limitphp Posted December 12, 2008

I'm running a query:

mysql_query("UPDATE user SET verified = 1 WHERE hash('md5',username.$salt) = '$usernameHash'") or die (mysql_error());

I'm trying to see if the usernameHash equals the username in the user table. Will this query work? Can you put a hash in a mysql_query? The column name in the user table is username.

Brian W Posted December 12, 2008

> mysql_query("UPDATE user SET verified = 1 WHERE hash('md5',username.$salt) = '$usernameHash'") or die (mysql_error());

if anything would look like this

mysql_query("UPDATE user SET verified = 1 WHERE 14c4b06b824ec593239362517f538b29 = '$usernameHash'") or die (mysql_error());

possibly:

$usernameHash = md5($username.$salt);
mysql_query("UPDATE user SET verified = 1 WHERE username = '$usernameHash'") or die (mysql_error());

???

limitphp Posted December 12, 2008

Yeah, $usernameHash already looks like 14c4b06b824ec593239362517f538b29. Problem is, username in the table user does not look like that. So when I do a query, I need the username in the user table to look like that.

gevans Posted December 12, 2008

Why don't you just not hash the post password, keep $hashPassword as whatever it was unhashed

Brian W Posted December 12, 2008

you store the username in plain text in the db, right? why not query it in plain text? it may take a second longer to process, but you query the users table, get all of the usernames, and run a loop where you hash the username from the db and match it to the username you are trying to find. if !=, move on to the next one. When you get the one ==, use that one to make your sessions or whatever.

limitphp Posted December 12, 2008

Yes. I store the username in plain text in the db. I send them a link after they register with their hashed username and a uniquID. I then check it against their hashed username and uniquID I have in a table. If it matches, I update their info in the user table... I set the verify column to 1. But you see, all I have is their usernameHash. So I need to check their usernameHash against their username in the table somehow.

You can't

UPDATE user SET verified = 1 WHERE hash('md5',username.$salt) = '$usernameHash'") or die (mysql_error());

I thought you could... maybe

UPDATE user SET verified = 1 WHERE md5(username.$salt) = '$usernameHash'") or die (mysql_error());

Brian W Posted December 12, 2008

... what?

gevans Posted December 12, 2008

Personally (this isn't necessarily helping you) I would use a GUID, not a hashed username or such. So you'd need one more field in your table, something like verify_guid.

The email link would look something like

verify?id=6B6BDDA6-C86B-11DD-8489-AE5355D89593

Then check that against your database.

Brian W Posted December 12, 2008

can I ask simply why you want to hash the username?

limitphp Posted December 12, 2008

> can I ask simply why you want to hash the username?

simply for extra security. I create a md5(uniquID.$salt) and a md5(username.$salt). Both are sent to user's email as querystrings. I figure it'll be more difficult to guess both. When they click on the link, it takes them to a page... and the page checks BOTH querystrings against the values of both in a table. Once they match, I update the user's info and set verified to 1.

limitphp Posted December 12, 2008

I guess what I'll do is after they successfully register, I'll send 3 things to the temp table that has their verificationID... a verificationID, hashed username and a regular username. Then I can just grab the unhashed username from the table and use that to match the user's info and update their profile.

gevans Posted December 12, 2008

That would work, but a GUID is a 'standard' way of doing this.

GUID = 'Globally Unique Identifier', it's all in the name

Brian W Posted December 12, 2008

I usually make it so that when they register, it makes a random string then hashes it. sends them an email with that string in their URL query string. I use the string as one field in a table with other fields like username, password, email, etc... when they go to the page (something like confirm.php?regisr=14c4b06b824ec593239362517f538b29) it queries the table in whatever field you set to the random string. If the query returns a row, use the row to make a user and give them a pretty "Welcome" message.

The likeliness of someone guessing a randomly created md5 is less than their chance of getting struck by lightning if they walked around in every lightning storm for a year carrying a 10-foot metal pole. lol

This is pretty damn secure I'd say cuz this is how major sites like myspace do it.

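Added example, not part of the original thread and not any poster's code: the random-token verification that gevans and Brian W describe above, with the token taken from a CSPRNG and checked through a prepared statement. The table layout, the verify_token_hash column and the function names are assumptions; SQLite in memory stands in for MySQL, and random_bytes() needs PHP 7 or later.

```php
<?php
// Added example: single-use e-mail verification token.
// Assumed names: table "user", column "verify_token_hash", functions register()/verify().
// SQLite in memory stands in for MySQL so the script runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    username TEXT PRIMARY KEY,
    verified INTEGER NOT NULL DEFAULT 0,
    verify_token_hash TEXT UNIQUE
)');

// Registration: create the row and return the token that goes into the e-mailed link.
function register(PDO $db, string $username): string
{
    // 16 bytes from the CSPRNG = 128 bits = 32 hex characters.
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO user (username, verify_token_hash) VALUES (?, ?)');
    // Only a hash of the token is stored, so a leaked table does not yield usable links.
    $stmt->execute([$username, hash('sha256', $token)]);
    return $token;
}

// Verification: the token alone identifies the row; no username, hashed or not, is needed.
function verify(PDO $db, string $token): bool
{
    // Reject anything that is not exactly 32 lowercase hex characters.
    if (preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE user SET verified = 1, verify_token_hash = NULL
         WHERE verify_token_hash = ? AND verified = 0'
    );
    // The value is bound as a parameter, never concatenated into the SQL string.
    $stmt->execute([hash('sha256', $token)]);
    // Exactly one row changes on success; clearing the hash makes the link single-use.
    return $stmt->rowCount() === 1;
}

// Constructed sample run.
$token = register($db, 'alice');
var_dump(strlen($token));                    // length of the token in the link
var_dump(verify($db, 'not-a-token'));        // malformed input
var_dump(verify($db, str_repeat('0', 32)));  // well-formed but unknown token
var_dump(verify($db, $token));               // the genuine link
var_dump(verify($db, $token));               // the same link a second time
```
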
gevans Posted December 12, 2008

That's basically a UUID, the older brother of GUID

Brian W Posted December 12, 2008

> That would work, but a GUID is a 'standard' way of doing this. GUID = 'Globally Unique Identifier', it's all in the name

I don't think it is all in the name... please explain what it does compared to "UUID". much appreciated, gevans.

gevans Posted December 12, 2008

When I said it's all in the name, I was talking with regards to using it as a unique identifier to identify a registered user in the verification process.

As far as what they do goes, there is no difference, the only difference is in the name:

Globally Unique Identifier
Universally Unique Identifier

They both produce a 128 bit number, normally presented in the following hexadecimal-grouped form:

6B6BDDA6-C86B-11DD-8489-AE5355D89593

Brian W Posted December 12, 2008

oh, i see. thanks for the info, gevans.

limitphp Posted December 12, 2008

> That would work, but a GUID is a 'standard' way of doing this. GUID = 'Globally Unique Identifier', it's all in the name

Everything is already written, is there a big difference in GUID compared to md5(uniquID.$salt)? Is 128 bit going to be 32 characters long? just curious....

gevans Posted December 12, 2008

As far as them being unique, not really, that will work fine!!