You could reduce your if/elseif/else to:
if (!$salt) {
    // No salt supplied: generate 32 random bytes and hex-encode them (64 characters).
    // Note: mcrypt_create_iv() was removed from core in PHP 7.2; random_bytes(32) is the modern equivalent.
    $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
} elseif (strlen($salt) !== 64) {
    // A salt was supplied but is not the expected 64-character hex string: reject it.
    log_message('info', 'Supplied password to process_password() was not the correct 64-byte length.');
    return false;
}
You already know that $salt is truthy since you check in the if part, so all you care about is that it's valid (length 64).
A way to further improve this would be to use a standard password hashing library instead of using PHP's built-in hash function. For example, yours has a major potential problem: it's way too fast. With enough hardware, an attacker could just brute force any short passwords.
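To make the "way too fast" point concrete, here is an added example (not code from the answer or the question) that places a salted SHA-256 scheme of the kind being reviewed beside PHP's standard password_hash()/password_verify() API and times one guess of each. The function names fast_hash, slow_hash, verify_password and time_call are this example's own; the 64-character hex salt convention is taken from the review, and random_bytes() is used in place of mcrypt_create_iv().

```php
<?php
// Added example: fast salted-SHA-256 hashing versus bcrypt via password_hash().
// Helper names are hypothetical; only the 64-char salt convention comes from the page.
declare(strict_types=1);

// Assumed shape of the reviewed scheme: one SHA-256 over salt + password.
// Each call costs microseconds, so an attacker with a leaked hash and GPU
// hardware can test enormous numbers of candidate passwords per second.
function fast_hash(string $password, ?string $salt = null): ?array
{
    if (!$salt) {
        // random_bytes() is the PHP >= 7 replacement for mcrypt_create_iv().
        $salt = bin2hex(random_bytes(32));
    } elseif (strlen($salt) !== 64) {
        // Supplied salt is not the expected 64-character hex string.
        return null;
    }
    return ['hash' => hash('sha256', $salt . $password), 'salt' => $salt];
}

// Standard alternative: bcrypt through password_hash(). The cost factor makes
// every guess deliberately expensive, and the salt is generated and embedded in
// the returned string, so no separate salt handling or length check is needed.
function slow_hash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Constant-time comparison against the stored bcrypt string.
function verify_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Average wall-clock seconds for one call of $fn over $iterations calls.
function time_call(callable $fn, int $iterations): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / 1e9 / $iterations;
}

$password = 'correct horse battery staple'; // constructed sample input

$fastPerGuess = time_call(fn() => fast_hash($password), 10000);
$slowPerGuess = time_call(fn() => slow_hash($password, 12), 3);

printf("salted sha256:  %.9f s per guess\n", $fastPerGuess);
printf("bcrypt cost 12: %.6f s per guess\n", $slowPerGuess);

// Round trip through the standard API.
$stored = slow_hash($password);
var_dump(verify_password($password, $stored));
var_dump(verify_password('wrong password', $stored));

// When the cost is raised later, existing hashes can be upgraded at login time
// because the password is available in plaintext at that moment.
if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 13])) {
    $stored = slow_hash($password, 13);
}
```

Run it with the PHP CLI and compare the two per-guess figures: the bcrypt line should be several orders of magnitude slower than the SHA-256 line, which is exactly the margin an attacker loses when brute-forcing short passwords. The cost value should be tuned so that a login takes a few hundred milliseconds on the production hardware, and password_needs_rehash() lets that value be raised over time without forcing a password reset.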