The Shed is going Social! Join us on FaceBook and Twitter and chime in on the conversation.
|
 |
|
Dev Shed Forums
> Programming Languages
> PHP Development
|
Issue with salting passwords - get different results on login!
Discuss Issue with salting passwords - get different results on login! in the PHP Development forum on Dev Shed.
Issue with salting passwords - get different results on login! PHP Development forum discussing coding practices, tips on PHP, and other PHP-related topics. PHP is an open source scripting language that has taken the web development industry by storm.
|
|
 |
|
|
|
|
Dev Shed Forums Sponsor:
|
|
|
March 6th, 2013, 04:11 AM
|
|
Registered User
|
|
Join Date: Jul 2007
Posts: 22
Time spent in forums: 5 h 34 m 23 sec
Reputation Power: 0
|
|
|
Issue with salting passwords - get different results on login!
Hi all.
I have, as a test only, a very basic register/login script that uses sha1 and a salt to store passwords with.
The problem I am having is, well, I can't log in :/ Passwords do not match. Here is a small snippet of the register and login:
Register:
PHP Code:
$salt = time();
IF (ISSET( $_POST['password'] ))
{
$password=sanitize($_POST['password']);
}
$hashed_password = sha1( $password.$salt );
$sql = "INSERT INTO users (username, email, regDate, fname, lname, salt, password) VALUES ('$username', '$email', '$mysql_date', '$fname', '$lname', '$salt', '$hashed_password')";
Login:
PHP Code:
$username = sanitize($_POST['username']);
$password = sanitize($_POST['password']);
$salt = $row['salt'];
$hashed_pass = sha1($password.$salt);
if ($hashed_pass == $row['password'])
{
echo 'Password verified!';
}
else
{
echo 'There was a problem with your user name or password.';
}
So, for registration, I use time() to create a salt. I then use SHA1 to hash $password.$salt and save both the hashed password and the salt to the database.
For logging in, I do pretty much the same thing. I use $salt = $row['salt'] to get the salt from that record, and then SHA1 to hash $password.$salt again and compare the hashes.
As far as I understood this, it should be showing the same hash and logging me in, but unfortunately, it is not. The register hashed password is different than the resulting login hashed password.
Any suggestions as to why it's not working as it should?
|
March 6th, 2013, 04:14 AM
|
|
|
|
q. how do you get the salt out from "that" record.. doesnt make sense... to get to that record what do you do? use username/pass? show us your complete php code as what you are doing doesnt make sense..
|
March 6th, 2013, 04:23 AM
|
|
Registered User
|
|
Join Date: Jul 2007
Posts: 22
Time spent in forums: 5 h 34 m 23 sec
Reputation Power: 0
|
|
Quote: | Originally Posted by paulh1983 q. how do you get the salt out from "that" record.. doesnt make sense... to get to that record what do you do? use username/pass? show us your complete php code as what you are doing doesnt make sense.. |
Ok, on my login form, it asks for username/password, and then posts that to login.php which is as follows:
PHP Code:
<?php
SESSION_START();
include ('includes/db.inc.php');
include ('includes/functions.inc.php');
$username=sanitize($_POST['username']);
$password=sanitize($_POST['password']);
$sql = "SELECT * FROM users WHERE username='$username'";
$result = mysql_query($sql) or die( mysql_error() );
$row = mysql_fetch_assoc($result);
$salt=$row['salt'];
$hashed_pass = sha1($password.$salt);
if ($hashed_pass == $row['password'])
{
echo 'Password verified!';
}
else
{
echo 'There was a problem with your user name or password.';
}
?>
|
March 6th, 2013, 04:56 AM
|
 |
pollyanna
|
|
Join Date: Jul 2012
Location: Germany
|
|
Well, the obvious thing to do is to actually check the values involved and compare them.
For register:
PHP Code:
echo 'PW:<br>';
var_dump($password);
echo 'Salt:<br>';
var_dump($salt);
$hashed_password = sha1( $password.$salt );
echo 'Hash:<br>';
var_dump($hashed_password);
For login:
PHP Code:
echo 'PW:<br>';
var_dump($password);
echo 'Salt:<br>';
var_dump($salt);
$hashed_pass = sha1($password.$salt);
echo 'Calculated hash:<br>';
var_dump($hashed_password);
echo 'Stored hash:<br>';
var_dump($row['password']);
Post the output here.
An obvious problem is that you apply the hashing function to the escaped input rather than the actual input. This makes no sense and forces you to SQL-escape the password whenever you want to do something with it. Do the escaping directly in the query, nowhere else.
By the way, what's the point of this "test"? I mean, you'd never use something like that in real life, so why test it? An actual login system can be written in a few lines.
|
Developer Shed Advertisers and Affiliates
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
Rate This Thread |
 Linear Mode
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
