
PHP Security question

Name: Anonymous 2010-04-30 17:38

Quick question from a PHP noob:

I want to put a password into a mysql db by hashing it first, and then sending the hash.  Is there a security risk here?  I don't know enough about where things are happening (client vs server, etc...) to know.

Name: Anonymous 2010-04-30 17:48

Of course there's a security risk.

Your post is light on details (because you are an idiot), so I'm going to assume your situation is like that of most beginners and you have an HTML form somewhere, a PHP script that takes the information from that form, hashes it, and passes it on to the MySQL database, and a MySQL database running on the same machine as the webserver.
What's happening when the user inputs his password and presses submit is that his password is travelling over the network in plaintext. It then arrives at the server, where the PHP script hashes it (on the server side, of course) and passes it on to MySQL (without passing over the network, so no security risk there).

What you need to do is use HTTPS, so the information is encrypted as it goes over the network. If you're dealing with a thing where users register and then log in later, you can get away with only using it for the registration step, and using something like client-side (using Javascript) hashing with a cryptographic nonce for the log-in.

If my assumption of your situation is wrong and my advice therefore unhelpful, you have only yourself to blame.
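
The registration-over-HTTPS plus nonce-based login that >>2 describes, simulated with both halves in one file (an added example, not code from this thread; written in Python rather than the thread's PHP/JavaScript so the exchange runs offline; the USERS/PENDING dictionaries, function names and iteration count are constructed assumptions standing in for the MySQL table and server session state):

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the MySQL users table and server session state.
USERS = {}      # username -> (salt, verifier)
PENDING = {}    # username -> single-use nonce issued for the current login attempt
ITERATIONS = 100_000

def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow salted hash: run server-side at registration, client-side at login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username: str, password: str) -> None:
    """Registration step (over HTTPS in the thread): server stores only salt + verifier."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, derive_verifier(password, salt))

def server_challenge(username: str):
    """Server, step 1: hand the client its salt and a fresh nonce for this attempt."""
    salt, _ = USERS[username]
    nonce = secrets.token_bytes(16)
    PENDING[username] = nonce
    return salt, nonce

def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client (the JavaScript side in the thread): prove the password without sending it."""
    verifier = derive_verifier(password, salt)
    return hmac.new(verifier, nonce, "sha256").digest()

def server_verify(username: str, response: bytes) -> bool:
    """Server, step 2: consume the nonce, recompute the expected MAC, compare in constant time."""
    nonce = PENDING.pop(username, None)   # popped, so a captured response cannot be replayed
    if nonce is None or username not in USERS:
        return False
    _, verifier = USERS[username]
    expected = hmac.new(verifier, nonce, "sha256").digest()
    return hmac.compare_digest(expected, response)

def login(username: str, password: str) -> bool:
    """Runs one full exchange: challenge -> client response -> server check."""
    if username not in USERS:
        return False
    salt, nonce = server_challenge(username)
    return server_verify(username, client_response(password, salt, nonce))

if __name__ == "__main__":
    register("alice", "correct horse")
    print(login("alice", "correct horse"), login("alice", "wrong"))
```

One property worth noting: the stored verifier is exactly what the client needs to answer a challenge, so the users table must be protected as carefully as the plaintext passwords would be.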

Name: Anonymous 2010-04-30 17:54

>>1
PHP is insecure.  Don't use it.  This will solve your PHP security issues.

Name: Anonymous 2010-04-30 18:01

>>2
1. You're right, sorry about the lack of details.  Like I said, I don't know enough to know what's important.  I come from a systems programming background and am trying to learn this stuff.

2.  You answered my every question awesomely!  Seriously, thanks a ton.

3.  I actually am doing this:

quote:
What you need to do is use HTTPS, so the information is encrypted as it goes over the network. If you're dealing with a thing where users register and then log in later, you can get away with only using it for the registration step, and using something like client-side (using Javascript) hashing with a cryptographic nonce for the log-in.

Because it seemed like the best way to do it, I just wasn't sure if the javascript happens client side or server side.  That's my fault for not reading enough, but I was happy just to get something running in XAMPP, so I didn't stop to think if the way I was doing it was "correct".

Thank you!

Name: Anonymous 2010-04-30 18:12

Name: Anonymous 2010-04-30 18:13

You, sir, are totally bad ass. Thanks!

Name: Anonymous 2010-05-01 3:23

>>2
It's not a security risk if it's just a local socket, which is a fairly common case (web server and database server are on the same box).

Name: Anonymous 2010-05-01 12:19

>>7
Until you have to scale up.

Name: Anonymous 2010-05-01 13:39

>>8
What, in this economy?
