First off, what is hashing? In short, hashing is a method of encrypting data into what appears to be an illegible string. There are various forms of hashing, the most popular of which in PHP is MD5. MD5 is an open source hashing algorithm that is widely implemented today. Other hashing algorithms include the SHA series and the UNIX DES-based crypt, as well as many others.
Why should we use hashing? We should hash any data that we do not wish to be viewed by anybody who accesses the database. This could be anyone from normal day to day users who maintain the database to hackers who managed to get your table contents using SQL injection. With a successful hash, the individual who accesses the hashed field will be unable to reverse the string to its original form. This leads to more secure data. One of the main uses of hashing that you'll be implementing on a day to day basis involves the hashing of user passwords. That is what we'll be focused on in this tutorial.
As we'll see, hashing is extremely easy in PHP and can improve your data security by leaps and bounds.
One of the more widely used hashing algorithms is MD5. It was developed by Professor Ronald L. Rivest of MIT in 1991. It is a 128-bit encryption algorithm that hashes data into a 32-digit hexadecimal number. More information can be found here. If you are feeling extremely adventurous you can also check out the source code for the MD5 algorithm here.
Let's say that we wanted to encrypt a user's password after the account was generated, and then insert it into our database. We would simply call the md5() function like so:
<?php
$password = $_POST['password'];
$hash = md5($password);
?>
We could then store the hashed result in our database. When the user logs on, we simply have to hash the password that was entered, compare it against the hashed password in the database, and allow the user to continue if the hashes match.
The same technique above could be used for hashing with the SHA hash. There are 5 different SHA functions: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. We will be using SHA-1 for this tutorial. The SHA (Secure Hash Algorithm) was developed by the NSA. To read more, just check out the Wikipedia article.
We'll use the same technique above for hashing, but this time we'll use the sha1() function. The resulting code is:
<?php
$password = $_POST['password'];
$hash = sha1($password);
?>
That's all you need to do for SHA-1 hashing.
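PHP's sha1() covers only SHA-1; the other SHA variants listed above are reached through the generic hash() function, which takes the algorithm name as a string. The following is an added example, not code from the tutorial, that hashes one string with every member of the family and reports the digest length of each, so you can see why the SHA-224/256/384/512 names carry the number they do. The function name shaDigests and the sample string are my own choices.

```php
<?php
// Added example (not from the original tutorial): hash a string with each SHA
// variant named in the text via hash(), which accepts the algorithm name.
// Returns, per algorithm, the hex digest and its length in bits.
function shaDigests(string $data): array
{
    $results = [];
    foreach (['sha1', 'sha224', 'sha256', 'sha384', 'sha512'] as $algo) {
        // hash_algos() lists the algorithms this PHP build was compiled with
        if (!in_array($algo, hash_algos(), true)) {
            continue;
        }
        $hex = hash($algo, $data);
        $results[$algo] = [
            'hex'  => $hex,
            'bits' => strlen($hex) * 4, // one hex digit encodes 4 bits
        ];
    }
    return $results;
}

// hash('sha1', ...) and sha1(...) produce the same digest; the convenience
// wrapper and the generic call are interchangeable for SHA-1.
function sha1MatchesGenericHash(string $data): bool
{
    return hash_equals(sha1($data), hash('sha1', $data));
}

// Constructed sample input
$sample = 'I love to Dream In Code';
foreach (shaDigests($sample) as $algo => $info) {
    echo str_pad($algo, 7) . ' (' . $info['bits'] . ' bits): ' . $info['hex'] . "\n";
}
echo 'sha1() agrees with hash("sha1"): ' . var_export(sha1MatchesGenericHash($sample), true) . "\n";
```

The number in each algorithm's name is the digest size in bits, which is what the 'bits' entry reports; SHA-1 is the odd one out at 160 bits (40 hex digits).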
The final hash function that I have to discuss is the crypt() function, which is based on the standard Unix DES-based encryption algorithm. The PHP Manual has a great write-up on the function. For fear of becoming redundant, here is our code.
<?php
$password = $_POST['password'];
// crypt() takes the plaintext password, not the (still undefined) $hash.
// Note: from PHP 8.0 the second (salt) argument to crypt() is required.
$hash = crypt($password);
?>
When reading about hash techniques you may have come across a term known as 'salting'. Salting your hash is a great way of adding that extra layer of security to your passwords. In a nutshell, all salting does is mix random data in with the password before hashing. One easy way of doing this is to simply concatenate your password with your salt. You want your salt to be random, so don't use any actual words. Typically you would hold your salt in a separate file and include it, but for demonstration's sake we're just going to put the variable in the same script.
<?php
$salt = "4lkc745";
$password = $_POST['password'];
$password .= $salt; // You could also do $password = $salt . $password if you want your salt in front
$hash = md5($password);
?>
Important: If you salt your hashes, make sure that you include the salt when you check against a user's login as well. Otherwise the hashes won't match. Also, and this is probably even more important, do not change your salt once everything's been hashed. You will not be able to recover your hashes if you change the salt and forget what it's supposed to be. You will have to go back and reset every password, which won't lead to happy customers.
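The two halves of the flow described earlier (hash at registration, re-hash and compare at login) and the warning just above (the login check must use the very same salt) are easiest to see together. The following is an added example, not code from the tutorial: it keeps a random salt next to each stored hash so the login check can recombine it, compares with hash_equals() so the comparison runs in constant time, and then shows what happens to the check once the salt is changed. The names makeSaltedRecord, verifySaltedRecord and SALT_BYTES, the choice of SHA-256 via hash(), and the sample passwords are my own.

```php
<?php
// Added example (not code from the tutorial): registration and login checks
// with a per-user random salt stored alongside the hash.

const SALT_BYTES = 16; // 16 random bytes -> 32 hex characters of salt

// "Register": make a fresh random salt, hash salt + password, and return the
// three fields to store in the users table.
function makeSaltedRecord(string $password, string $algo = 'sha256'): array
{
    $salt = bin2hex(random_bytes(SALT_BYTES)); // random, never a dictionary word
    return [
        'algo' => $algo,
        'salt' => $salt,
        'hash' => hash($algo, $salt . $password), // salt in front, as the text allows
    ];
}

// "Login": rebuild the hash from the stored salt and the submitted password.
// The salt must be the one stored with this record; any other salt gives a
// different digest and the login fails even with the right password.
function verifySaltedRecord(array $record, string $password): bool
{
    $candidate = hash($record['algo'], $record['salt'] . $password);
    // hash_equals() does not stop at the first differing byte, so the time it
    // takes does not reveal how much of the hash matched.
    return hash_equals($record['hash'], $candidate);
}

// Constructed demo: $stored stands in for one row of the users table.
$stored = makeSaltedRecord('correct horse');
echo "stored record: " . json_encode($stored) . "\n";
echo "right password: " . var_export(verifySaltedRecord($stored, 'correct horse'), true) . "\n";
echo "wrong password: " . var_export(verifySaltedRecord($stored, 'wrong horse'), true) . "\n";

// Changing the salt after the hash was stored, which the text warns against:
// same password, different salt, different digest, so the check no longer passes.
$changed = $stored;
$changed['salt'] = bin2hex(random_bytes(SALT_BYTES));
echo "right password after salt change: "
    . var_export(verifySaltedRecord($changed, 'correct horse'), true) . "\n";
```

Because the salt is stored with the hash rather than in a shared include file, each user gets a different one, and a leaked table gives an attacker no single value that unlocks every row at once. For production code, PHP 5.5 and later ship password_hash() and password_verify(), which generate and store the salt for you and use a deliberately slow algorithm; the hand-rolled version here exists to make the salt handling visible.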
We've covered several topics with this tutorial. This is a pretty hot topic and I'm sure people feel very strongly about which encryption technique is best. I would love to hear everybody's opinion. As usual, comments and corrections are welcome. Finally, I leave you with a sample piece of code that takes a string, runs it through all three hashes, then salts it and displays the hashes again. This way you can see how varied the hashes are. Take care.
<?php
$string = "I love to Dream In Code";
echo "Normal: " . $string . "<br><br>";
echo "MD5: " . md5($string) . "<br>";
echo "SHA1: " . sha1($string) . "<br>";
// Note: from PHP 8.0 crypt() requires its second (salt) argument.
echo "crypt: " . crypt($string) . "<br><br>";

// Append the salt and hash the salted string again
$salt = "kilzoka";
$string = $string . $salt;
echo "Salted: " . $string . "<br>";
echo "MD5: " . md5($string) . "<br>";
echo "SHA1: " . sha1($string) . "<br>";
echo "crypt: " . crypt($string) . "<br><br>";
?>