Hooo Posted August 20, 2009 Share Posted August 20, 2009 So I have decided to use Salt + md5 encryption for passwords, and it works when the signup happens. The password is then encrypted. However, I can't login with the password the user chose, I can however log in with the encrypted code, 394kj40jirji, or whatever lol. Is there anything I have to use apart from: $salt = 's+(_a*'; $salt_pass = md5($pword.$salt); Obviously salt_pass is sent to the mysql table. That is all I have changed, what am I missing? Thanks. Link to comment https://forums.phpfreaks.com/topic/171222-salt-md5-encryption/ Share on other sites More sharing options...
corbin Posted August 20, 2009 Share Posted August 20, 2009 When ever comparing the data submitted to the value in the database, make sure to hash it in EXACTLY the same manner. Link to comment https://forums.phpfreaks.com/topic/171222-salt-md5-encryption/#findComment-902919 Share on other sites More sharing options...
Hooo Posted August 20, 2009 Author Share Posted August 20, 2009 Will show the two files with the hashing involved. I have done as you say, however giving me the "Wrong username" error. It won't even let me login using the actual hashs either. The signup insert page: <?php include 'config.php'; include 'opendb.php'; $uname = $_POST["uname"]; $pword = $_POST["pword"]; $pword1 = $_POST["pword1"]; $jmail = $_POST["email"]; $age = $_POST["age"]; $chkname = mysql_query("SELECT * FROM Users WHERE usname='$uname'"); $salt = 's+(_a*'; $salt_pass = md5($pword.$salt); if(mysql_num_rows($chkname) > 0 ) { echo "Username already in use"; } else { if ($pword != $pword1) { echo "The two passwords do not match"; } else { $sql="INSERT INTO Users (usname, userpass, useremail, userage) VALUES ('$uname','$salt_pass','$jmail','$age')"; if (!mysql_query($sql)) { die('Error: ' . mysql_error()); } ?> <html> <body> Registation Successful!<br /><br /> You may now <a href="index.php">login!</a> </body> </html> <?php } } include 'closedb.php'; ?> and the login check: <?php session_start(); include 'config.php'; include 'opendb.php'; $tbl_name= 'Users'; $myusername=$_POST['usname']; $mypassword=$_POST['userpass']; $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $salt = 's+(_a*'; $salt_pass = md5($mypassword.$salt); $sql="SELECT * FROM " .$tbl_name ." WHERE usname='" . $myusername. "' and userpass='".$salt_pass."'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count == 1) { $_SESSION['usname'] = $myusername; echo '<meta http-equiv="refresh" content="1;url=main.php">'; } else { echo "Wrong Username or Password"; } include 'closedb.php'; ?> Link to comment https://forums.phpfreaks.com/topic/171222-salt-md5-encryption/#findComment-902934 Share on other sites More sharing options...
vineld Posted August 20, 2009 Share Posted August 20, 2009 Print the values and see if they match. Also, check to see that the password field is long enough to hold the md5 hash. I would use double salts and sha1 instead though. Link to comment https://forums.phpfreaks.com/topic/171222-salt-md5-encryption/#findComment-902946 Share on other sites More sharing options...
Hooo Posted August 20, 2009 Author Share Posted August 20, 2009 Password fields were only 20 long, changed to 40. That was the problem Link to comment https://forums.phpfreaks.com/topic/171222-salt-md5-encryption/#findComment-902954 Share on other sites More sharing options...
Malevolence Posted August 21, 2009 Share Posted August 21, 2009 Sha1 is stronger encryption, yes. Also, it may be worth generating a random salt (short) and then store the salt in the database too. Link to comment https://forums.phpfreaks.com/topic/171222-salt-md5-encryption/#findComment-903044 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.