Msg#: 4395586 posted 4:15 pm on Dec 8, 2011 (gmt 0)
I am using a sha1 hash to encrypt passwords in my application. All is fine until someone tries to log in. For whatever reason, it won't let anyone in even if they are typing the correct password. What am I doing wrong? Any suggestions?
for members:
$member_password = mysql_real_escape_string(addcslashes(sha1($_POST['password']), "%_"));
for admins:
$password = mysql_real_escape_string(sha1($_POST['password']));
It happens on both sides of the equation- on the admin side and the member side.
from the login page: $mypassword=mysql_real_escape_string($_POST['password']);
I changed the password to something else in phpmyadmin and was able to log in just fine, so it has to be somewhere in this process.
Msg#: 4395586 posted 4:46 pm on Dec 8, 2011 (gmt 0)
Unless I did something completely nuts, I added this piece to the login just as it checks the admin table:
$row = mysql_fetch_array($result);
$dbpassword = $row['password'];
echo "Entered Password"; echo $mypassword; echo '<br />';
echo "Database password"; echo $dbpassword;
The dbpassword is blank! In phpmyadmin, the password appears as a 40-character string of numbers and letters.
Do I need to encrypt the input so it matches the one in the database?
Msg#: 4395586 posted 5:03 pm on Dec 8, 2011 (gmt 0)
If I do encrypt it, it works just fine as long as the password has already been encrypted. However not all users, admins included have logged in initially to reset their own passwords. How can I get around this?
Msg#: 4395586 posted 5:13 pm on Dec 8, 2011 (gmt 0)
>> Do I need to encrypt the input so it matches the one in the database? Yes.
>> How can I get around this? If you are storing their passwords as plain text, you can do an update on that field with the new hash. The difficulty here is how to differentiate between an already hashed password and one that still needs to be hashed.
Msg#: 4395586 posted 5:25 pm on Dec 8, 2011 (gmt 0)
I'm really confused now. The temp password that is sent to the user/admin is md5 limited to 8 characters. I wanted something easy for anyone with a temp password.
My problem comes once they log in. What is the best way to check for both the full encrypted password and the 8-char temp password? 2 database queries? Or can I somehow combine them? 'or' doesn't seem to work:
...WHERE member_login='$myusername' and member_password='$mypassword' or '$mytemppassword'";
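An added example (editor's code, not from anyone in the thread) covering the two open questions above: telling an already-hashed value from a plaintext one so the stored passwords can be migrated in place, and checking the full password and the temp password in a single query. It assumes a table `member` with columns `member_login`, `member_password` (either legacy plaintext or a 40-hex-character sha1, as in the thread) and `member_temp_password` (sha1 of the 8-character temp password, NULL when none is active); those column names and the in-memory SQLite database are assumptions so the code runs offline, not details from the thread. Two things a practitioner should take from it: the submitted password has to be run through the same hash before comparison, and the `OR` has to be parenthesised, because `... AND member_password='x' OR 'y'` makes SQL evaluate the literal `'y'` as a boolean rather than compare it to any column. Unsalted sha1 is fast to brute-force and is kept here only because that is what the existing rows hold; for anything new, use `password_hash()` / `password_verify()` and prepared statements instead of `mysql_real_escape_string`.

```php
<?php
// Added example, not code from the thread. Assumed schema: member(member_login,
// member_password = plaintext OR 40-hex sha1, member_temp_password = sha1(temp) or NULL).
// SQLite in memory via PDO so it runs stand-alone; point the DSN at MySQL in practice.

function looks_like_sha1(string $value): bool
{
    // A sha1 hex digest is exactly 40 hex characters; anything else is treated as not-yet-hashed.
    return preg_match('/^[0-9a-f]{40}$/i', $value) === 1;
}

function migrate_plaintext_passwords(PDO $db): int
{
    // One-time pass: replace every member_password that still looks like plaintext with its sha1.
    $rows = $db->query('SELECT member_login, member_password FROM member')
               ->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare(
        'UPDATE member SET member_password = :hash WHERE member_login = :login'
    );
    $migrated = 0;
    foreach ($rows as $row) {
        if (!looks_like_sha1($row['member_password'])) {
            $update->execute([
                ':hash'  => sha1($row['member_password']),
                ':login' => $row['member_login'],
            ]);
            $migrated++;
        }
    }
    return $migrated;
}

function authenticate(PDO $db, string $login, string $submitted): string
{
    // Hash the submitted value the same way the stored one was hashed, then let one query
    // test both columns. The OR is parenthesised so it binds before the AND.
    // Returns 'full', 'temp', or '' when the login is rejected.
    // The same hash is bound under three names: PDO without prepare emulation rejects a
    // named placeholder that is reused within one statement.
    $stmt = $db->prepare(
        "SELECT CASE WHEN member_password = :h_case THEN 'full' ELSE 'temp' END AS matched
           FROM member
          WHERE member_login = :login
            AND (member_password = :h_full OR member_temp_password = :h_temp)"
    );
    $hash = sha1($submitted);
    $stmt->execute([
        ':h_case' => $hash, ':h_full' => $hash, ':h_temp' => $hash, ':login' => $login,
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : $row['matched'];
}

// --- constructed demo data (not from the thread) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (
    member_login         TEXT PRIMARY KEY,
    member_password      TEXT NOT NULL,
    member_temp_password TEXT
)');

// alice still has a legacy plaintext password; bob is already hashed and has an active temp password.
$tempForBob = substr(md5(random_bytes(16)), 0, 8);   // 8-character temp password, as in the thread
$insert = $db->prepare('INSERT INTO member VALUES (:login, :pw, :temp)');
$insert->execute([':login' => 'alice', ':pw' => 'correct horse', ':temp' => null]);
$insert->execute([':login' => 'bob',   ':pw' => sha1('hunter2'), ':temp' => sha1($tempForBob)]);

echo "rows migrated:        ", migrate_plaintext_passwords($db), "\n";
echo "alice, full password: ", authenticate($db, 'alice', 'correct horse'), "\n";
echo "bob, temp password:   ", authenticate($db, 'bob', $tempForBob), "\n";
echo "bob, wrong password:  '", authenticate($db, 'bob', 'letmein'), "'\n";
```

Run the migration once, after the login code has been switched to hash the input; until then, users whose rows were hashed by the migration would be locked out exactly as described in the first post. Clear `member_temp_password` once the user has set a real password so the temp value cannot be reused.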