Hackd O Wow - 1 year ago
MySQL Question

Bulk Password Hashing PHP-LOGIN PROJECT code

I have the following question / requirement.

My website has 2000 users, however the passwords are stored using plain text (I know this is super bad). From reading various website blogs, I found that I need to use modern password hashing and salting. I found php-login.net. They use modern salting / hashing.

I have downloaded the minimal login script, which I will implement in my website. I have set up XAMPP to test locally. When I register a user it hashes the password and I can log in.

My main requirement is that I want to hash all my current plain text passwords. php-login uses the PHP password compatibility library.


How can I hash all the plain passwords in the database, because I am not going to hash 2000 1 by 1.

I assume I can write a script that will update all records in the database using the password library.

Answer Source
// you should put your db connection stuff here (it must set $conn)

// you create a new column to store hashed passwords. Good idea if
// something goes bad. You should drop the column with the original
// passwords once everything is ok and done.
$result = mysqli_query(
    $conn,
    'alter table users add column hashed_password varchar(255) not null'
);

if ($result === FALSE) {
    // handle error here
    die(mysqli_error($conn));
}

$result = mysqli_query($conn, 'select * from users');
if ($result === FALSE) {
    // handle error here
    die(mysqli_error($conn));
}

while ($user = mysqli_fetch_assoc($result)) {
    // you could use PASSWORD_DEFAULT here but I wouldn't. If in a
    // future migration the default password crypt function changes
    // your system won't work and it will be hard to know why.
    $hashedPassword = password_hash($user['password'], PASSWORD_BCRYPT);
    $result2 = mysqli_query($conn, 'update users set hashed_password = \'' . mysqli_real_escape_string($conn, $hashedPassword) . '\' where id=\'' . mysqli_real_escape_string($conn, $user['id']) . '\'');
    if ($result2 === FALSE) {
        // handle error here
        die(mysqli_error($conn));
    }
}

Then you simply check the password in the hashed_password column and not the original. If everything goes ok and you can log in with no issues, you can delete the original passwords column and you are done.
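
An added example, not part of the original answer: a re-runnable version of the migration that uses prepared statements and a transaction, together with the login check against `hashed_password` that the answer describes. It uses PDO with in-memory SQLite and a `name` column, both assumptions made so it runs without a MySQL server; the original `password` column is left in place, as the answer advises.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL `users` table so
// the script runs without a server; the `name` column is an assumption.

/** Hash every row that has no hash yet; returns the number of rows migrated. */
function migratePasswords(PDO $db): int
{
    $rows = $db->query("SELECT id, password FROM users WHERE hashed_password = ''")
               ->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE users SET hashed_password = :h WHERE id = :id');
    $db->beginTransaction();
    try {
        foreach ($rows as $row) {
            $hash = password_hash($row['password'], PASSWORD_BCRYPT);
            // Confirm the stored value verifies before relying on it for logins.
            if (!password_verify($row['password'], $hash)) {
                throw new RuntimeException('hash check failed for id ' . $row['id']);
            }
            $update->execute([':h' => $hash, ':id' => $row['id']]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();   // leave the table untouched on any failure
        throw $e;
    }
    return count($rows);
}

/** Login check that reads only the hashed_password column. */
function checkLogin(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT hashed_password FROM users WHERE name = :n');
    $stmt->execute([':n' => $name]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && $hash !== '' && password_verify($password, $hash);
}

// Constructed demo data (not real accounts).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT,
           hashed_password VARCHAR(255) NOT NULL DEFAULT '')");
$db->exec("INSERT INTO users (name, password)
           VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");

var_dump(migratePasswords($db));   // first run hashes the rows that lack a hash
var_dump(migratePasswords($db));   // re-run finds nothing left to hash
var_dump(checkLogin($db, 'alice', 'correct horse'));
var_dump(checkLogin($db, 'alice', 'wrong'));
```

Because the migration only selects rows whose `hashed_password` is still empty, it can be re-run after an interruption without hashing any row twice.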
