How do I use password hashing with PDO to make my code more secure?

Question 1

My code is actually working but it's not at all secure, I don't want to use MD5 as it's not all that secure. I've been looking up password hashing but I'm not sure how I would incorporate it into my code.

Login:

require_once __DIR__.'/config.php';
session_start();

$dbh = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_USERNAME, DB_USERNAME, DB_PASSWORD);

$sql = "SELECT * FROM users WHERE username = :u AND password = :p";
$query = $dbh->prepare($sql); // prepare
$params = array(":u" => $_POST['username'], ":p" => $_POST['password']);
$query->execute($params); // execute

$results = $query->fetchAll(); // then fetch


//hash passwords pls

if (count($results) > 0 ){
$firstrow = $results[0];
$_SESSION['username'] = $firstrow['username'];
echo "Hello $username you have successfully logged in";
//header ("location:.php");
}
else{
echo "Login Has Failed";
return;
}

Register:

$dbh = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_USERNAME, DB_USERNAME, DB_PASSWORD);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];

$stmt = $dbh->prepare("insert into users set username='".$username."', email='".$email."', password='".$password."' ");
$stmt->execute();
echo "<p>Thank you, you are registered</p>";

Could anyone show me how to incorporate it into the code I have?

Question 2

Just use a library. Seriously. They exist for a reason.

PHP 5.5+: use password_hash()
PHP 5.3.7+: use password-compat (a compatibility pack for above)
All others: use phpass

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And on login:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
$result = $stmt->execute([$_POST['username']]);
$users = $result->fetchAll();
if (isset($users[0]) {
    if (password_verify($_POST['password'], $users[0]->password) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}

Question 3

The discussion thus far has been about protecting from SQL Injection and Persistent cross site scripting. It sounds like you're on the right track.

Your use of prepared statements is a "best practice" to combat SQL injection.
htmlspecialchars() is a good start to prevent XSS, but you have to escape data in the encoding scheme that is appropriate to where you are outputting data. OWASP has a comprehensive page that discusses this: XSS (Cross Site Scripting) Prevention Cheat Sheet. The short answer: Ensure you are using "the escape syntax for the part of the HTML document you're putting untrusted data into."

Question 4

Essentially the same, but maybe more elegant than adding extra fields: In the default authentication framwork in Django, the password hashes are stored as strings constructed like this:

hashtype$salt$hash

Hashtype is either sha1 or md5, salt is a random string used to salt the raw password and at last comes the hash itself. Example value:

sha1$a1976$a36cc8cbf81742a8fb52e221aaeab48ed7f58ab4

Question 5

You can do that but through some modifications.

launch.json

{
    // Use IntelliSense to learn about possible Node.js debug attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "type": "node",
            "request": "attach",
            "name": "Attach to Remote",
            "address": "127.0.0.1",
            "port": 9229,
            "localRoot": "${workspaceRoot}",
            "remoteRoot": "/usr/src/app",
            "preLaunchTask": "start_node_compose"
        }
        // {
        //     "type": "node",
        //     "request": "launch",
        //     "name": "Launch Program",
        //     "program": "${workspaceRoot}/index.js"
        // }
    ]
}

As you can see I commented the local launch and made this the first one so it is run on F5. Next we need to define a start_node_compose task

tasks.json

{
    "version": "0.1.0",
    "command": "myCommand",
    "isShellCommand": false,
    "args": [],
    "showOutput": "always",
    "tasks": [
        {
            "taskName": "start_node_compose",
            "showOutput": "always",
            "isBuildCommand": true,
            "command": "/bin/bash",
            "args": [
                "-c",
                "docker-compose -f docker-compose.yml -f docker-compose.debug.yml up -d && sleep 10"
            ]
        }
    ]
}

Then when you run the command using F5 you will be able to hit the breakpoint

Question 6

Mixing two database libraries like this is a bad idea and potentially unsafe.

mysql_real_escape_string() needs an existing, classic mysql_connect() database connection (which it can get character set info from) to be totally safe. The PDO connection will be separate, possibly with different character set settings, ultimately resulting in less security:

A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

Use PDO all the way, there's no alternative.

If you don't want to use prepared statements, PDO::quote should be the correct function:

Returns a quoted string that is theoretically safe to pass into an SQL statement.

Note however that even the manual page for that function recommends using prepared statements instead.

How do I use password hashing with PDO to make my code more secure?

Answers

php,mysql,security,pdo,password-hash