
PHP Server Side Scripting Forum

    
Password hash doesn't match
Gilead




msg:4395588
 4:15 pm on Dec 8, 2011 (gmt 0)

I am using a sha1 hash to encrypt passwords in my application.
All is fine until someone tries to log in. For whatever reason, it won't let anyone in even if they are typing the correct password. What am I doing wrong? Any suggestions?

for members-
$member_password= mysql_real_escape_string(addcslashes(sha1($_POST[password]), "%_"));
for admins-
$password = mysql_real_escape_string(sha1($_POST['password']));

It happens on both sides of the equation- on the admin side and the member side.

from the login page:
$mypassword=mysql_real_escape_string($_POST['password']);

I changed the password to something else in phpmyadmin and was able to log in just fine, so it has to be somewhere in this process.

Thanks!

 

rocknbil




msg:4395602
 4:32 pm on Dec 8, 2011 (gmt 0)

What happens when you do this?

// Get the database password to match, then

echo "Entered $password, database $db_password";
exit;


Do they match? I suspect not?

View the source in case any characters are hidden by the browser. I suspect addcslashes but that's a wild guess.

eelixduppy




msg:4395605
 4:35 pm on Dec 8, 2011 (gmt 0)

>> addcslashes
This would be the first thing I removed to make things consistent.

How are you comparing the two hashes in the login process? You should be hashing what they type in and comparing it to the hash stored in the database.

Gilead




msg:4395607
 4:46 pm on Dec 8, 2011 (gmt 0)

Unless I did something completely nuts, I added this piece to the login just as it checks the admin table.
$row = mysql_fetch_array($result);
$dbpassword=$row['password'];
echo "Entered Password";
echo $mypassword;
echo '<br />';
echo "Database password";
echo $dbpassword;
The dbpassword is blank!
In phpmyadmin, the password appears as a 40-character string of numbers and letters.

Do I need to encrypt the input so it matches the one in the database?

Gilead




msg:4395627
 5:03 pm on Dec 8, 2011 (gmt 0)

If I do encrypt it, it works just fine as long as the password has already been encrypted. However, not all users, admins included, have logged in initially to reset their own passwords. How can I get around this?

eelixduppy




msg:4395629
 5:13 pm on Dec 8, 2011 (gmt 0)

>> Do I need to encrypt the input so it matches the one in the database?
Yes.

>> How can I get around this?
If you are storing their passwords as plain text, you can do an update on that field with the new hash. The difficulty here being how to differentiate between an already hashed password and one that still needs to be hashed.

brotherhood of LAN




msg:4395630
 5:15 pm on Dec 8, 2011 (gmt 0)

Encrypt the passwords as soon as they get into the database.

For existing ones, if your SHA1 method has a fixed length, you can update all the password rows that don't have that length (make a backup first if you try it).

UPDATE table SET password = SHA1(password) WHERE LENGTH(password) != 40

This assumes that anyone with an unencrypted password does not have a password with a 40 character length, or it'll remain unencrypted.

Gilead




msg:4395638
 5:25 pm on Dec 8, 2011 (gmt 0)

I'm really confused now.
The temp password that is sent to the user/admin is md5 limited to 8. I wanted something easy for anyone with a temp password.

My problem comes once they login. What is the best way to check for both the full encrypted password and the 8char temp password?
2 database queries? Or can I somehow combine them? "or" doesn't seem to work.

...WHERE member_login='$myusername' and member_password='$mypassword' or '$mytemppassword'";
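
Added example, not part of any post in this thread: one way to handle the mixed state discussed above (plaintext rows alongside 40-character SHA-1 rows) is to fetch the row by login name, compare in PHP, and upgrade the stored value on a successful login. It swaps the thread's plain sha1() for PHP's password_hash()/password_verify() as the target format; the function names and sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and sample rows are constructed.

/** Classify a stored password column value: 'modern', 'sha1' or 'plain'. */
function classify_stored(string $stored): string
{
    if (!empty(password_get_info($stored)['algo'])) {
        return 'modern';                       // produced by password_hash()
    }
    // Same heuristic as the LENGTH(password) != 40 update, tightened to hex only.
    // A plaintext password that is itself 40 hex characters is still misread.
    return preg_match('/\A[0-9a-f]{40}\z/', $stored) ? 'sha1' : 'plain';
}

/** Check a login attempt; on success return a replacement hash for legacy rows. */
function verify_login(string $input, string $stored): array
{
    $kind = classify_stored($stored);
    if ($kind === 'modern') {
        $ok = password_verify($input, $stored);
    } elseif ($kind === 'sha1') {
        $ok = hash_equals($stored, sha1($input));   // hash the input, then compare
    } else {
        $ok = hash_equals($stored, $input);         // row was never hashed
    }
    $rehash = null;
    if ($ok && ($kind !== 'modern' || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $rehash = password_hash($input, PASSWORD_DEFAULT);
    }
    return ['ok' => $ok, 'rehash' => $rehash];
}

// Constructed rows standing in for the result of SELECT password ... WHERE login = ?
$rows = [
    'alice' => sha1('correct horse'),   // legacy SHA-1 row
    'bob'   => 'hunter2',               // plaintext row, never reset
];
$attempts = [['alice', 'correct horse'], ['bob', 'hunter2'], ['bob', 'wrong']];
foreach ($attempts as [$user, $password]) {
    $result = verify_login($password, $rows[$user]);
    if ($result['rehash'] !== null) {
        $rows[$user] = $result['rehash'];   // in an application: UPDATE via a prepared statement
    }
    printf("%-5s %-8s stored as %s\n", $user,
        $result['ok'] ? 'accepted' : 'rejected', classify_stored($rows[$user]));
}
```

The password column must be wide enough for password_hash() output; the PHP manual recommends 255 characters.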
