Hooo Posted August 20, 2009 Share Posted August 20, 2009 So I have decided to use Salt + md5 encryption for passwords, and it works when the signup happens. The password is then encrypted. However, I can't login with the password the user chose, I can however log in with the encrypted code, 394kj40jirji, or whatever lol. Is there anything I have to use apart from: $salt = 's+(_a*'; $salt_pass = md5($pword.$salt); Obviously salt_pass is sent to the mysql table. That is all I have changed, what am I missing? Thanks. Quote Link to comment Share on other sites More sharing options...
corbin Posted August 20, 2009 Share Posted August 20, 2009 When ever comparing the data submitted to the value in the database, make sure to hash it in EXACTLY the same manner. Quote Link to comment Share on other sites More sharing options...
Hooo Posted August 20, 2009 Author Share Posted August 20, 2009 Will show the two files with the hashing involved. I have done as you say, however giving me the "Wrong username" error. It won't even let me login using the actual hashs either. The signup insert page: <?php include 'config.php'; include 'opendb.php'; $uname = $_POST["uname"]; $pword = $_POST["pword"]; $pword1 = $_POST["pword1"]; $jmail = $_POST["email"]; $age = $_POST["age"]; $chkname = mysql_query("SELECT * FROM Users WHERE usname='$uname'"); $salt = 's+(_a*'; $salt_pass = md5($pword.$salt); if(mysql_num_rows($chkname) > 0 ) { echo "Username already in use"; } else { if ($pword != $pword1) { echo "The two passwords do not match"; } else { $sql="INSERT INTO Users (usname, userpass, useremail, userage) VALUES ('$uname','$salt_pass','$jmail','$age')"; if (!mysql_query($sql)) { die('Error: ' . mysql_error()); } ?> <html> <body> Registation Successful!<br /><br /> You may now <a href="index.php">login!</a> </body> </html> <?php } } include 'closedb.php'; ?> and the login check: <?php session_start(); include 'config.php'; include 'opendb.php'; $tbl_name= 'Users'; $myusername=$_POST['usname']; $mypassword=$_POST['userpass']; $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $salt = 's+(_a*'; $salt_pass = md5($mypassword.$salt); $sql="SELECT * FROM " .$tbl_name ." WHERE usname='" . $myusername. "' and userpass='".$salt_pass."'"; $result=mysql_query($sql); $count=mysql_num_rows($result); if($count == 1) { $_SESSION['usname'] = $myusername; echo '<meta http-equiv="refresh" content="1;url=main.php">'; } else { echo "Wrong Username or Password"; } include 'closedb.php'; ?> Quote Link to comment Share on other sites More sharing options...
vineld Posted August 20, 2009 Share Posted August 20, 2009 Print the values and see if they match. Also, check to see that the password field is long enough to hold the md5 hash. I would use double salts and sha1 instead though. Quote Link to comment Share on other sites More sharing options...
Hooo Posted August 20, 2009 Author Share Posted August 20, 2009 Password fields were only 20 long, changed to 40. That was the problem Quote Link to comment Share on other sites More sharing options...
Malevolence Posted August 21, 2009 Share Posted August 21, 2009 Sha1 is stronger encryption, yes. Also, it may be worth generating a random salt (short) and then store the salt in the database too. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.