#1

    Issue with salting passwords - get different results on login!


    Hi all.

    I have, as a test only, a very basic register/login script that uses sha1 and a salt to store passwords with.

    The problem I am having is, well, I can't log in :/ Passwords do not match. Here is a small snippet of the register and login:

    Register:
    PHP Code:
    $salt = time();

    IF (ISSET( $_POST['password'] ))
    {
        $password = sanitize($_POST['password']);
    }

    $hashed_password = sha1( $password.$salt );

    $sql = "INSERT INTO users (username, email, regDate, fname, lname, salt, password) VALUES ('$username', '$email', '$mysql_date', '$fname', '$lname', '$salt', '$hashed_password')";
    Login:
    PHP Code:
    $username = sanitize($_POST['username']);
    $password = sanitize($_POST['password']);
    $salt = $row['salt'];

    $hashed_pass = sha1($password.$salt);
    if ($hashed_pass == $row['password'])
    {
        echo 'Password verified!';
    }
    else
    {
        echo 'There was a problem with your user name or password.';
    }
    So, for registration, I use time() to create a salt. I then use SHA1 to hash $password.$salt and save both the hashed password and the salt to the database.

    For logging in, I do pretty much the same thing. I use $salt = $row['salt'] to get the salt from that record, and then SHA1 to hash $password.$salt again and compare the hashes.

    As far as I understood this, it should be showing the same hash and logging me in, but unfortunately, it is not. The register hashed password is different than the resulting login hashed password.

    Any suggestions as to why it's not working as it should?
  2. #2
    q. how do you get the salt out from "that" record.. doesn't make sense... to get to that record what do you do? use username/pass? show us your complete php code as what you are doing doesn't make sense..
  4. #3
    Originally Posted by paulh1983
    q. how do you get the salt out from "that" record.. doesn't make sense... to get to that record what do you do? use username/pass? show us your complete php code as what you are doing doesn't make sense..
    Ok, on my login form, it asks for username/password, and then posts that to login.php which is as follows:
    PHP Code:

    <?php
    SESSION_START();
    include ('includes/db.inc.php');
    include ('includes/functions.inc.php');

    $username = sanitize($_POST['username']);
    $password = sanitize($_POST['password']);

    $sql = "SELECT * FROM users WHERE username='$username'";
    $result = mysql_query($sql) or die( mysql_error() );
    $row = mysql_fetch_assoc($result);

    $salt = $row['salt'];

    $hashed_pass = sha1($password.$salt);

    if ($hashed_pass == $row['password'])
    {
        echo 'Password verified!';
    }
    else
    {
        echo 'There was a problem with your user name or password.';
    }
    ?>
  6. #4
    Well, the obvious thing to do is to actually check the values involved and compare them.

    For register:
    PHP Code:
    echo 'PW:<br>';
    var_dump($password);
    echo 'Salt:<br>';
    var_dump($salt);
    $hashed_password = sha1( $password.$salt );
    echo 'Hash:<br>';
    var_dump($hashed_password);
    For login:
    PHP Code:
    echo 'PW:<br>';
    var_dump($password);
    echo 'Salt:<br>';
    var_dump($salt);
    $hashed_pass = sha1($password.$salt);
    echo 'Calculated hash:<br>';
    var_dump($hashed_pass);
    echo 'Stored hash:<br>';
    var_dump($row['password']);
    Post the output here.

    An obvious problem is that you apply the hashing function to the escaped input rather than the actual input. This makes no sense and forces you to SQL-escape the password whenever you want to do something with it. Do the escaping directly in the query, nowhere else.

    By the way, what's the point of this "test"? I mean, you'd never use something like that in real life, so why test it? An actual login system can be written in a few lines.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
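
Post #4's advice to hash the actual input and leave escaping to the query, as an added example that is not part of the thread. It uses PHP's `password_hash()`/`password_verify()` and PDO prepared statements against an in-memory SQLite database; `addslashes()` stands in for the thread's `sanitize()`, whose body is not shown, and the table, user name, salt and password are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register(PDO $db, string $username, string $password): void
{
    // Hash the raw input. password_hash() generates a random salt and embeds
    // it in the returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);   // values are bound here, in the query
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();         // false when the user does not exist
    // password_verify() re-hashes with the salt embedded in $hash and
    // compares the result in constant time.
    return $hash !== false && password_verify($password, $hash);
}

// The hash covers whatever bytes it is given: escaping before hashing
// changes those bytes for any password that contains a quote.
$raw     = "o'brien\"42";        // constructed password containing quotes
$escaped = addslashes($raw);     // stand-in for the thread's sanitize()
$salt    = '1341234567';         // constructed time()-style salt
echo "raw and escaped input give the same sha1: ";
var_dump(sha1($raw . $salt) === sha1($escaped . $salt));

register($db, 'alice', $raw);
echo "login with the raw password: ";
var_dump(login($db, 'alice', $raw));
echo "login with the escaped password: ";
var_dump(login($db, 'alice', $escaped));
echo "login as an unknown user: ";
var_dump(login($db, 'nobody', $raw));
```

In MySQL, give the password column room for the whole hash (the PHP manual suggests 255 characters), because a hash truncated on insert never verifies.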
