Msg#: 3792412 posted 12:01 pm on Nov 23, 2008 (gmt 0)
I've spent the last few hours writing a login script for my website, but I've been stumped on a problem verifying passwords...
When a user registers, their information is stored in a database. On the login page they enter the username and password, which is then checked against the information held in the database before setting a cookie. Passwords are stored base64 encoded.
Msg#: 3792412 posted 12:18 pm on Nov 23, 2008 (gmt 0)
$pass = mysql_real_escape_string($pass);
That's probably your problem. Slashes won't show up when displayed but they are in the string and will fail comparison. You also don't need to escape a string until you are ready to place it into the db via a mysql call.
Msg#: 3792412 posted 12:24 pm on Nov 23, 2008 (gmt 0)
Thanks, but I took that line out and I still have the same problem. I think earlier I decoded the password from the database instead of encoding the form password, and that worked (if I remember rightly)... If that's the case, why are the two base64_encoded strings not showing to PHP as a match?
EDIT: I just tried it again. Using the code below instead works fine, but I can't understand why it should make any difference? Also, since the password will be stored in a cookie I kind of need it encrypted... Maybe I should just add another column in the database for the md5($pass)?
Msg#: 3792412 posted 1:23 pm on Nov 23, 2008 (gmt 0)
I've never saved a raw password in the database, I use base64_encode() so a password can be decoded at a later date for use in a forgot password script when I write one.
As per the edit in my last post, I've added a second column in the database to store an md5 encoded password in addition to the base64 version. Everything is now working fine, but I'm intrigued as to why PHP fails to match two equal values when they are base64_encoded. Maybe it has something to do with symbols such as "=" at the end of the string?
Msg#: 3792412 posted 2:56 pm on Nov 23, 2008 (gmt 0)
base64_encode does not provide one-way encryption, something you do need for passwords. You should create a new password for the password-forgotten cases, apply a one-way encryption scheme and store the key only in the database, then send the password via email to the original owner from the accounts table.
People won't like it if they know their passwords can be decrypted. Even md5 is not sufficient by itself, without using some other salt sub-key, preferably custom to your site.
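As an added illustration (not code from the thread), the snippet below reproduces the comparison failure discussed above, where the submitted password is escaped before it is encoded, and then shows the salted one-way storage the last reply recommends, using PHP's built-in password_hash()/password_verify() (assumes PHP 5.5 or later; addslashes() stands in for mysql_real_escape_string() so it runs without a database connection).

```php
<?php
// Added example, not from the original thread.
// Assumes PHP >= 5.5 for password_hash() / password_verify().

// 1. The comparison bug from the thread: escaping the submitted password
//    before encoding it changes the bytes, so the encoded value no longer
//    matches what registration stored (same for any hash, md5 included).
function encodeSubmitted(string $pass, bool $escapeFirst): string {
    if ($escapeFirst) {
        // stand-in for mysql_real_escape_string(); adds a backslash before the quote
        $pass = addslashes($pass);
    }
    return base64_encode($pass);
}

$stored = base64_encode("p'ass");                       // what registration saved
var_dump(encodeSubmitted("p'ass", true)  === $stored);  // bool(false): slash in the string
var_dump(encodeSubmitted("p'ass", false) === $stored);  // bool(true):  compare first, escape later

// 2. One-way, salted storage: password_hash() picks a random salt per user
//    and embeds it in the returned string, so no extra salt column is needed
//    and the original password cannot be decoded from the database.
function storePassword(string $pass): string {
    return password_hash($pass, PASSWORD_DEFAULT);
}

function checkPassword(string $submitted, string $storedHash): bool {
    // constant-time comparison against the salted hash
    return password_verify($submitted, $storedHash);
}

$hash = storePassword("p'ass");           // store this string in the password column
var_dump(checkPassword("p'ass", $hash));  // bool(true)
var_dump(checkPassword("p'ass ", $hash)); // bool(false)

// The cookie set after login should carry a session id, never the password
// or its hash; the hash itself goes into the database as a bound parameter.
```

For a "forgot password" feature this scheme issues a new password (or a one-time reset token) rather than decoding the old one, which is what the final reply in the thread describes.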