md5 to sha1

[eluser]clintonbeattie[/eluser]
Hi,

I have the code and inserting a static salt at the end as a test, just to check if it is inserted into the database correctly. Only thing is, it isn't. I am still getting only a 32 digit password.

I have increased the password field to varchar(40) added a static salt variable and prepended it to the users password.

Also, is this where I would add the static salt variable? I read somewhere that "This is best stored in a configuration file somewhere." What configuration file? Is there a file in CI to hold info like this?

Code:

function create_member()
    {
        $static_salt = 'YYYY';
        $new_member_insert_data = array(
            'first_name' => $this->input->post('first_name'),
            'last_name' => $this->input->post('last_name'),
            'email_address' => $this->input->post('email_address'),            
            'username' => $this->input->post('username'),
            'password' => md5($this->input->post($static_salt.'password'))                        
        );
        
        $insert = $this->db->insert('membership', $new_member_insert_data);
        return $insert;
    }

Many thanks,
C

[eluser]BrianDHall[/eluser]
You're close:

Code:

function create_member()
    {
        $static_salt = 'YYYY';
        $new_member_insert_data = array(
            'first_name' => $this->input->post('first_name'),
            'last_name' => $this->input->post('last_name'),
            'email_address' => $this->input->post('email_address'),            
            'username' => $this->input->post('username'),
            'password' => md5($this->input->post('password') . $static_salt)                        
        );
        
        $insert = $this->db->insert('membership', $new_member_insert_data);
        return $insert;
    }

You should add the salt before hashing - meaning that it will still end up the same amount of characters in length after hasing. As to config file, you can checkout the config class: http://ellislab.com/codeigniter/user-gui...onfig.html

Personally, I prefer to just do something a bit more dirty - like pop open config.php and put in a constant declaration for something like _SALT_. Yeah, it makes it available everywhere, but what's 1 extra constant among friends?

Note the difference in 30 and 60 characters, unless you have a stunningly large site, is immaterial to such decisions - I'd recommend you just make it the 60 long and use sha1(), with the static salt addition before hashing being just fine.

[eluser]clintonbeattie[/eluser]
Thanks for that. I'll try out the SHA1 with static salt. Easy enough to save, but I may have problems with user login. Will keep you posted. Everyone's been great help!

Say I have this in my main config...

$config['encryption_key'] = "NeO5C88iv7uo09U2E20iJF0iUiz8R9zm";

How do I use this in my controller as a salt hash? Would it be...

$static_salt = $this->config->item('encryption_key'); and how do I know if the salt has been appended since in this example the MD5 limits to 32 characters?


Thanks

[eluser]BrianDHall[/eluser]
How do you know it's been appended? ...well, you don't, really. You just have to check $static_salt before use and make sure it has the value you were expecting.

If you already have passwords stored one way and you want to change it you could do something like:

Code:

$password = 'password';

if ($stored_password == md5($password) || $stored_password == md5($password . $salt) || $stored_password == sha1($password) || $stored_password == sha1($password . salt)

But you know, you don't want to do that if you don't want backwards compatibility for already stored passwords.