Jump to content

Validating/signing in with password singed up with after sha1 hash/salt


Recommended Posts

Hi, I am limbo with this one. What I have makes sense to me, but I know I'm missing something or doing something wrong

 

I have been able to hash passwords with salt by new people registering to my site by doing this:

 

if(!$error) {

	$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
	$rand = str_shuffle($alpha);
	$salt = substr($rand,0,40);
	$hashed_password = sha1($salt . $_POST['password']);

	$query = "INSERT INTO `cysticUsers` (
								`FirstName`,
								`LastName`,
								`Email`,
								`Password`,
								`salt`,
								`RelationshipToCF`,
								`State`,
								`Gender`,
								`Birthday`,
								`Status`
							)VALUES(
								'" . mysql_real_escape_string($_POST['firstName']) . "',
								'" . mysql_real_escape_string($_POST['lastName']) . "',
								'" . mysql_real_escape_string($_POST['email']) . "',
								'" . $hashed_password . "',
								'" . $salt . "',
								'" . mysql_real_escape_string($_POST['RelationToCF']) . "',
								'" . mysql_real_escape_string($_POST['State']) . "',
								'" . mysql_real_escape_string($_POST['sex']) . "',
								'" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
								'pending'
							)";
	mysql_query($query, $connection);


 

I have been able to to update EXISTING users passwords by doing this:

 

 

$query = "SELECT * FROM `cysticUsers`";
	$request = mysql_query($query,$connection);


	while($result = mysql_fetch_array($request)) {


	$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
	$rand = str_shuffle($alpha);
	$salt = substr($rand,0,40);
	$hashed_password = sha1($salt . $result['Password']);
	$user = $result['id'];


	$query2 = "UPDATE `cysticUsers` SET `salt` = '$salt' WHERE `id` = '$user'";
	$request2 = mysql_query($query2,$connection) or die(mysql_error());


	$query3 = "UPDATE `cysticUsers` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'";
	$request3 = mysql_query($query3,$connection) or die(mysql_error());

	}

 

Now, I want to be able to SIGN BACK IN with the existing password and I am failing miserably by doing this:

 

$query = "SELECT `salt`,`id`,`email`,`password` FROM `cysticUsers` WHERE `Email` = '" . $email . "' AND `Password` = '" . $password . "'  && `Status` = 'active' LIMIT 1";
$request = mysql_query($query,$connection) or die(mysql_error());

$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);


if(@mysql_num_rows($request)) {

	$row = mysql_fetch_assoc($request);
	if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {


	$_SESSION['CLIFE']['AUTH'] = true;
	$_SESSION['CLIFE']['ID'] = $result['id'];

	// UPDATE LAST ACTIVITY FOR USER
	$query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
	mysql_query($query,$connection);

	if(!empty($_POST['return'])) {
		header("Location: " . $_POST['return']);

	}else{
		header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
		}
	}

}else{

	$_SESSION['CLIFE']['AUTH'] = false;
	$_SESSION['CLIFE']['ID'] = false;

}
}

 

I've been scouring resources and am stuck on this. I have a deadline to meet that I am behind on. Needless to say I'm pulling my hair out and some help with this would be GREATLY appreciated.

 

Thank you in advance!

Are you trying to allow a user to log back in with the old password after they have changed it? If so you are executing a new query, and in turn the query is returning the new password, so your if statement is not going to validate the old password == new password.

Thanks so much for lending a hand you guy's  8)

 

@jaikob - I have updated EXISTING passwords by hashing and salting them, and from here on out, when  new users signs up hashing and salt their password right off the bat. So to answer your question. Via my third code chunk, I am trying to allow a user to sign in with the password they signed up with even though its hashed and salted and not in clear text any longer. make sense?

 

@Skylight_lady - Here is the updated version:

 

The query that is run to hash the newly signing up users password and storing their individual salt that is hashing it:

 

if(!$error) {

	$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
	$rand = str_shuffle($alpha);
	$salt = substr($rand,0,40);
	$hashed_password = sha1($salt . $_POST['password']);

	$query = "INSERT INTO `cysticUsers` (
								`FirstName`,
								`LastName`,
								`Email`,
								`Password`,
								`salt`,
								`RelationshipToCF`,
								`State`,
								`Gender`,
								`Birthday`,
								`Status`
							)VALUES(
								'" . mysql_real_escape_string($_POST['firstName']) . "',
								'" . mysql_real_escape_string($_POST['lastName']) . "',
								'" . mysql_real_escape_string($_POST['email']) . "',
								'" . $hashed_password . "',
								'" . $salt . "',
								'" . mysql_real_escape_string($_POST['RelationToCF']) . "',
								'" . mysql_real_escape_string($_POST['State']) . "',
								'" . mysql_real_escape_string($_POST['sex']) . "',
								'" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
								'pending'
							)";
	mysql_query($query, $connection);

 

The query that updates users un-hashed passwords to hashed with some salt for good measure:

 

/* 1: find all the users in the database */
	$query = "SELECT * FROM `cysticUsers`";
	$request = mysql_query($query,$connection);

	/* 2: loop through each user :done */
	while($result = mysql_fetch_array($request)) {

	/* 3:create a random salt, save random salt to user's row */
	$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
	$rand = str_shuffle($alpha);
	$salt = substr($rand,0,40);
	$hashed_password = sha1($salt . $result['Password']);
	$user = $result['id'];

	/* 4: use user's random salt to hash user's original password */
	$query2 = "UPDATE `cysticUsers` SET `salt` = '$salt' WHERE `id` = '$user'";
	$request2 = mysql_query($query2,$connection) or die(mysql_error());

