it. They are using bad security. There was no hash involved. They just stored the actual text.You have probably also joined sites that, on request, send a temporary password to the email address you provided when you joined. Only the correct user receives the temp password. If someone pretends to be you, they would also need access to your email to get the new password. So that technique is pretty secure. (Assuming your would-be hacker is not also sitting at your computer!)