
[SOLVED] Hash Password Help!


Cetanu


So I've tested the code, and it will not work. The problem lies in here:

 

<?php 
$password = $_POST['password'];
$username = $_POST['username'];

function hashPW($password, $username)
{
    return sha1($password.$username);
}
?>

 

This is the login script, which I'm trying to fix. :D

<?php

include("config.php"); 

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include "function.php";
$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";


$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry); 

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";
exit; 
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}
?>

 

It gives me my error message about not having username and password specified exist....

 

I tried it with  {} and without them in the function script.

 

GOOD NEWS: The existing passwords were hashed and the registration script works. Just the login script is broken.

Link to comment
Share on other sites

You need to be more specific. What is the EXACT error message and what line is it giving the error on?

 

In the first block of code above, why are you defining $password & $username?

 

I did a test and it outputs exactly what I would expect

$_POST['username'] = 'mjdamato';
$_POST['password'] = 'notmyrealpassword';
$table = 'tableName';

function hashPW($password, $username)
{
    return sha1($password.$username);
}

$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";

echo $match;

// Output:
// select id
// from tableName
// where username = 'mjdamato'
//   and password = '032aefab39a2f2ee2b90891d62fd19edcd220802';

Link to comment
Share on other sites

There is no error, the page just goes to login.php and is completely blank. The error I was talking about was from the login.php code:

echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";

 

I cannot define $_POST['username'] or password as "mjdamato" or "notmyrealpassword" because I want that to be gotten from my MySQL server. I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes? I tried a lot just to get this to grab the hashed password from the server and compare it with the typed password, but it was to no avail.

Link to comment
Share on other sites

> I cannot define $_POST['username'] or password as "mjdamato" or "notmyrealpassword" because I want that to be gotten from my MySQL server. I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes? I tried a lot just to get this to grab the hashed password from the server and compare it with the typed password, but it was to no avail.

I'm not suggesting you define the POST values, that was only a test. And post values do not come from the database, they come from a form post. Are you even sure of what your code does?

 

> I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes?

No. You pass the values to the function and they are defined within the function.

 

Echo the value of $match to the page to see if the query is being generated as you expect.

Link to comment
Share on other sites

Well I sort of have an idea what the code's doing, but this is really a learn-as-you-go experience for me. That's what PHP has been so far, and I think I've learned a fair bit.  ;D

 

I'll see what happens when I echo $match.

Thanks.

 

EDIT: It does echo what I want it to!

With this:

<?php

include("config.php"); 

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include ("function.php");
$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";

echo $match;
?>

 

So it would have to be something in here:

...
$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry); 

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=user_login.php>Try again</a>";
exit; 
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}
?>

 

Right?

Link to comment
Share on other sites

Use this code and run a test. Then post the text displayed.

<?php

include("config.php"); 

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include ("function.php");
//$match = "select id from $table where username = '".$_POST['username']."'
//and password = '".hashPW($_POST['password'],$_POST['username'])."';";

//Test Query
$match = "select password from $table where username = '".$_POST['username']."'";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());

//----BEGIN TEST CODE
$result = mysql_fetch_assoc($qry);
echo "QUERY: {$match}<br />
POSTED VALUES:<br />
- Username: {$_POST['username']}<br />
- Password: {$_POST['password']}<br />
- Hashed Password: " . hashPW($_POST['password'], $_POST['username']) . "<br />";
echo "Database Password: {$_result['password']}";
exit();
//-----END TEST CODE

$num_rows = mysql_num_rows($qry); 

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=user_login.php>Try again</a>";
exit; 
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}

?>

Link to comment
Share on other sites

Okay:

 

QUERY: select password from users where username = 'Admin'

POSTED VALUES:

- Username: Admin

- Password: ------

- Hashed Password: 89cda54482caa109b5544b204b0ad06a7d57df4e

Database Password:

Link to comment
Share on other sites

Okay, I found that a variable was improperly defined and then retried it so this is the final after my change:

 

QUERY: select password from users where username = 'Admin'

POSTED VALUES:

- Username: Admin

- Password: ------ [<< I changed it to that, it showed my password]

- Hashed Password: 89cda54482caa1e9b5544b204b0ad06a7d57df4e

Database Password: 89cda54482caa1e9b5544b204b0ad06a

Link to comment
Share on other sites

Check the definition for the password field in the database. I'm guessing you set the length of that field to 32 characters - so the value is getting truncated (i.e. the last 8 characters are getting cut off)!

 

You will need to:

 

1. Restore your backed up database

2. Increase the length of the field in the database to at least 40 characters

3. Rerun the script to hash the current passwords

 

It "should" all work then. Now aren't you glad you made a backup of the database?!

 

Link to comment
Share on other sites
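The truncation diagnosed in the post above can be confirmed without guessing at the schema. This is an added example, not code from the thread: hashPW() mirrors the thread's function, diagnoseStoredHash() is a hypothetical helper, and the password and stored value are constructed samples.

```php
<?php
// Added example (not code from the thread). hashPW() mirrors the thread's
// function; diagnoseStoredHash() and all sample values are constructed.

function hashPW(string $password, string $username): string
{
    return sha1($password . $username); // always 40 hex characters
}

/**
 * Compare a value read back from the password column with the hash
 * computed from the login form, and say why they differ.
 */
function diagnoseStoredHash(string $stored, string $computed): string
{
    if (hash_equals($computed, $stored)) {
        return 'match';
    }
    // A shorter stored value that is a prefix of the computed hash means the
    // column cut the hash off on INSERT/UPDATE (e.g. CHAR(32) holding SHA-1).
    if ($stored !== '' && strlen($stored) < strlen($computed)
        && strncmp($computed, $stored, strlen($stored)) === 0) {
        return sprintf('truncated: column kept %d of %d characters',
            strlen($stored), strlen($computed));
    }
    return 'mismatch';
}

// Minimum column width for each hex digest, measured rather than assumed.
foreach (['md5', 'sha1', 'sha256'] as $algo) {
    printf("%-7s needs CHAR(%d)\n", $algo, strlen(hash($algo, '')));
}

// Constructed sample: what a 32-character column would have stored.
$computed = hashPW('example-password', 'Admin');
$stored   = substr($computed, 0, 32);

echo diagnoseStoredHash($stored, $computed), "\n";   // truncated case
echo diagnoseStoredHash($computed, $computed), "\n"; // correctly sized column

// password_hash() output is longer still and can grow with the algorithm;
// the PHP manual recommends a 255-character column for it.
$modern = password_hash('example-password', PASSWORD_DEFAULT);
printf("password_hash length: %d, verifies: %s\n",
    strlen($modern), password_verify('example-password', $modern) ? 'yes' : 'no');
```

A column sized for one digest silently truncates a longer one when MySQL is not in strict mode, so the stored value never equals the freshly computed hash and every login fails.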

Wait, the database field is set to be too short to be hashed? Okay, I can change it. YES I am happy that I backed it up. I'll go do that, thanks :D

 

I'll pro'ly have one or two more questions.

Link to comment
Share on other sites
