NuMan Posted July 10, 2008

Well I've made a log in box for my users, but I need help making it read passwords encrypted with sha512 from my database. Any help? Thanks in advance.

lemmin Posted July 10, 2008

Use hash(): http://www.php.net/manual/en/function.hash.php

```php
hash("sha512", $password);
```

NuMan Posted July 10, 2008

> use hash(): http://www.php.net/manual/en/function.hash.php
>
> hash ("sha512", $password);

Thank you!

NuMan Posted July 10, 2008

Sorry for the double reply, but the code still doesn't work. Can anyone help me? Here's my code:

login_do.php:

```php
<?php
session_start();
?>
<title>Logging in...</title>
<?php
include('config.php');
$name = $_POST['username'];
$pass = hash("sha512", $password);
} else {
$pass = sha1($password);
$query = sprintf("SELECT id, name, password, gm FROM accounts WHERE name='%s' AND password='%s'",
    mysql_real_escape_string($name),
    mysql_real_escape_string($pass));
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
if( mysql_num_rows($result) != 0 ) {
    //success
    $_SESSION['login_id'] = $row['id'];
    $_SESSION['login_user'] = $name;
    $_SESSION['login_pass'] = $pass;
    $_SESSION['gm'] = $row['gm'] == 1 ? 1 : 0;
    echo "<center>You're now signed in!</center>";
    exit;
} else {
    //failure
    echo 'You didnt input valid login details.';
}
?>
```

login.php:

```html
<form method="post" action="functions/login_do.php">
<tr>
<td class=list align=right>Username:</td>
<td class=list><input type="text" name="username" maxlength="30" /></td>
</tr>
<tr>
<td class=list align=right>Password:</td>
<td class=list><input type="password" name="password" maxlength="30" /></td>
</tr>
<tr>
<td class=listtitle align="center" colspan=2><input type="image" name="login" value="Login" src="images/submit.gif"></td>
</tr>
</form>
</table>
<div align="center">
<h3><br />
<a href="logout.php"> Logout</a></h3>
</div></td>
</tr>
</table>
```

vicodin Posted July 10, 2008

I really don't think it's supported... Try "SHA-512" "SHA512"... The question is, do you really need that kind of algo? You gonna be storing top secret government shit?

vicodin Posted July 10, 2008

Make sure you're using PHP5 too.

NuMan Posted July 10, 2008

> I really dont think its supported... Try "SHA-512" "SHA512"... The question is do you really need that kind of algo.? You gonna be storing top secert goverment shit?

When I use Sha-512 I get:

```
Unknown hashing algorithm: sha-512 in /home/gamerzba/public_html/kantoms/templates/functions/login_do.php on line 7
You didnt input valid login details or a hacking attempt was detected.
```

And about why, well, I had several hack attempts. And this is the only way that I think they won't get to me x.x

discomatt Posted July 10, 2008

Nothing wrong with SHA512 if you got the room in your DB.

One thing to note:

```php
$query = sprintf("SELECT id, name, password, gm FROM accounts WHERE name='%s' AND password='%s'",
    mysql_real_escape_string($name),
    mysql_real_escape_string($pass));
```

Don't escape hashed values. You shouldn't need to, and this could potentially change the data you're comparing.

Why isn't it working? Is the data not matching? Are you getting an error?

vicodin Posted July 10, 2008

Try it with all capitals like I have: SHA512

NuMan Posted July 10, 2008

> Nothing wrong with SHA512 if you got the room in your DB. One thing to note
>
> $query = sprintf("SELECT id, name, password, gm FROM accounts WHERE name='%s' AND password='%s'", mysql_real_escape_string($name), mysql_real_escape_string($pass));
>
> Don't escape hashed values. You shouldn't need to, and this could potentially change the data you're comparing. Why isn't it working? Is the data not matching? Are you getting an error?

I am getting 'You didnt input valid login details.' even though I am putting in the right details. If you need my config.php, here it is:

```php
<?php
$host['naam'] = 'IP';                   // my host
$host['gebruikersnaam'] = 'username';   // my database username
$host['wachtwoord'] = 'pass';           // my database password
$host['databasenaam'] = 'database';     // my database name

$db = mysql_connect($host['naam'], $host['gebruikersnaam'], $host['wachtwoord']) OR die ('Cant connect to the database');
mysql_select_db($host['databasenaam'], $db);
```

discomatt Posted July 10, 2008

Do some debugging.

```php
$query = sprintf("SELECT id, name, password, gm FROM accounts WHERE name='%s'",
    mysql_real_escape_string($name));
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
if( mysql_num_rows($result) != 0 ) {
    //success
    echo 'You logged in using ' . $user . ' : ' . $pass . '<br>';
    echo 'The expected data is ' . $row['name'] . ' : ' . $row['password'];
    exit;
} else {
    //failure
    echo 'You didnt input valid username.';
}
```

Should help you figure out what's going wrong.

NuMan Posted July 10, 2008

Here's the result:

```
You logged in using : cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
The expected data is Mario : 018f891224985c9994d588d22f46222180708314d8bc1ee8679bec79c934fb5e2543fe9fb3c8f6377d30118a1353dc4879071f244033d29b5d1a6ea986935398
```

That means it's not reading the passwords right?

discomatt Posted July 10, 2008

It means the password was stored incorrectly in the first place. Try throwing

```
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
```

into the 'password' field in your db.

NuMan Posted July 10, 2008

> it means the password was stored incorrectly in the first place. Try throwing cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e Into the 'password' field in your db.

```
You logged in using : cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
The expected data is Mario : cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
```

When I use my normal one, it says: You have sucessfully logged on.

discomatt Posted July 10, 2008

Perfect, now run your original script

NuMan Posted July 10, 2008

> Perfect, now run your original script

Well it worked... but that's not the correct information. >_> See, my password was mario3641192. The Sha512 of that is:

```
90ed8c0851e2ba10f057251e5a02ed0a967da19de3a9ff60ff9d0022bd78a0272cdb87e041eae809294f0969ba5619529dc33582091a7ae169f42eebf920328f
```

not the one I put in. Could it be because my db is also mixed with salt?

discomatt Posted July 10, 2008

Well, there you go... you gotta use the same function to check your passwords that you use to store... salt included.

Dealing with salts is a bit different though. You have to select the password, where username=username.... extract the salt from the stored password, hash it with and append it to the password submitted, then compare the raw password from the database to the one you generated.

NuMan Posted July 10, 2008

I tried this:

```php
if(isset($db_salt)){
    $pass = hash('sha512', $password . $db_salt);
} else {
    $pass = sha1($password);
}
```

Still didn't work.

DarkWater Posted July 10, 2008

Do you salt the beginning or the end in your registration script?

NuMan Posted July 10, 2008

My registration script does not do salt; the salt is applied at their 1st log in. When they register, a Sha1 password is applied, and when they log in the 1st time their pass is automatically changed to sha512 + salt.

discomatt Posted July 10, 2008

Here's a salt function I use

```php
<?php
$pw = 'testing!';
$hashed = makeHash( $pw );

echo "$pw hashed and salted returns $hashed <br>";

if ( makeHash( 'testing!', $hashed ) )
    echo 'Comparison checked out!';
else
    echo 'Comparison failed!';

function makeHash( $pw, $compare = FALSE ) {
    $saltLen = 32; # Length Of the salt
    $saltDiv = 12; # Any number less than $saltLen - used to split the salt in half ( even harder to extract )
    $algo = 'sha384'; # I chose 384 because 384 + a 128 bit salt = 512 bit string... makes the salting process less apparent to a cracker

    if ( !$compare ) {
        # No stored value given: generate a salt and return the string to store
        $salt = substr( hash( $algo, uniqid(rand(), true) ), 0, $saltLen );
        return substr( $salt, 0, $saltDiv ) . hash( $algo, $pw.$salt ) . substr( $salt, $saltDiv );
    }

    # Stored layout: first $saltDiv salt characters, then the hash, then the rest of the salt
    $hashLen = strlen( $compare ) - $saltLen;
    $salt = substr( $compare, 0, $saltDiv ) . substr( $compare, $saltDiv + $hashLen );
    $pwHash = substr( $salt, 0, $saltDiv ) . hash( $algo, $pw.$salt ) . substr( $salt, $saltDiv );

    # Strict comparison of the recomputed string with the stored one
    if ( $pwHash === $compare )
        return TRUE;
    return FALSE;
}
?>
```

So, when you're creating a user, simply store makeHash( 'theirpassword' ) into the database, and when you want to check if someone is logging in with the right password, you can use something like

```php
$r = mysql_query( "SELECT `password`, `access` FROM `users` WHERE `username` = '" . mysql_real_escape_string($_POST['username']) . "' LIMIT 1" );
$data = mysql_fetch_assoc( $r );

if ( makeHash($_POST['password'], $data['password']) )
    echo 'Logged in successfully';
else
    echo 'Password didn\'t match!';
```

discomatt Posted July 10, 2008

> My registration script does not do salt, the salt is applied when at their 1st log in. When they register, a Sha1 password is apply and when they log in the 1st time their pass is automatically changed to sha512 + salt.

That is confusing and unnecessary. See my above example. Salt it from the start!

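Added example, not written by any poster in this thread: a login check that verifies each stored value with the scheme that produced it and upgrades legacy unsalted SHA-1 rows on the first successful login, the flow described above. It swaps the thread's hand-rolled SHA-512 plus salt for PHP's built-in password_hash()/password_verify() (PHP 5.5+, with hash_equals() from 5.6); the `$accounts` array, the function names and the sample password are assumptions standing in for the real `accounts` table.

```php
<?php
// Constructed sample data: one legacy row holding an unsalted SHA-1 hex digest,
// as the registration script described in the thread would store it.
$accounts = array(
    'Mario' => array('id' => 1, 'password' => sha1('correct horse')),
);

// Hypothetical helper: a 40-character hex string is treated as a legacy SHA-1 row.
function isLegacySha1($stored) {
    return (bool) preg_match('/^[0-9a-f]{40}$/', $stored);
}

// Returns the account id on success, false otherwise; upgrades legacy rows in place.
function login(array &$accounts, $name, $password) {
    // Reject a missing or empty password before hashing anything: hashing an
    // unset variable yields the digest of the empty string (the cf83e135...
    // value in the debug output above is SHA-512 of '').
    if (!is_string($password) || $password === '' || !isset($accounts[$name])) {
        return false;
    }
    $stored = $accounts[$name]['password'];

    if (isLegacySha1($stored)) {
        // Check with the same function that created the stored value.
        $ok = hash_equals($stored, sha1($password));
    } else {
        // password_verify() reads the algorithm, cost and salt from $stored.
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // Re-hash while the plaintext is at hand: legacy rows or outdated parameters.
    if (isLegacySha1($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $accounts[$name]['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $accounts[$name]['id'];
}

var_dump(login($accounts, 'Mario', ''));                 // empty password field
var_dump(login($accounts, 'Mario', 'wrong'));            // wrong password, legacy row
var_dump(login($accounts, 'Mario', 'correct horse'));    // legacy check, then upgrade
var_dump(isLegacySha1($accounts['Mario']['password']));  // row format after upgrade
var_dump(login($accounts, 'Mario', 'correct horse'));    // password_verify() path
```
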
This topic is now archived and is closed to further replies.