CI Registration password encryption
#1

[eluser]GamingFusion[/eluser]
Ok, I am making a user system in CodeIgniter for my own use and I was wondering how I would encrypt the passwords of users when they create their account, and then be able to change their password afterwards. I have looked at the encryption class, and I'm not sure what encryption I should use for what I want to do: should I use just the standard encoding or use SHA1? If you know how I could use it, please post a sample script. I want it to be something like SMF or MyBB.

I will tell you that I do have validation on my form using password and passconf fields and a password database column.

Code:
$this->form_validation->set_rules('password', 'Password', 'required');
// the confirmation field has its own name (passconf); matches[] names the field it must equal
$this->form_validation->set_rules('passconf', 'Password Confirmation', 'required|matches[password]');

Thanks in advance
#2

[eluser]crispyslice[/eluser]
The best way of doing this is to take a hash (can also be salted for extra security) of the password and put that into the database. When you want to change the password, replace it with the hash of the new password. When logging in, you take the input (username and password) and compare the password the user gave with the hashed password:
Code:
// Query bindings (the second argument to $this->db->query()) escape $user and the hash,
// so user input is never concatenated into the SQL string
$sql = "SELECT * FROM users WHERE username = ? AND password = ?";
$query = $this->ci->db->query($sql, array($user, md5($pass)));
if($query->num_rows() > 0)
{
    // User exists
}
else
{
    // User does not exist
}

As for encryption ($this->encrypt->encode()) against hashing (sha1 or MD5), I would use the hashing. This is because encrypting is reversible, and if an attacker (somehow) got the key, they would be able to get all your users' passwords. Hashes are not reversible and so are more secure. Most people seem to prefer sha1 to MD5, but in my experience it doesn't really matter. I think that MD5 is faster than sha1, which is worse because it means a brute-force attack can be done faster. You should also count the number of times a user tries to log in, to account for these brute-force attacks.

ANOTHER thing to try is pre-built authentication libraries (see here). These take all of the authentication stuff away into a nice library with tons of prebuilt functions that are dead easy to use.

Hope this helps, there's a lot of info there and lots to digest! If you have any questions, feel free to post back or you can PM me.
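The register / log in / change-password flow described in the post above, as an added example that is not part of the original thread. It is plain PHP with PDO and an in-memory SQLite table so it runs stand-alone outside CodeIgniter; it swaps the post's md5() for password_hash()/password_verify() (PHP 5.5+, with the type hints PHP 7.1+), which add a random per-user salt and a deliberately slow hash. The table layout, the lockout limit of five failed logins and the user names are assumptions made for the example.

```php
<?php
// Added example (not from the thread): salted, slow password hashing for a users table.
// Assumptions: schema below, lockout after MAX_FAILED_LOGINS wrong passwords.

const MAX_FAILED_LOGINS = 5;   // assumed policy: refuse logins after 5 bad passwords

function open_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // `password` stores the bcrypt string ("$2y$10$..."), never the password itself
    $pdo->exec("CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password TEXT NOT NULL,
        failed_logins INTEGER NOT NULL DEFAULT 0)");
    return $pdo;
}

function register_user(PDO $pdo, string $username, string $password): void {
    // bcrypt picks a random salt per call and embeds it in the returned string,
    // so two users with the same password get different rows
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
    $stmt->execute([$username, $hash]);
}

function login_user(PDO $pdo, string $username, string $password): bool {
    // With per-user salts you cannot write WHERE password = hash($pass) as in the
    // md5() query above: fetch the row by username only, then verify in PHP.
    $stmt = $pdo->prepare("SELECT id, password, failed_logins FROM users WHERE username = ?");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend one hash so response time does not reveal
        // which usernames exist.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    if ((int) $row['failed_logins'] >= MAX_FAILED_LOGINS) {
        return false;   // locked: the brute-force counter the post recommends
    }

    if (!password_verify($password, $row['password'])) {
        $pdo->prepare("UPDATE users SET failed_logins = failed_logins + 1 WHERE id = ?")
            ->execute([$row['id']]);
        return false;
    }

    // Correct password: reset the counter and, if the stored hash uses an older
    // cost/algorithm than PASSWORD_DEFAULT now means, re-hash transparently.
    $newHash = password_needs_rehash($row['password'], PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $row['password'];
    $pdo->prepare("UPDATE users SET failed_logins = 0, password = ? WHERE id = ?")
        ->execute([$newHash, $row['id']]);
    return true;
}

function change_password(PDO $pdo, string $username, string $old, string $new): bool {
    // Changing a password is just: prove you know the old one, store a fresh hash of the new one
    if (!login_user($pdo, $username, $old)) {
        return false;
    }
    $pdo->prepare("UPDATE users SET password = ? WHERE username = ?")
        ->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return true;
}

// Constructed walkthrough
$pdo = open_db();
register_user($pdo, 'alice', 'correct horse battery');
var_dump(login_user($pdo, 'alice', 'wrong password'));
var_dump(login_user($pdo, 'alice', 'correct horse battery'));
var_dump(change_password($pdo, 'alice', 'correct horse battery', 'staple xkcd 936'));
var_dump(login_user($pdo, 'alice', 'correct horse battery'));
var_dump(login_user($pdo, 'alice', 'staple xkcd 936'));
var_dump(login_user($pdo, 'nobody', 'anything'));
```

In a CodeIgniter app the same two queries would live in a model (`$this->db->where('username', $user)->get('users')` followed by `password_verify()`), and the lockout counter should eventually be reset by an admin or a timer rather than staying permanent.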
#3

[eluser]GamingFusion[/eluser]
Ok, I get the logic of it, but I need help with actually doing it. I don't want people to write it for me, I won't learn that way, but a guide to help me with the coding aspect.
#4

[eluser]crispyslice[/eluser]
That's a good idea, I like your thinking ;-)

Here's a brief checklist of what you need to do:
- Set up a database and table for things like username, password and any other information you want to store (see here)
- Make a form for users to login (like http://example.com/auth/login, see here and here)
- Set up your site so that once a user logs in, he/she stays logged in (see here)

Of course, there are other things that need to be done, such as account registration, password resets, etc. I'd highly recommend looking into a pre-made auth library like the ones I linked to before. It makes things much easier and there's less to do, so it's a win-win situation.
#5

[eluser]Dam1an[/eluser]
[quote author="crispyslice" date="1241052337"]
I'd highly recommend looking into a pre-made auth library like the ones I linked to before. It makes things much easier and there's less to do, so it's a win-win situation.[/quote]

Also, they've been thoroughly tested by the developer and the community, so they're less likely to contain nasty bugs.
#6

[eluser]GamingFusion[/eluser]
Here's what I had already before I posted my problem. I have a registration form that asks for the username, the password twice (and validates that they are the same), the email twice (also checks that they are the same and a valid email address), the country, province/state, city/town (all optional), and it enters it into a database table.

But I need help with the password being hashed or encrypted with the code I have already. I was talking to a guy who has made a site in CodeIgniter with a user system and whatnot, and he told me to use SHA1.

So here's my code.

register.php(view)
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>GamingFusion Registration</title>
<link rel="stylesheet" type="text/css" href="http://site.gamingfusion.net/css/site.css" />
</head>
<body>
<h1>Registration</h1>(required *)
<br />
<u><?=validation_errors()?></u>

<?php
    $datestring = "%m, %Y";
?>

<?=form_open('site/user_register')?>

<?=form_hidden('user_level', 'user');?>
<?=form_hidden('avatar', 'http://site.gamingfusion.net/assets/avatar/default.png');?>
<?=form_hidden('signup', mdate($datestring));?>

<h4>First Name *</h4>
<input type="text" name="first" value="" size="50" />

<h4>Last Name *</h4>
<input type="text" name="last" value="" size="50" />

<h4>Username(Min of 5 Max of 15) *</h4>
<input type="text" name="username" value="" size="50" />

<h4>Password *</h4>
<input type="password" name="password" value="" size="50" />

<h4>Password Confirm *</h4>
<!-- the confirmation field needs its own name; two fields called "password" overwrite each other -->
<input type="password" name="passconf" value="" size="50" />

<h4>Email Address(Valid Email) *</h4>
<input type="text" name="email" value="" size="50" />

<h4>Email Confirm *</h4>
<input type="text" name="emailconf" value="" size="50" />

<h4>State/Province *</h4>
<input type="text" name="stateprov" value="" size="50" />

<h4>City *</h4>
<input type="text" name="city" value="" size="50" />

<h4>Country *</h4>
<input type="text" name="country" value="" size="50" />

<p><input type="submit" value="Register" /></p>

</form>

</body>
</html>

regsuccess.php(view)
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>GamingFusion | Registration</title>
<link rel="stylesheet" type="text/css" href="http://site.gamingfusion.net/css/site.css" />
</head>
<body>
<p><h1>Registration Success</h1><img src="http://site.gamingfusion.net/assets/success.png" /></p>
<br />
<br />
<p><?=anchor('/site/login', 'Go to Login');?></p>

</body>
</html>

Controllers that have anything to do with the registration

Code:
function register()
    {
        $data['title'] = "GamingFusion | Registration";
        $data['heading'] = "Register";
        $data['query'] = $this->db->get('users');
        
        $this->load->view('register');
    }
    
    function regsuccess()
    {
        $data['title'] = "GamingFusion | Registration";
        $data['heading'] = "Register Successful";
        $this->load->view('regsuccess');    
    }
    
    function RandString($length = 32, $letters = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM')
      {    
      $s = '';
      $lettersLength = strlen($letters)-1;
    
      for($i = 0 ; $i < $length ; $i++)
      {
      $s .= $letters[rand(0,$lettersLength)];
      }
    
      return $s;
      }
    
    function user_register()
    {
        
        $data['title'] = "GamingFusion | Registration";
        $data['heading'] = "Register Successful";
        $this->load->library('form_validation');
        $this->encrypt->sha1('');
        
        $this->form_validation->set_rules('first', 'First Name', 'required');
        $this->form_validation->set_rules('last', 'Last Name', 'required');
        $this->form_validation->set_rules('username', 'Username', 'required|min_length[5]|max_length[15]');
        $this->form_validation->set_rules('password', 'Password', 'required');
        $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required|matches[password]');
        $this->form_validation->set_rules('email', 'Email', 'required|valid_email');
        $this->form_validation->set_rules('emailconf', 'Email Confirmation', 'required|matches[email]');
        $this->form_validation->set_rules('country', 'Country', 'required');

        
        if ($this->form_validation->run() == FALSE)
            {
                $this->load->view('register');
            }
            else
            {
                $this->load->view('regsuccess');
            }
            
        $this->db->query("INSERT INTO users (username, name)
        VALUES (".$this->db->escape($title).", ".$this->db->escape($name).")");
    }
#7

[eluser]GamingFusion[/eluser]
Ok, I have initialized the session library and it is using a database table to store the session data. Now I need to know how to get the password hashed with SHA1, then how to get the login form I have made to work. Please start with the registration stuff first; all I need for that is the hashing with SHA1.
#8

[eluser]crispyslice[/eluser]
If I'm honest about it, it looks like there's quite a lot wrong with that code. 8-/

The randstring function is in the wrong place - it should be in either a library or a helper, because at the moment, people can go to example.com/register/randstring. You shouldn't even need to make your own random string function, as there's one already in the string helper (see here). If you're looking for a captcha, check out the captcha plugin in /plugins.
-
Because the database query is outside your if statement, you're going to be inserting data regardless of whether the form is valid or not.
-
Code:
$this->encrypt->sha1('')
will do absolutely nothing except waste CPU cycles. You need to tell it to hash something and you need to assign it to a variable (although that's not strictly true) like this:
Code:
$password_hash = $this->encrypt->sha1($inputted_password);
-
You shouldn't be using direct database queries in your controllers, so
Code:
$data['query'] = $this->db->get('users');
should become
Code:
$data['query'] = $this->a_database_model_you_made->get_users();
-
You're not passing any data to your views, so any data you want in your views won't get there. You need to modify your view loader to this:
Code:
$data['foo'] = 'bar';
$this->load->view('some_view', $data);

// Then you can get data in your view by using:
<?php echo $foo; ?> // returns 'bar'
-
While it's good to see that you're escaping your database inputs, if possible you should use the ActiveRecord class as it escapes the inputs for you and allows for better compatibility with databases other than MySQL. Also, it makes queries easier to read and write (YMMV).
-

Looking at your code, it seems to me that you still have a lot to learn about how to design CodeIgniter applications. I think that you'd be better off using a pre-built auth library like I've said before. It decreases the learning curve significantly, and it'll also get your app done much quicker.
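The registration controller and model restructured along the lines of the checklist in the post above, as an added example that is not code from the thread or from any CodeIgniter auth library. It targets the CodeIgniter 1.7 API the thread is using (`extends Controller` / `extends Model`, Active Record, form_validation callbacks); the class and file names, the `users` columns, the minimum password length and the `_username_available` callback are assumptions. It also swaps the thread's `$this->encrypt->sha1()` for PHP's `password_hash()` (PHP 5.5+), which adds a per-user salt and a slow hash that a bare SHA1 lacks, and it sets `user_level` on the server rather than reading it from the hidden form field in the posted view, since anything in the form can be edited by the person submitting it.

```php
<?php
// Added example (not from the thread): a validation-gated registration with the
// database access moved into a model. CodeIgniter 1.7 API; names below are assumptions.

// application/models/user_model.php
class User_model extends Model
{
    function User_model()
    {
        parent::Model();
    }

    // Active Record escapes every value, so no hand-built SQL strings in the controller
    function username_exists($username)
    {
        $this->db->where('username', $username);
        return $this->db->count_all_results('users') > 0;
    }

    function create($username, $password, $email, $name)
    {
        $row = array(
            'username'   => $username,
            'password'   => password_hash($password, PASSWORD_DEFAULT), // salted, slow; never the plaintext
            'email'      => $email,
            'name'       => $name,
            'user_level' => 'user',      // decided here, not taken from a hidden form field
            'signup'     => mdate('%Y-%m-%d'),
        );
        return $this->db->insert('users', $row);
    }
}

// application/controllers/site.php
class Site extends Controller
{
    function Site()
    {
        parent::Controller();
        $this->load->library('form_validation');
        $this->load->helper(array('form', 'url', 'date'));
        $this->load->model('user_model');
    }

    function register()
    {
        $data['title'] = 'GamingFusion | Registration';
        $this->load->view('register', $data);   // $data actually reaches the view this way
    }

    function user_register()
    {
        // confirmation fields have their own names; matches[] names the field they must equal
        $this->form_validation->set_rules('first', 'First Name', 'required');
        $this->form_validation->set_rules('last', 'Last Name', 'required');
        $this->form_validation->set_rules('username', 'Username',
            'required|min_length[5]|max_length[15]|callback__username_available');
        $this->form_validation->set_rules('password', 'Password', 'required|min_length[8]');
        $this->form_validation->set_rules('passconf', 'Password Confirmation', 'required|matches[password]');
        $this->form_validation->set_rules('email', 'Email', 'required|valid_email');
        $this->form_validation->set_rules('emailconf', 'Email Confirmation', 'required|matches[email]');
        $this->form_validation->set_rules('country', 'Country', 'required');

        if ($this->form_validation->run() == FALSE)
        {
            // invalid form: show it again with the errors and do NOT touch the database
            $data['title'] = 'GamingFusion | Registration';
            $this->load->view('register', $data);
            return;
        }

        // the insert runs only on this branch, after validation passed
        $this->user_model->create(
            $this->input->post('username'),
            $this->input->post('password'),
            $this->input->post('email'),
            $this->input->post('first') . ' ' . $this->input->post('last')
        );
        redirect('site/regsuccess');   // redirect after POST so a browser refresh cannot re-insert
    }

    // Validation callback: the leading underscore keeps it off the URL routing,
    // unlike the RandString() method in the posted controller.
    function _username_available($username)
    {
        if ($this->user_model->username_exists($username))
        {
            $this->form_validation->set_message('_username_available', 'That %s is already taken.');
            return FALSE;
        }
        return TRUE;
    }
}
```

The login side then fetches the row by username in the model and calls `password_verify()` on the stored hash; because each hash carries its own salt, a `WHERE password = ...` lookup no longer works and is not needed.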



