Envision, Create, Share

Welcome to HBGames, a leading amateur game development forum and Discord server. All are welcome, and amongst our ranks you will find experts in their field from all aspects of video game design and development.

PHP - Support with User Encryption and Security

Hello!

Well, I'd like to start off by saying I am not new per se to web development; I've been doing it for the past 10 or so years, but I've only recently started dabbling in PHP, JavaScript, and jQuery. I've been working on a side project for a long time, pretty much a social platform for programmers to collab on projects or give help/support more easily. I watched a few videos recently on security and passwords, or how to handle users. They talked a lot about encryption and verifying someone, so I would like to set up a 3-step verification for my site as well. So what I'm asking is if anyone could point me to the correct learning source for this. I want to have better password encryption, decryption, and a verifying factor per login. For the most part everything I've done in web has been self-taught, and I've just been having trouble wrapping my head around how this works: making someone's password in the database random but somehow comparing it to a typed one the user inputs. So yeah, please help; I was not able to find much on my own. <3

Thanks (with love)
Pandora/azrith001
 
Basically the user's password should never be sent over the Internet. What you can send is an encrypted form of it.

I.e. (pseudocode)


// client side
$encrypted_pass = $password.encrypt
send_to_server($encrypted_pass)

// server side
$encrypted_pass = $password_from_database.encrypt
$sent_pass = blah
if $encrypted_pass == $sent_pass -> continue

To secure it further, you use a salt, which is a password that only the server ever knows and which you use to complicate the encrypted pass. Like this:

// client side
$encrypted_pass = $password.encrypt
send_to_server($encrypted_pass)

// server side
$salt = pd77%^%£igdk
$encrypted_pass = $password_from_database.encrypt
$sent_pass = blah * $salt
if $encrypted_pass == $sent_pass -> continue

You store the password in the database with the salt applied to it, so that if the database is hacked, they still don't get your encrypted password either. So in the server you store $password * $salt.

Some sites will suggest generating a random salt and storing it in the database. Don't do this: it defeats the purpose of a salt, as then everything is in your database. Have your salt in your files and your passwords in your database, then there's an extra barrier.

As for what to encrypt it with: I don't know. MD5 was the standard, but it is not actually an encryption method, and it is very weak. Doing something like MD5(MD5(MD5(blah))) can help, but it's not enough. I don't know what the current standard is.
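For the original question (server-side password storage plus a verifying factor on every login), here is an added example in PHP; it is not code from either post. It uses PHP's built-in password API (`password_hash`, `password_verify`, `password_needs_rehash`, documented in the PHP manual's "Safe Password Hashing" FAQ), which generates a random per-user salt and stores it inside the hash string in the database, and it implements a time-based one-time code (TOTP, RFC 6238) as the per-login factor. The `$users` array, the username and the password are constructed stand-ins for a real users table; `base32_encode`, `register_user`, `verify_password`, `totp_code`, `verify_totp` and `login` are names chosen for this example.

```php
<?php
// Added example, not code from either post. Server-side password storage with PHP's
// built-in password API and a time-based one-time code (TOTP, RFC 6238) as the
// per-login factor. $users is a constructed in-memory stand-in for a database table.
declare(strict_types=1);

$users = [];   // username => ['hash' => string, 'totp_secret' => raw 20-byte string]

function base32_encode(string $bytes): string
{
    // RFC 4648 base32 (no padding); authenticator apps expect the TOTP secret in this form.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

function register_user(array &$users, string $username, string $password): string
{
    // password_hash() draws a random per-user salt and embeds it, the algorithm and the
    // work factor in the returned string, so the stored value is all password_verify() needs.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $secret = random_bytes(20);                      // per-user TOTP secret, kept server-side
    $users[$username] = ['hash' => $hash, 'totp_secret' => $secret];
    return base32_encode($secret);                   // shown to the user once, e.g. as a QR code
}

function verify_password(array &$users, string $username, string $password): bool
{
    static $dummy = null;
    $dummy = $dummy ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $exists = isset($users[$username]);
    // Verify against a dummy hash for unknown users so the response time does not
    // reveal which usernames exist.
    $hash = $exists ? $users[$username]['hash'] : $dummy;
    if (!password_verify($password, $hash) || !$exists) {
        return false;
    }
    // Transparently upgrade old hashes when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function totp_code(string $secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    // HOTP (RFC 4226) over the time-step counter: HMAC-SHA1, dynamic truncation, mod 10^digits.
    $counter = intdiv($timestamp, $step);
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);   // 'J' = 64-bit big-endian
    $offset = ord($hmac[19]) & 0x0F;
    $bin = ((ord($hmac[$offset]) & 0x7F) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         | ord($hmac[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function verify_totp(array $users, string $username, string $code, ?int $now = null): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $now = $now ?? time();
    // Accept the current 30-second step and one on either side to tolerate clock drift.
    foreach ([-1, 0, 1] as $skew) {
        $expected = totp_code($users[$username]['totp_secret'], $now + 30 * $skew);
        if (hash_equals($expected, $code)) {          // constant-time comparison
            return true;
        }
    }
    return false;
}

function login(array &$users, string $username, string $password, string $code): bool
{
    // Password first; a wrong password never reaches the one-time-code check.
    return verify_password($users, $username, $password) && verify_totp($users, $username, $code);
}

// Self-check against the RFC 6238 test vector: secret "12345678901234567890", T=59 -> 94287082.
assert(totp_code('12345678901234567890', 59, 30, 8) === '94287082');

// Demo with constructed credentials.
$secretForApp = register_user($users, 'pandora', 'correct horse battery staple');
echo "TOTP secret to enrol in an authenticator app: $secretForApp\n";
$code = totp_code($users['pandora']['totp_secret'], time());
var_dump(login($users, 'pandora', 'correct horse battery staple', $code));
var_dump(login($users, 'pandora', 'wrong password', $code));
var_dump(login($users, 'nobody', 'correct horse battery staple', $code));
```

Two practical notes. The password itself travels from the browser to the server over HTTPS and is hashed only on the server; the salt that `password_hash` stores next to the hash is not meant to be secret, its job is to stop one precomputed table from cracking every account at once, and a server-side secret mixed in before hashing (often called a pepper) is a separate, optional measure. The default `PASSWORD_DEFAULT` algorithm is currently bcrypt, which only looks at the first 72 bytes of the password, so either cap the length at registration or pick `PASSWORD_ARGON2ID` where the PHP build supports it.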