
Password Hashing in PHP

Storing passwords in plain text is a mistake: an attacker who gains access to your database can steal them.

Therefore, the login is usually stored in plain text, while the password is hashed with the md5 function, which takes the password as a parameter and returns its hash. The hash is one-way: the password itself cannot be computed back from it.

For example, let's find the hash of a string:

<?php
	echo md5('12345'); // outputs '827ccb0eea8a706c4c34a16891f84e7b'
?>

Now we need to rework our registration and our authorization. To start, I would advise clearing the users table, since it currently stores passwords in plain text but should store their hashes. Then, as you test the registration, the table will fill with data in the new format.

Let's now fix our registration so that, when a new user is saved to the database, the hash of the password is stored rather than the password itself.

The described fix will look something like this:

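<?php
	$login = $_POST['login'];
	$password = md5($_POST['password']); // convert the password to its hash

	// $login goes into the SQL text as-is: escape it or bind it
	// through a prepared statement before running the query
	$query = "INSERT INTO users SET login='$login', password='$password'";
?>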

Let's make similar fixes to the authorization:

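<?php
	$login = $_POST['login'];
	$password = md5($_POST['password']); // convert the password to its hash

	// $login goes into the SQL text as-is: escape it or bind it
	// through a prepared statement before running the query
	$query = "SELECT * FROM users WHERE login='$login' AND password='$password'";
?>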

Update the registration to use hashing, register a couple of new users, and make sure they were added to the database with hashed passwords.

Update the authorization to use hashing, then try to log in as the previously registered users.
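
md5 is fast and unsalted, so the hash of a common password can be found by guessing or lookup; PHP's built-in password_hash() and password_verify() produce salted, deliberately slow hashes instead. The following is an added example, not part of the original lesson: the registration and authorization above rewritten with those functions and prepared statements, including an upgrade path for rows that already hold md5 hashes. The in-memory SQLite database, the table layout and the function names register() and authorize() are assumptions.

```php
<?php
// Added example. Assumptions: in-memory SQLite (pdo_sqlite) stands in for
// the lesson's database; register() and authorize() are illustrative names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register(PDO $pdo, string $login, string $password): void
{
    // password_hash() generates a random salt and stores it inside the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep user input out of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (login, password) VALUES (?, ?)');
    $stmt->execute([$login, $hash]);
}

function authorize(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown login
    }
    // Legacy row written by the md5-based code: exactly 32 hex characters.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    // Upgrade legacy or outdated hashes while the plain password is at hand.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE login = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $login]);
    }
    return $ok;
}

// Constructed sample data: one new-style user and one legacy md5 row.
register($pdo, 'alice', 'correct horse');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')->execute(['bob', md5('12345')]);

var_dump(authorize($pdo, 'alice', 'correct horse')); // right password
var_dump(authorize($pdo, 'alice', 'wrong'));         // wrong password
var_dump(authorize($pdo, 'bob', '12345'));           // legacy row, then upgraded
$row = $pdo->query("SELECT password FROM users WHERE login = 'bob'")->fetchColumn();
echo password_get_info($row)['algoName'], "\n";      // algorithm now stored for bob
```

Because the comparison happens in PHP through password_verify(), the query selects by login only; the hash never appears in the WHERE clause.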
