CHAPTER 6 ■ PASSWORD PROTECTION: SENSITIVE ACTIONS AND AREAS

$obj = new Admin($dbo);

// Load a hash of the word test and output it
$hash1 = $obj->testSaltedHash("test");
echo "Hash 1 without a salt:<br />", $hash1, "<br /><br />";

// Pause execution for a second to get a different timestamp
sleep(1);

// Load a second hash of the word test
$hash2 = $obj->testSaltedHash("test");
echo "Hash 2 without a salt:<br />", $hash2, "<br /><br />";

// Pause execution for a second to get a different timestamp
sleep(1);

// Rehash the word test with the existing salt
$hash3 = $obj->testSaltedHash("test", $hash2);
echo "Hash 3 with the salt from hash 2:<br />", $hash3;

Note: The sleep() function delays execution of a script by a given number of seconds, passed as its sole argument. You can learn more about this function at http sleep.

Your results will not be identical, because the timestamp hashes used for the salt will differ; however, your results should look something like this:

Hash 1 without a salt:
518fd85bb85815af85e88b7c43d892238af9a5ca5775807

Hash 2 without a salt:
93b14e3f42ca09cafc1330b592669a5d02e9815bc2f69de

Hash 3 with the salt from hash 2:
93b14e3f42ca09cafc1330b592669a5d02e9815bc2f69de

As you can see, hashes of the word test don't match up when passed separately; however, if you supply an existing salted hash of test, the same hash is produced.
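The behaviour just shown, reproduced as an added Python example (not the book's PHP code): the salt is taken from a hash of the current timestamp, truncated to 8 characters, and prefixed to sha1(salt + password); the 8-character width and the md5-of-timestamp derivation are assumptions, since the page only says the salt comes from a timestamp hash. The second half shows the form a practitioner would store today, a random 16-byte salt with PBKDF2, because a timestamp-derived salt is predictable and a single SHA-1 round is cheap to brute-force.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

SALT_LEN = 8  # assumed: salt width that fits an 8-char prefix + 40-char SHA-1 digest


def salted_hash(password: str, existing: Optional[str] = None,
                now: Optional[int] = None) -> str:
    """Book-style scheme: salt = first 8 hex chars of md5(timestamp) (assumed
    derivation), result = salt + sha1(salt + password). Passing an existing
    stored hash reuses its salt, which is how verification works."""
    if existing is None:
        stamp = str(int(time.time()) if now is None else now)
        salt = hashlib.md5(stamp.encode()).hexdigest()[:SALT_LEN]
    else:
        salt = existing[:SALT_LEN]
    return salt + hashlib.sha1((salt + password).encode()).hexdigest()


def verify_legacy(password: str, stored: str) -> bool:
    # Rehash with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_hash(password, stored), stored)


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Random salt plus a slow KDF; salt and work factor are stored with the
    digest so the cost can be raised later without breaking verification."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, _dk = stored.split("$")
    recomputed = hardened_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    h1 = salted_hash("test")
    time.sleep(1)  # force a different timestamp, as in the listing above
    h2 = salted_hash("test")
    print("Hash 1 without a salt:", h1)
    print("Hash 2 without a salt:", h2)
    print("Hash 3 with the salt from hash 2:", salted_hash("test", h2))
    print("Hardened form:", hardened_hash("test"))
```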
This way, even if two users have the same password, their stored hashes will be different, making it much more difficult for potential attackers to crack passwords.

Note: Bear in mind that no algorithm is 100% effective. However, using techniques like salted hashes makes it possible to reduce the possibility of an attack significantly.

Creating a User to Test Administrative Access

In order to test the administrative functions, you'll need a username/password pair to exist in your users table. For simplicity, the username will be testuser, the password will be admin, and the email address will be admin@. Keep in mind that this is not a secure password; it is being used