Working with Hash


Nightasy
Solved by mac_gyver

Greetings all,

 

I was trying to learn how to use hash to encrypt the passwords in my database and that went all fine till I tried to create some login scripts. The username and password always show as not matching. I'm obviously new to PHP and taking a college course on it right now. This is not an assignment, more just me fooling around trying to learn some things beyond the scope of the course. Here's the code that's not working.

 

I know the problem is on this page here. The actual registration works like a charm and encrypts the password just fine. I just don't understand how to unencrypt that password to check if the user is using the correct password when logging in.

<?php
// This page defines two functions used by the login/logout process.
/* This function determines an absolute URL and redirects the user there.
The function takes one argument: the page to be redirected to.
The argument defaults to login.php.*/
function redirect_user ($page = 'login.php') {

	// Start defining the URL...
	// URL is http:// plus the host name plus the current directory:
	$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

	// Remove any trailing slashes:
	$url = rtrim($url, '/\\');

	// Add the page:
	$url .= '/' . $page;

	// Redirect the user:
	header("Location: $url");
	exit(); // Quit the script.
} // End of redirect_user( ) function.


/* This function validates the form data (the user name and password).
* If both are present, the database is queried.
* The function requires a database connection.
* The function returns an array of information, including:
* - a TRUE/FALSE variable indicating success
* - an array of either errors or the database result*/
function check_login($connect, $username = '',$password = '') {

$errors = array(); // Initialize error array.

// Validate the user name:
if (empty($username)) {
	$errors[] = 'You forgot to enter your user name.';
	} else {
		$username = mysqli_real_escape_string($connect, trim($username));
		}

// Validate the password:
if (empty($password)) {
	$errors[] = 'You forgot to enter your password.';
	} else {
		$password = mysqli_real_escape_string($connect, trim($password));
		}


if (empty($errors)) { // If everything's OK.
	require ("includes/pwhash.php");
	$pass_hash = PassHash::hash($password);
	
	$q = "SELECT guestid, username FROM memberlist WHERE username='$username' AND password='$pass_hash'";
	$r = @mysqli_query ($connect, $q);
	// Run the query.

	// Check the result:
	if (mysqli_num_rows($r) == 1) {
		// Fetch the record:
		$row = mysqli_fetch_array ($r,MYSQLI_ASSOC);

// Return true and the record:
		return array(true, $row);
		} else {
			// Not a match!
			$errors[] = 'The user name and password entered do not match those on file.';
			}

} // End of empty($errors) IF.

// Return false and the errors:
return array(false, $errors);

} // End of check_login( ) function.

The actual function that created the hash is here.

pwhash.php

<?php
class PassHash {

	// blowfish
	private static $algo = '$2a';

	// cost parameter
	private static $cost = '$10';
	// mainly for internal use
	public static function unique_salt() {
		return substr(sha1(mt_rand()),0,22);
	}

	// this will be used to generate a hash
	public static function hash($password) {

		return crypt($password,
					self::$algo .
					self::$cost .
					'$' . self::unique_salt());

	}
	// this will be used to compare a password against a hash
	public static function check_password($hash, $password) {

		$full_salt = substr($hash, 0, 29);

		$new_hash = crypt($password, $full_salt);

		return ($hash == $new_hash);

	}

}
?>

If anyone is willing to help and needs to see other pages let me know. I'll be happy to post them here. Sheesh, working with hashes makes little sense to me. 8(

 

Regards,

Nightasy


  • Solution

Your PassHash::hash() method is used to hash the initial password. To test if an entered password matches the stored hashed value, you need to use the check_password() method (kind of why the comment says // this will be used to compare a password against a hash).

 

To do this, your code must run a query that matches the username, then retrieve the `password` column for that username, and use the `password` column value and the entered password as parameters to the check_password() method.
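
The lookup-then-verify flow described in the answer above, as an added example that is not part of the original thread or either poster's code. It reuses the `memberlist` columns and `PassHash::check_password()` from the question, switches to a prepared statement, and assumes registration hashed the password exactly as the user typed it.

```php
<?php
// Added example: find the user by name, then verify the entered password
// against the stored hash instead of re-hashing it for the WHERE clause.
require_once 'includes/pwhash.php'; // the PassHash class from the post

function check_login(mysqli $connect, string $username = '', string $password = ''): array
{
    $errors = [];
    $username = trim($username);

    if ($username === '') {
        $errors[] = 'You forgot to enter your user name.';
    }
    // The password is never placed in SQL, so it is not escaped. Assumption:
    // registration did not trim or escape it before hashing either.
    if ($password === '') {
        $errors[] = 'You forgot to enter your password.';
    }
    if ($errors) {
        return [false, $errors];
    }

    // Match on username only. PassHash::hash() uses a fresh random salt on
    // every call, so a newly computed hash never equals the stored one.
    $stmt = mysqli_prepare(
        $connect,
        'SELECT guestid, username, password FROM memberlist WHERE username = ?'
    );
    if ($stmt === false) {
        return [false, ['A system error occurred. Please try again later.']];
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $guestid, $dbUsername, $storedHash);
    $found = mysqli_stmt_fetch($stmt); // true = row, null = no row, false = error
    mysqli_stmt_close($stmt);

    // check_password() re-runs crypt() with the salt embedded in the stored hash.
    if ($found === true && PassHash::check_password($storedHash, $password)) {
        return [true, ['guestid' => $guestid, 'username' => $dbUsername]];
    }

    // One message for both unknown user and wrong password.
    return [false, ['The user name and password entered do not match those on file.']];
}
```

On PHP 5.5 and later, the built-in `password_hash()` and `password_verify()` cover the same job as the `PassHash` class, and `password_verify()` accepts hashes produced by `crypt()`.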