	/* 5: save the hashed version to their row */
	$query3 = "UPDATE `cysticUsers` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'";
	$request3 = mysql_query($query3,$connection) or die(mysql_error());

	}

 

And finally the query in question that you want to see the syntax and I can't get to work:

 

if(isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) {


$query = "SELECT `salt`,`id`,`Email`,`Password` FROM `cysticUsers` WHERE `Email` = '" . $email . "' AND `Password` = '" . $password . "'  && `Status` = 'active' LIMIT 1";
$request = mysql_query($query,$connection) or die(mysql_error());

if(@mysql_num_rows($request)) {

	$row = mysql_fetch_assoc($request);
	if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {


	$_SESSION['CLIFE']['AUTH'] = true;
	$_SESSION['CLIFE']['ID'] = $result['id'];

	// UPDATE LAST ACTIVITY FOR USER
	$query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
	mysql_query($query,$connection);

	if(!empty($_POST['return'])) {
		header("Location: " . $_POST['return']);

	}else{
		header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
		}
	}

}else{

	$_SESSION['CLIFE']['AUTH'] = false;
	$_SESSION['CLIFE']['ID'] = false;

}
}

You will need to take the password out of the WHERE clause. Since you have now hashed them, the password they typed (which is in clear text) will not match the "password" in the database (which is actually a hash of the original password).

 

Take the "password = ..." out of the WHERE clause and check it in PHP (which you are already doing). Your problem is that no rows are being returned by the query.

@DavidAM -  thanks so much for taking the time to help me figure this out.

 

So how do I return the rows? or are you saying that just taking the `password` out of the WHERE clause along with what I already have will solve my problem? p.s. - took the "where `Email` = $email" out because I don't have a use for that variable anymore.

 

So your saying to try this?:

 

 

i

f(isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) {


$query = "SELECT `salt`,`id`,`Email`,`Password` FROM `cysticUsers` WHERE `Status` = 'active' LIMIT 1";
$request = mysql_query($query,$connection) or die(mysql_error());

$request = mysql_query($query,$connection) or die(mysql_error());

if(@mysql_num_rows($request)) {

	$row = mysql_fetch_assoc($request);
	if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {


	$_SESSION['CLIFE']['AUTH'] = true;
	$_SESSION['CLIFE']['ID'] = $result['id'];

	// UPDATE LAST ACTIVITY FOR USER
	$query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
	mysql_query($query,$connection);

	if(!empty($_POST['return'])) {
		header("Location: " . $_POST['return']);

	}else{
		header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
		}
	}

}else{

	$_SESSION['CLIFE']['AUTH'] = false;
	$_SESSION['CLIFE']['ID'] = false;

}
}

How is the user identifying themselves to your login script? It looked like you had them type their EMail and Password. In that case, you find the record with that EMail address, and compare the (already hashed) password from the database against a hash of the password they entered.

I'm still learning php, so thanks for bearing with me - so your saying I need to hash the $_POST['password'] when they are signing in to this page to compare it with the hashed pw in the db? oh duh, that makes sense.  I guess it will be the same if the same salt and hash forumla is used that I used to hash it in the first place?

and they are entering in the same cleartext password that was originally used so it should be the same

 

However, aren't you storing the unique salt in the database as well?

Unless I'm misunderstanding what you're trying to do, you won't be able to select the record using the password initially, since you need to have the salt to do that. You'll need to select the user's record based on their email address, then after the record is retrieved you'll have the salt so you can check the submitted password as well. If that's what you were intending to do, then forget that I even opened my trap . . .  :)

what do you mean by record? like their `id` and other stuff in their row in the db?

 

and to clarify what I'm trying to do:

 

sign in with the clear text password that has been signed up with but is now hashed and has a unique salt

Actually you could do this in the query by using msyql CONCAT() to get the `salt` column and the entered $_POST['password'] and then use mysql SHA1() function and compare the result with the `password` column.

@PFMaBiSmAd - I am not familiar with those functions or in which context to execute them. Is it possible for them to be meshed into my existing query or would I have to write a whole new query all together? I would prefer to salvage what I already have. I feel like I'm pretty close.  Could you maybe give me a more in context example as to what you are trying to suggest?

@PFMaBiSmAd - First off. Thanks so much for your time. I'm a newbie and have been struggling to get this and am behind on a deadline by a few days so thanks a lot for working with me :)

 

Your code snippet logically makes a whole lot of sense and think it could work. I am just wondering if it will go with what I have after it or do I need to change what goes after it to make everything work? and also being a newbie, having trouble with the syntax of it. should salt be `salt` in the CONCAT brackets? this is what I have:

 

$query = "SELECT `id` FROM `cysticUsers` WHERE `Email` = '$email' AND `Password` = 'SHA1(CONCAT(`salt`,'$password'))' AND Status = 'active' LIMIT 1";
$request = mysql_query($query,$connection) or die(mysql_error());

if(@mysql_num_rows($request)) {

	$row = mysql_fetch_assoc($request);
	if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {


	$_SESSION['CLIFE']['AUTH'] = true;
	$_SESSION['CLIFE']['ID'] = $result['id'];

	// UPDATE LAST ACTIVITY FOR USER
	$query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
	mysql_query($query,$connection);

	if(!empty($_POST['return'])) {
		header("Location: " . $_POST['return']);

	}else{
		header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
		}
	}

}else{

	$_SESSION['CLIFE']['AUTH'] = false;
	$_SESSION['CLIFE']['ID'] = false;

}
}

?>

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.