
Log In with Sha512


NuMan


Sorry for the double reply, but the code still doesn't work. Can anyone help me? Here's my code:

 

login_do.php:

<?php session_start(); ?>
<title>Logging in...</title>
<?php
include('config.php');

$name = $_POST['username'];
$pass = hash("sha512", $password);
} else {
	$pass = sha1($password);

$query = sprintf("SELECT id, name, password, gm FROM accounts WHERE name='%s' AND password='%s'",
    mysql_real_escape_string($name),
    mysql_real_escape_string($pass));

$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

if( mysql_num_rows($result) != 0 ) { //success
	$_SESSION['login_id'] = $row['id'];
	$_SESSION['login_user'] = $name;
	$_SESSION['login_pass'] = $pass;
	$_SESSION['gm'] = $row['gm'] == 1 ? 1 : 0;
        echo "<center>You're now signed in!</center>";
	exit;
} else {							 //failure
	echo 'You didnt input valid login details.';
}

?>

 

login.php

<form method="post" action="functions/login_do.php">
											<tr>
                                                	<td class=list align=right>Username:</td>
                                                    <td class=list><input type="text" name="username" maxlength="30" /></td>
											</tr>
											<tr>
                                                	<td class=list align=right>Password:</td>
                                                    <td class=list><input type="password" name="password" maxlength="30" /></td>
											</tr>
											<tr>
                                                	<td class=listtitle align="center" colspan=2><input type="image" name="login" value="Login" src="images/submit.gif"></td>
											</tr>
										</form>
									</table>
								    <div align="center">
								      <h3><br />
								          <a href="logout.php"> Logout</a></h3>
								    </div></td>
							</tr>						
						</table>

 

Link to comment
Share on other sites

I really don't think it's supported... Try "SHA-512" "SHA512"... The question is, do you really need that kind of algo? You gonna be storing top secret government shit?

 

When I use Sha-512 I get: Unknown hashing algorithm: sha-512 in /home/gamerzba/public_html/kantoms/templates/functions/login_do.php on line 7

You didnt input valid login details or a hacking attempt was detected.

 

And about why, well, I had several hack attempts. And this is the only way that I think they won't get to me x.x

Link to comment
Share on other sites

Nothing wrong with SHA512 if you got the room in your DB.

 

One thing to note

 

	$query = sprintf("SELECT id, name, password, gm FROM accounts WHERE name='%s' AND password='%s'",
    mysql_real_escape_string($name),
    mysql_real_escape_string($pass));

 

Don't escape hashed values. You shouldn't need to, and this could potentially change the data you're comparing. Why isn't it working? Is the data not matching? Are you getting an error?

Link to comment
Share on other sites

Nothing wrong with SHA512 if you got the room in your DB.

 

One thing to note

 

	$query = sprintf("SELECT id, name, password, gm FROM accounts WHERE name='%s' AND password='%s'",
    mysql_real_escape_string($name),
    mysql_real_escape_string($pass));

 

Don't escape hashed values. You shouldn't need to, and this could potentially change the data you're comparing. Why isn't it working? Is the data not matching? Are you getting an error?

 

I am getting: 'You didnt input valid login details.'; even though I am putting in the right details. If you need my config.php, here it is:

 

<?php
$host['naam'] = 'IP';                // my host
$host['gebruikersnaam'] = 'username';       // my database username
$host['wachtwoord'] = 'pass';   // my database password
$host['databasenaam'] = 'database';       // my database name

$db = mysql_connect($host['naam'], $host['gebruikersnaam'], $host['wachtwoord']) OR die ('Cant connect to the database');
mysql_select_db($host['databasenaam'], $db);

 

Link to comment
Share on other sites

Do some debugging.

 

	$query = sprintf("SELECT id, name, password, gm FROM accounts WHERE name='%s'",
    mysql_real_escape_string($name));

$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

if( mysql_num_rows($result) != 0 ) { //success
	echo 'You logged in using ' . $user . ' : ' . $pass . '<br>';
	echo 'The expected data is ' . $row['name'] . ' : ' . $row['password'];
	exit;
} else {							 //failure
	echo 'You didnt input valid username.';
}

 

Should help you figure out what's going wrong.

Link to comment
Share on other sites

here's the result:

You logged in using : cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

The expected data is Mario : 018f891224985c9994d588d22f46222180708314d8bc1ee8679bec79c934fb5e2543fe9fb3c8f6377d30118a1353dc4879071f244033d29b5d1a6ea986935398

 

That means it's not reading the passwords right?

Link to comment
Share on other sites

it means the password was stored incorrectly in the first place. Try throwing

 

cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

 

Into the 'password' field in your db.

Link to comment
Share on other sites

it means the password was stored incorrectly in the first place. Try throwing

 

cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

 

Into the 'password' field in your db.

 

You logged in using : cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

The expected data is Mario : cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

 

When I use my normal one, it says: You have sucessfully logged on.

Link to comment
Share on other sites

Perfect, now run your original script :D

 

Well, it worked... but that's not the correct information. >_>

see my password was mario3641192

the Sha512 of that is: 90ed8c0851e2ba10f057251e5a02ed0a967da19de3a9ff60ff9d0022bd78a0272cdb87e041eae809294f0969ba5619529dc33582091a7ae169f42eebf920328f

not the one i put in. Could it be because my db is also mixed with salt?

Link to comment
Share on other sites

Well, there you go... you gotta use the same function to check your passwords that you use to store... salt included.

 

Dealing with salts is a bit different though.

 

You have to select the password, where username=username.... extract the salt from the stored password, hash it with and append it to the password submitted, then compare the raw password from the database to the one you generated.

Link to comment
Share on other sites

My registration script does not do salt; the salt is applied at their 1st log in. When they register, a Sha1 password is applied, and when they log in the 1st time their pass is automatically changed to sha512 + salt.

Link to comment
Share on other sites

Here's a salt function I use

 

<?php

$pw = 'testing!';

$hashed = makeHash( $pw );

echo "$pw hashed and salted returns $hashed <br>";

if (  makeHash( 'testing!', $hashed )  )
echo 'Comparison checked out!';
else
echo 'Comparison failed!';


function makeHash( $pw, $compare = FALSE ) {

$saltLen = 32; # Length Of the salt
$saltDiv = 12; # Any number less than $saltLen - used to split the salt in half ( even harder to extract )
$algo = 'sha384'; # I chose 384 because 384 + a 128 bit salt = 512 bit string... makes the salting process less apparent to a cracker

if ( !$compare ) {
	$salt = substr(  hash( $algo, uniqid(rand(), true) ), 0, $saltLen  );
	return substr( $salt, 0, $saltDiv ) . hash( $algo, $pw.$salt ) . substr( $salt, $saltDiv );
}

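$hashLen = strlen( $compare ) - $saltLen;
# The second part of the salt starts right after the first part and the hash
$salt = substr( $compare, 0, $saltDiv ) . substr( $compare, $saltDiv+$hashLen );

$pwHash = substr( $salt, 0, $saltDiv ) . hash( $algo, $pw.$salt ) . substr( $salt, $saltDiv );
# Compare with === ( a single = assigns and is always TRUE ); on PHP 5.6+ hash_equals() does this in constant time
if ( $pwHash === $compare )
	return TRUE;
return FALSE;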

}

?>

 

So, when you're creating a user, simply store makeHash( 'theirpassword' ) into the database, and when you want to check if someone is logging in with the right password, you can use something like

 


$r = mysql_query( "SELECT `password`, `access` FROM `users` WHERE `username` = '" . mysql_real_escape_string($_POST['username']) . "' LIMIT 1" );
$data = mysql_fetch_assoc( $r );

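// $data is FALSE for an unknown username; makeHash() with no stored hash would return a new (truthy) hash
if ( $data && makehash($_POST['password'], $data['password']) )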
   echo 'Logged in successfully';
else
   echo 'Password didn\'t match!';

Link to comment
Share on other sites

My registration script does not do salt; the salt is applied at their 1st log in. When they register, a Sha1 password is applied, and when they log in the 1st time their pass is automatically changed to sha512 + salt.

 

That is confusing and unnecessary. See my above example. Salt it from the start!

Link to comment
Share on other sites
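
Added example (not code from this thread): the flow discussed above, with the account looked up by name only, the hash compared in PHP, and a legacy SHA-1 record upgraded at first login. It swaps the thread's hand-rolled salted SHA scheme for PHP's built-in password_hash()/password_verify() (PHP 5.5+; hash_equals() needs 5.6+), which store the salt inside the hash string. The $accounts array, the sample password and the function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. $accounts stands in for the
// accounts table (constructed sample data); function names are hypothetical.
$accounts = array(
    // Legacy row: unsalted SHA-1, as a registration script might have written it.
    'Mario' => array('id' => 1, 'password' => sha1('example-password')),
);

function isLegacySha1($stored) {
    // 40 hex characters is a bare SHA-1 digest, not a password_hash() string.
    return strlen($stored) === 40 && ctype_xdigit($stored);
}

function verifyLogin(array &$accounts, $name, $password) {
    // Unknown user or non-string input must fail, never fall through to a match.
    if (!is_string($name) || !is_string($password) || !isset($accounts[$name])) {
        return false;
    }
    $stored = $accounts[$name]['password'];

    if (isLegacySha1($stored)) {
        // Constant-time digest comparison, then upgrade the stored value
        // while the plaintext is still available.
        if (!hash_equals($stored, sha1($password))) {
            return false;
        }
        $accounts[$name]['password'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    // password_verify() reads algorithm, cost and salt from the stored string.
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $accounts[$name]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(verifyLogin($accounts, 'Mario', 'wrong-password'));   // wrong password
var_dump(verifyLogin($accounts, 'Mario', 'example-password')); // legacy row, gets upgraded
var_dump(isLegacySha1($accounts['Mario']['password']));        // row after the upgrade
var_dump(verifyLogin($accounts, 'Mario', 'example-password')); // verified against the new hash
var_dump(verifyLogin($accounts, 'Nobody', 'example-password'));// unknown user
```

With a real table, the password column must be wide enough for the password_hash() output; the PHP manual recommends 255 characters.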
