
I am salting users' passwords with a mysql column which has the type timestamp and default is CURRENT_TIMESTAMP.

Both of my timezones for mysql and php are identical.

My problem is this,

    $q = $dbc->prepare("INSERT INTO accounts (password) VALUES (?)");
    $q->execute(array(hash('sha512', 'somestaticsalt' . $_POST['password'] . time())));

Now as you can see I have to hash with PHP's time function and on the mysql side it is a default timestamp.

Somewhere there must be an overlap because where users are entering correct information it is still failing to match the hashed password in the database.

I have tried inserting time() into the joined column but it returns at 1970. Also I do not want to save the timestamp as an INT as this isn't the correct thing to do, so what are your thoughts?

  • bad idea, salt should be random. Commented Sep 26, 2011 at 3:14
  • No, salt should be UNIQUE, not random, randomness means not unique. Commented Sep 26, 2011 at 3:16
  • both, yours are predictable, that's problem. Commented Sep 26, 2011 at 3:17
  • @pv1 Is there a particular reason you cannot pre-save the time stamp? Commented Sep 26, 2011 at 3:18
  • That is why I also have a static salt. My question was not concerning my security it is concerning the difference in mysql time and php time in one query. Commented Sep 26, 2011 at 3:19

1 Answer


Your salt really should be random.

A small improvement on your code (you could do a lot better, like use bcrypt or at least some stretching on sha512):

    $salt = md5(time() . 'some-other-static-salt'); // more random than time() alone.
    $q = $dbc->prepare("INSERT INTO accounts (password, salt) VALUES (?, ?)");
    $q->execute(array(hash('sha512', 'somestaticsalt' . $_POST['password'] . $salt), $salt));

Now you're no longer depending on CURRENT_TIMESTAMP returning the same thing as time(), and you've got a better salt.

EDIT: if you insist on doing it your way, look at what mysql returns for that timestamp column. I bet it looks like "Y-m-d H:i:s" and not like a unix timestamp. Of course, you should have been able to figure that out yourself. Assuming that's true, wrap it in strtotime and you might have some success.
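A complete register/login round trip built on the answer's idea (store a per-user salt next to the hash instead of reconstructing it from a clock), as an added example that is not the answerer's code. It assumes PHP 7 or later with pdo_sqlite, and uses an in-memory SQLite database in place of MySQL so it runs without a server; the `username` column and the `accounts` schema below are constructed for the example, and the salt comes from random_bytes() rather than md5(time() . ...).

```php
<?php
// Added example (not the answer author's code). Assumes PHP >= 7.0 and the
// pdo_sqlite extension; an in-memory SQLite database stands in for MySQL so
// the script runs stand-alone. The `accounts` schema here is constructed.

declare(strict_types=1);

const STATIC_PEPPER = 'somestaticsalt';   // server-side constant, as in the question

function openDb(): PDO {
    $dbc = new PDO('sqlite::memory:');
    $dbc->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // `created` keeps the CURRENT_TIMESTAMP default from the question, but the
    // stored password no longer depends on it in any way.
    $dbc->exec('CREATE TABLE accounts (
        id       INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        salt     TEXT NOT NULL,
        created  TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
    )');
    return $dbc;
}

// Same shape as the answer's hash: pepper . password . per-user salt.
function derive(string $password, string $salt): string {
    return hash('sha512', STATIC_PEPPER . $password . $salt);
}

function register(PDO $dbc, string $username, string $password): void {
    // 128 bits from the CSPRNG: unique and unpredictable per account.
    $salt = bin2hex(random_bytes(16));
    $q = $dbc->prepare('INSERT INTO accounts (username, password, salt) VALUES (?, ?, ?)');
    $q->execute([$username, derive($password, $salt), $salt]);
}

function login(PDO $dbc, string $username, string $password): bool {
    // The salt is read back from the row, so nothing has to be recomputed
    // from time() or from the timestamp column at login.
    $q = $dbc->prepare('SELECT password, salt FROM accounts WHERE username = ?');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Constant-time comparison of the two hex digests.
    return hash_equals($row['password'], derive($password, $row['salt']));
}

$dbc = openDb();
register($dbc, 'alice', 'correct horse battery staple');

if (!login($dbc, 'alice', 'correct horse battery staple')) {
    throw new RuntimeException('correct password was rejected');
}
if (login($dbc, 'alice', 'wrong password')) {
    throw new RuntimeException('wrong password was accepted');
}
if (login($dbc, 'nobody', 'anything')) {
    throw new RuntimeException('unknown user was accepted');
}
echo "register/login round trip OK\n";
```

The bcrypt route the answer mentions is even simpler in PHP 5.5 and later: password_hash($password, PASSWORD_BCRYPT) generates and embeds its own random salt, and password_verify() checks it, so the separate salt column disappears entirely.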


1 Comment

Yes, I will use your answer, but it is a mystery to me why the figures weren't the same; I was using strtotime(val)... Thanks for your input and reply
