  1. #1
    SitePoint Enthusiast

    Password hashing problem

    Hi guys,

    I seem to be having an issue using password hashing. I've never used it before and think I'm missing something obvious but can't see for looking....

    Basically, I add a user from a PHP form that is then written to a MySQL database; the user gets added fine with a nonsense-looking password. But when I try to log in with that user I rehash the password as I think I'm supposed to, but I seem to get a different hash.

    Example code.
    Add User form posts to this php script:

    PHP Code:
    if ($_SERVER['REQUEST_METHOD'] == "POST") {
        # generate a random salt to use for this account
        $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));

        $saltedPW = $_POST['password'] . $salt;

        $hashedPW = hash('sha256', $saltedPW);

        # escape user-supplied values before they go into the SQL string
        $username = mysql_real_escape_string($_POST['username']);
        $access = mysql_real_escape_string($_POST['access']);

        $query = "INSERT INTO users (username, password, access, salt) VALUES('" . $username . "','" . $hashedPW . "','" . $access . "','" . $salt . "') ";

        $result = mysql_query($query) or die(mysql_error());
        if ($result) {
            echo htmlspecialchars($_POST['username']) . " Successfully Added.";
        }
    }
    Login form posts to this:
    PHP Code:
    if ($_SERVER['REQUEST_METHOD'] == "POST") {
        // escape the user-supplied name before it goes into the SQL strings
        $username = mysql_real_escape_string($_POST['username']);

        $saltQuery = "SELECT salt FROM users WHERE username = '" . $username . "' ";
        $result = mysql_query($saltQuery);

        $row = mysql_fetch_assoc($result);
        $salt = $row['salt'];

        $saltedPW = $_POST['password'] . $salt;

        $hashedPW = hash('sha256', $saltedPW);

        $query = "SELECT * FROM users WHERE username = '" . $username . "' AND password = '" . $hashedPW . "' ";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_row($result); // get the single row.
        $access = $row[3]; // display the value.

        if (mysql_num_rows($result) > 0) {
            // ......... do stuff here
        }
    }

    Any suggestions where I'm going wrong?

  2. #2
    K. Wolfe
    Try echoing salt before entering it into the db and then also echoing after retrieving it and ensure they are the same. I have a feeling your salt is being truncated in your db.

  3. #3
    SitePoint Enthusiast
    Hi Kyle,

    Appreciate the quick response. As always you were spot on. I have stared at the code for so long now that I hadn't noticed the salt was being truncated.

    Thanks again.

  4. #4
    K. Wolfe
    Originally posted by maanse:
        As always you were spot on.

    Definitely not! lol. I'd recommend just running a substr() on your entry to the db to whatever your field size is in case bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)) has a variable output length and may exceed your column size again.

  5. #5
    SitePoint Enthusiast
    Well you've certainly helped me out in the past. That seems like a good suggestion; I will add it as soon as possible....

    thanks.
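
The truncation diagnosed in reply #2 and the column-width concern in reply #4, reproduced as an added example that is not code from the thread. It assumes a 32-character salt column (the thread never states the real width) and uses random_bytes() in place of mcrypt_create_iv(), which was removed in PHP 7.2; all function names are illustrative.

```php
<?php
// Added illustration, not code from the thread.
// Assumption: the salt column is 32 characters wide (the thread does not say).
const SALT_COLUMN_WIDTH = 32;

function make_salt(): string {
    // random_bytes() replaces mcrypt_create_iv(), removed in PHP 7.2.
    // 32 bytes always hex-encode to exactly 64 characters.
    return bin2hex(random_bytes(32));
}

function hash_password(string $password, string $salt): string {
    // Same construction as the thread: sha256(password . salt)
    return hash('sha256', $password . $salt);
}

// Mimics MySQL in non-strict mode, which cuts an over-long string to the
// column width and raises only a warning.
function store_in_column(string $value, int $width): string {
    return substr($value, 0, $width);
}

function login_matches(string $password, string $storedSalt, string $storedHash): bool {
    // hash_equals() compares the two digests in constant time
    return hash_equals($storedHash, hash_password($password, $storedSalt));
}

$password = 'correct horse battery';          // constructed sample input
$salt     = make_salt();
$hash     = hash_password($password, $salt);  // registration used the full salt

// What registration actually saved when the column was too narrow.
$savedSalt = store_in_column($salt, SALT_COLUMN_WIDTH);
printf("generated %d chars, stored %d chars\n", strlen($salt), strlen($savedSalt));

// Login re-hashes with the shortened salt, so the digest no longer matches.
printf("narrow column: %s\n", login_matches($password, $savedSalt, $hash) ? 'match' : 'MISMATCH');

// A column that holds all 64 characters gives back the salt that was hashed.
$savedSalt = store_in_column($salt, strlen($salt));
printf("wide column:   %s\n", login_matches($password, $savedSalt, $hash) ? 'match' : 'MISMATCH');

// Trimming only helps if it happens before hashing, so that the hashed salt
// and the stored salt are the same string.
$trimmed = substr(make_salt(), 0, SALT_COLUMN_WIDTH);
$hash2   = hash_password($password, $trimmed);
printf("trim first:    %s\n", login_matches($password, store_in_column($trimmed, SALT_COLUMN_WIDTH), $hash2) ? 'match' : 'MISMATCH');
```

With MySQL in strict mode the over-long INSERT is rejected with an error instead of being cut, which surfaces the problem at registration rather than at login.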

