Working with Hash

encryption

2 replies to this topic

#1 Nightasy

Nightasy

    Advanced Member

  • Members
  • 66 posts

Posted 04 July 2013 - 07:56 PM

Greetings all,

 

I was trying to learn how to use hashing to encrypt the passwords in my database, and that went all fine till I tried to create some login scripts. The username and password always show as not matching. I'm obviously new to PHP and taking a college course on it right now. This is not an assignment, more just me fooling around trying to learn some things beyond the scope of the course. Here's the code that's not working.

 

I know the problem is on this page here. The actual registration works like a charm and encrypts the password just fine. I just don't understand how to unencrypt that password to check if the user is using the correct password when logging in.

<?php
// This page defines two functions used by the login/logout process.
/* This function determines an absolute URL and redirects the user there.
The function takes one argument: the page to be redirected to.
The argument defaults to index.php.*/
function redirect_user ($page = 'login.php') {

	// Start defining the URL...
	// URL is http:// plus the host name plus the current directory:
	$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

	// Remove any trailing slashes:
	$url = rtrim($url, '/\\');

	// Add the page:
	$url .= '/' . $page;

	// Redirect the user:
	header("Location: $url");
	exit(); // Quit the script.
} // End of redirect_user( ) function.


/* This function validates the form data (the user name and password).
 * If both are present, the database is queried.
 * The function requires a database connection.
 * The function returns an array of information, including:
 * - a TRUE/FALSE variable indicating success
 * - an array of either errors or the database result */
function check_login($connect, $username = '', $password = '') {

	$errors = array(); // Initialize error array.

	// Validate the user name:
	if (empty($username)) {
		$errors[] = 'You forgot to enter your user name.';
	} else {
		$username = mysqli_real_escape_string($connect, trim($username));
	}

	// Validate the password:
	if (empty($password)) {
		$errors[] = 'You forgot to enter your password.';
	} else {
		$password = mysqli_real_escape_string($connect, trim($password));
	}

	if (empty($errors)) { // If everything's OK.
		require ("includes/pwhash.php");

		// This is where the login fails: hash() picks a fresh random salt on
		// every call, so $pass_hash never equals the hash that was stored at
		// registration (see reply #2 for the fix).
		$pass_hash = PassHash::hash($password);

		// Run the query:
		$q = "SELECT guestid, username FROM memberlist WHERE username='$username' AND password='$pass_hash'";
		$r = @mysqli_query ($connect, $q);

		// Check the result:
		if (mysqli_num_rows($r) == 1) {
			// Fetch the record:
			$row = mysqli_fetch_array ($r, MYSQLI_ASSOC);

			// Return true and the record:
			return array(true, $row);
		} else {
			// Not a match!
			$errors[] = 'The user name and password entered do not match those on file.';
		}

	} // End of empty($errors) IF.

	// Return false and the errors:
	return array(false, $errors);

} // End of check_login( ) function.

The actual function that created the hash is here.

pwhash.php

<?php
class PassHash {

	// bcrypt (Blowfish-based) hash identifier. '$2a' is the older name; PHP 5.3.7
	// and later also accept '$2y', which sidesteps a bug in old '$2a' implementations.
	private static $algo = '$2a';

	// cost parameter: 2^10 rounds of the key schedule
	private static $cost = '$10';

	// mainly for internal use: 22 characters of salt in bcrypt's alphabet.
	// Note: mt_rand() is not a cryptographic generator, so this salt carries far
	// less entropy than 22 characters suggest; a CSPRNG source is preferable.
	public static function unique_salt() {
		return substr(sha1(mt_rand()), 0, 22);
	}

	// this will be used to generate a hash. Each call draws a new salt, so the
	// same password produces a different string every time; the salt is kept
	// inside the returned hash, which is what gets stored.
	public static function hash($password) {

		return crypt($password,
					self::$algo .
					self::$cost .
					'$' . self::unique_salt());

	}

	// this will be used to compare a password against a hash: the first 29
	// characters ("$2a$10$" plus the 22-character salt) are reused as the salt,
	// so crypt() reproduces the stored hash exactly when the password matches.
	public static function check_password($hash, $password) {

		$full_salt = substr($hash, 0, 29);

		$new_hash = crypt($password, $full_salt);

		return ($hash == $new_hash);

	}

}
?>

If anyone is willing to help and needs to see other pages let me know. I'll be happy to post them here. Sheesh, working with hashes makes little sense to me. 8(

 

Regards,

Nightasy


Edited by Nightasy, 04 July 2013 - 07:58 PM.


#2 mac_gyver

mac_gyver

    Advanced Member

  • Administrators
  • 2,481 posts

Posted 04 July 2013 - 08:13 PM   Best Answer

your PassHash::hash() method is used to hash the initial password. to test if an entered password matches the stored hashed value, you need to use the check_password() method (kind of why the comment says // this will be used to compare a password against a hash)

 

to do this, your code must run a query that matches the username, then retrieve the `password` column for that username, and use the `password` column value and the entered password as parameters to the check_password() method.


multi-purpose programming fool. well written source-code should be self-documenting. well written code should be self-troubleshooting. 
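The procedure in the reply above (query by user name, read the stored `password` column, hand it to check_password()) worked through as an added example. This is not code from either poster: the PassHash class is copied from Nightasy's pwhash.php so the file runs on its own, the table and column names (memberlist, guestid, username, password) are the ones from the question, and every other name here (mysqli_row_lookup, hashes_differ, the $lookup callable, the in-memory member list and the user alice) is an assumption made for the example.

```php
<?php
// Added example, not code from either poster: a login check that follows
// mac_gyver's answer. PassHash is copied from Nightasy's pwhash.php so the
// file runs on its own; every other name here is an assumption.

class PassHash {
    private static $algo = '$2a';
    private static $cost = '$10';

    public static function unique_salt() {
        return substr(sha1(mt_rand()), 0, 22);
    }

    public static function hash($password) {
        return crypt($password, self::$algo . self::$cost . '$' . self::unique_salt());
    }

    public static function check_password($hash, $password) {
        $full_salt = substr($hash, 0, 29);   // "$2a$10$" + 22-character salt
        $new_hash = crypt($password, $full_salt);
        return ($hash == $new_hash);
    }
}

// Why the original query never matched: hash() draws a fresh salt each call,
// so hashing the same password twice gives two different strings.
function hashes_differ($password) {
    return PassHash::hash($password) !== PassHash::hash($password);
}

// Database lookup (assumed helper): returns a closure that maps a user name to
// its memberlist row, or null when no such user exists. A prepared statement
// binds the user name, so mysqli_real_escape_string() is not needed. Table and
// column names are the ones from the question.
function mysqli_row_lookup(mysqli $connect) {
    return function ($username) use ($connect) {
        $stmt = $connect->prepare(
            'SELECT guestid, username, password FROM memberlist WHERE username = ? LIMIT 1');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->bind_result($guestid, $name, $hash);
        $row = $stmt->fetch()
            ? array('guestid' => $guestid, 'username' => $name, 'password' => $hash)
            : null;
        $stmt->close();
        return $row;
    };
}

// Same return shape as the original check_login(): array(true, row) on success,
// array(false, errors) otherwise. $lookup is any callable username -> row|null.
function check_login(callable $lookup, $username = '', $password = '') {
    $errors = array();
    $username = trim($username);
    if ($username === '') { $errors[] = 'You forgot to enter your user name.'; }
    if ($password === '') { $errors[] = 'You forgot to enter your password.'; }
    if (!empty($errors)) { return array(false, $errors); }

    // Step 1: find the row for this user name and read its stored hash.
    $row = $lookup($username);

    // Step 2: let check_password() re-run crypt() with the stored salt.
    // One message covers both "no such user" and "wrong password", so the
    // login form does not reveal which user names exist.
    if ($row === null || !PassHash::check_password($row['password'], $password)) {
        return array(false, array('The user name and password entered do not match those on file.'));
    }

    unset($row['password']);   // the caller has no use for the hash
    return array(true, $row);
}

// Offline demo against a constructed in-memory "memberlist" (a stand-in for
// the database; with a real connection use mysqli_row_lookup($connect)).
$memberlist = array(
    'alice' => array('guestid' => 1, 'username' => 'alice',
                     'password' => PassHash::hash('correct horse')),
);
$lookup = function ($username) use ($memberlist) {
    return isset($memberlist[$username]) ? $memberlist[$username] : null;
};

var_dump(hashes_differ('correct horse'));
list($ok, $data) = check_login($lookup, 'alice', 'correct horse');
var_dump($ok, $data);
list($ok, $data) = check_login($lookup, 'alice', 'not the password');
var_dump($ok, $data);
```

The password itself is never escaped or altered before it reaches check_password(); escaping belongs to the query, and the prepared statement handles that for the user name. Newer PHP (5.5 and later) ships password_hash() and password_verify(), which do the same salt-inside-the-hash job as this class with a '$2y' identifier and a proper random salt; the example sticks with the thread's own class so the two halves line up with the question.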


#3 Nightasy

Nightasy

    Advanced Member

  • Members
  • 66 posts

Posted 04 July 2013 - 08:46 PM

@mac_gyver - Thanks a lot. I figured it out as per your feedback and it all works great now.


Edited by Nightasy, 04 July 2013 - 08:52 PM.

