RalphLeMouf Posted January 25, 2011

Hi, I am in limbo with this one. What I have makes sense to me, but I know I'm missing something or doing something wrong. I have been able to hash passwords with salt for new people registering to my site by doing this:

    if(!$error) {
        $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
        $rand = str_shuffle($alpha);
        $salt = substr($rand,0,40);
        $hashed_password = sha1($salt . $_POST['password']);

        $query = "INSERT INTO `cysticUsers` (
            `FirstName`, `LastName`, `Email`, `Password`, `salt`,
            `RelationshipToCF`, `State`, `Gender`, `Birthday`, `Status`
        ) VALUES (
            '" . mysql_real_escape_string($_POST['firstName']) . "',
            '" . mysql_real_escape_string($_POST['lastName']) . "',
            '" . mysql_real_escape_string($_POST['email']) . "',
            '" . $hashed_password . "',
            '" . $salt . "',
            '" . mysql_real_escape_string($_POST['RelationToCF']) . "',
            '" . mysql_real_escape_string($_POST['State']) . "',
            '" . mysql_real_escape_string($_POST['sex']) . "',
            '" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
            'pending'
        )";
        mysql_query($query, $connection);
    }

I have been able to update EXISTING users' passwords by doing this:

    $query = "SELECT * FROM `cysticUsers`";
    $request = mysql_query($query,$connection);
    while($result = mysql_fetch_array($request)) {
        $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
        $rand = str_shuffle($alpha);
        $salt = substr($rand,0,40);
        $hashed_password = sha1($salt . $result['Password']);
        $user = $result['id'];

        $query2 = "UPDATE `cysticUsers` SET `salt` = '$salt' WHERE `id` = '$user'";
        $request2 = mysql_query($query2,$connection) or die(mysql_error());

        $query3 = "UPDATE `cysticUsers` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'";
        $request3 = mysql_query($query3,$connection) or die(mysql_error());
    }

Now, I want to be able to SIGN BACK IN with the existing password and I am failing miserably by doing this:

    $query = "SELECT `salt`,`id`,`email`,`password` FROM `cysticUsers` WHERE `Email` = '" . $email . "' AND `Password` = '" . $password . "' && `Status` = 'active' LIMIT 1";
    $request = mysql_query($query,$connection) or die(mysql_error());
    $email = mysql_real_escape_string($_POST['email']);
    $password = mysql_real_escape_string($_POST['password']);

    if(@mysql_num_rows($request)) {
        $row = mysql_fetch_assoc($request);
        if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {
            $_SESSION['CLIFE']['AUTH'] = true;
            $_SESSION['CLIFE']['ID'] = $result['id'];

            // UPDATE LAST ACTIVITY FOR USER
            $query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
            mysql_query($query,$connection);

            if(!empty($_POST['return'])) {
                header("Location: " . $_POST['return']);
            }else{
                header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
            }
        }
    }else{
        $_SESSION['CLIFE']['AUTH'] = false;
        $_SESSION['CLIFE']['ID'] = false;
    }

I've been scouring resources and am stuck on this. I have a deadline to meet that I am behind on. Needless to say I'm pulling my hair out, and some help with this would be GREATLY appreciated. Thank you in advance!

Link to comment: https://forums.phpfreaks.com/topic/225679-validatingsigning-in-with-password-singed-up-with-after-sha1-hashsalt/
Skylight_lady Posted January 26, 2011

Why are you using three "="?

    if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {

My mistake. It's allowed, but has a different meaning. New to me.
Pikachu2000 Posted January 26, 2011

== checks if values are equal
=== checks if values are identical

See: comparison operators
KevinM1 Posted January 26, 2011

Shouldn't it be "SELECT ... `Password` ..."? Your db columns are lowercase in your query, but you capitalize it in your if-conditional. Looks like a simple typo to me.
RalphLeMouf (Author) Posted January 26, 2011

Good eye, thanks. The $_POST syntax is password and in the db it's Password, for example. I still can't sign in.
RalphLeMouf (Author) Posted January 26, 2011

Besides the mix-up of caps, does anyone know if this is close, or should I try a different method altogether?
Skylight_lady Posted January 26, 2011

Can you update your code so we can see the changes? There was more than one place where the caps had to be changed, especially in:

    `email` ...... WHERE `Email`

Updated code will help.
jaikob Posted January 26, 2011

Are you trying to allow a user to log back in with the old password after they have changed it? If so, you are executing a new query, and in turn the query is returning the new password, so your if statement is not going to validate the old password == new password.
RalphLeMouf (Author) Posted January 26, 2011

Thanks so much for lending a hand, you guys.

@jaikob - I have updated EXISTING passwords by hashing and salting them, and from here on out, when new users sign up, I hash and salt their password right off the bat. So to answer your question: via my third code chunk, I am trying to allow a user to sign in with the password they signed up with even though it's hashed and salted and not in clear text any longer. Make sense?

@Skylight_lady - Here is the updated version.

The query that is run to hash the newly signing-up user's password and store the individual salt that is hashing it:

    if(!$error) {
        $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
        $rand = str_shuffle($alpha);
        $salt = substr($rand,0,40);
        $hashed_password = sha1($salt . $_POST['password']);

        $query = "INSERT INTO `cysticUsers` (
            `FirstName`, `LastName`, `Email`, `Password`, `salt`,
            `RelationshipToCF`, `State`, `Gender`, `Birthday`, `Status`
        ) VALUES (
            '" . mysql_real_escape_string($_POST['firstName']) . "',
            '" . mysql_real_escape_string($_POST['lastName']) . "',
            '" . mysql_real_escape_string($_POST['email']) . "',
            '" . $hashed_password . "',
            '" . $salt . "',
            '" . mysql_real_escape_string($_POST['RelationToCF']) . "',
            '" . mysql_real_escape_string($_POST['State']) . "',
            '" . mysql_real_escape_string($_POST['sex']) . "',
            '" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
            'pending'
        )";
        mysql_query($query, $connection);
    }

The query that updates users' un-hashed passwords to hashed, with some salt for good measure:

    /* 1: find all the users in the database */
    $query = "SELECT * FROM `cysticUsers`";
    $request = mysql_query($query,$connection);

    /* 2: loop through each user :done */
    while($result = mysql_fetch_array($request)) {
        /* 3: create a random salt, save random salt to user's row */
        $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
        $rand = str_shuffle($alpha);
        $salt = substr($rand,0,40);
        $hashed_password = sha1($salt . $result['Password']);
        $user = $result['id'];

        /* 4: use user's random salt to hash user's original password */
        $query2 = "UPDATE `cysticUsers` SET `salt` = '$salt' WHERE `id` = '$user'";
        $request2 = mysql_query($query2,$connection) or die(mysql_error());

        /* 5: save the hashed version to their row */
        $query3 = "UPDATE `cysticUsers` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'";
        $request3 = mysql_query($query3,$connection) or die(mysql_error());
    }

And finally the query in question, whose syntax you wanted to see and which I can't get to work:

    if(isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) {
        $query = "SELECT `salt`,`id`,`Email`,`Password` FROM `cysticUsers` WHERE `Email` = '" . $email . "' AND `Password` = '" . $password . "' && `Status` = 'active' LIMIT 1";
        $request = mysql_query($query,$connection) or die(mysql_error());

        if(@mysql_num_rows($request)) {
            $row = mysql_fetch_assoc($request);
            if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {
                $_SESSION['CLIFE']['AUTH'] = true;
                $_SESSION['CLIFE']['ID'] = $result['id'];

                // UPDATE LAST ACTIVITY FOR USER
                $query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
                mysql_query($query,$connection);

                if(!empty($_POST['return'])) {
                    header("Location: " . $_POST['return']);
                }else{
                    header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
                }
            }
        }else{
            $_SESSION['CLIFE']['AUTH'] = false;
            $_SESSION['CLIFE']['ID'] = false;
        }
    }
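An added example of the migration step above, written for this thread and not taken from any of the posts. It keeps the thread's formula, sha1(salt . cleartext), but does two things the posted loop does not: the salt and the hash are written in one UPDATE, into the same `Password` column the login code reads (the posted script writes the hash to `encrypted_passwords`), and only rows that have no salt yet are touched, so running it twice does not hash the already-hashed values again. It assumes PHP 7 or later with the PDO MySQL driver, the `cysticUsers` table from the thread, and a placeholder DSN, user and password.

```php
<?php
// Added example for this thread, not the original poster's code.
// Assumes PHP 7+ with PDO and the thread's table `cysticUsers`
// (`id`, `Password` holding cleartext before migration, `salt`).
// DSN, user and password below are placeholders.

/**
 * Salt and hash every cleartext password that has no salt yet.
 * Returns the number of rows rewritten.
 */
function migrate_plaintext_passwords(PDO $db): int
{
    // Rows without a salt are the ones still in cleartext; everything
    // else has been migrated already and must not be hashed a second time.
    $rows = $db->query(
        "SELECT `id`, `Password` FROM `cysticUsers` WHERE `salt` IS NULL OR `salt` = ''"
    )->fetchAll(PDO::FETCH_ASSOC);

    // Salt and hash land in the row together, in the `Password` column
    // that the sign-in code compares against.
    $update = $db->prepare(
        'UPDATE `cysticUsers` SET `salt` = :salt, `Password` = :hash WHERE `id` = :id'
    );

    $db->beginTransaction();
    try {
        foreach ($rows as $row) {
            // 20 bytes from the OS CSPRNG, hex-encoded to the 40-character
            // salt the thread uses. str_shuffle() is not a random source
            // suitable for salts.
            $salt = bin2hex(random_bytes(20));
            $hash = sha1($salt . $row['Password']);   // same formula as registration
            $update->execute([':salt' => $salt, ':hash' => $hash, ':id' => $row['id']]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();   // leave the table as it was if any row fails
        throw $e;
    }
    return count($rows);
}

$db = new PDO('mysql:host=localhost;dbname=cystic;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
printf("Re-hashed %d passwords\n", migrate_plaintext_passwords($db));
```

A caveat a reviewer would raise on the whole thread: sha1 is a fast hash, so a salted sha1 only stops precomputed tables, not brute force against a leaked table. PHP 5.5 and later ship password_hash() and password_verify(), which choose the salt and use a deliberately slow algorithm; the loop above is the shape you would use to move to those too.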
DavidAM Posted January 27, 2011

You will need to take the password out of the WHERE clause. Since you have now hashed them, the password they typed (which is in clear text) will not match the "password" in the database (which is actually a hash of the original password). Take the "password = ..." out of the WHERE clause and check it in PHP (which you are already doing). Your problem is that no rows are being returned by the query.
RalphLeMouf (Author) Posted January 27, 2011

@DavidAM - thanks so much for taking the time to help me figure this out. So how do I return the rows? Or are you saying that just taking the `password` out of the WHERE clause, along with what I already have, will solve my problem?

p.s. - took the "where `Email` = $email" out because I don't have a use for that variable anymore. So you're saying to try this?

    if(isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) {
        $query = "SELECT `salt`,`id`,`Email`,`Password` FROM `cysticUsers` WHERE `Status` = 'active' LIMIT 1";
        $request = mysql_query($query,$connection) or die(mysql_error());

        if(@mysql_num_rows($request)) {
            $row = mysql_fetch_assoc($request);
            if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {
                $_SESSION['CLIFE']['AUTH'] = true;
                $_SESSION['CLIFE']['ID'] = $result['id'];

                // UPDATE LAST ACTIVITY FOR USER
                $query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
                mysql_query($query,$connection);

                if(!empty($_POST['return'])) {
                    header("Location: " . $_POST['return']);
                }else{
                    header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
                }
            }
        }else{
            $_SESSION['CLIFE']['AUTH'] = false;
            $_SESSION['CLIFE']['ID'] = false;
        }
    }
DavidAM Posted January 27, 2011

How is the user identifying themselves to your login script? It looked like you had them type their EMail and Password. In that case, you find the record with that EMail address, and compare the (already hashed) password from the database against a hash of the password they entered.
RalphLeMouf (Author) Posted January 27, 2011

I'm still learning PHP, so thanks for bearing with me - so you're saying I need to hash the $_POST['password'] when they are signing in to this page, to compare it with the hashed pw in the db? Oh duh, that makes sense. I guess it will be the same if the same salt and hash formula is used that I used to hash it in the first place?
RalphLeMouf (Author) Posted January 27, 2011

And they are entering the same cleartext password that was originally used, so it should be the same.
Pikachu2000 Posted January 27, 2011

> and they are entering in the same cleartext password that was originally used so it should be the same

However, aren't you storing the unique salt in the database as well?
RalphLeMouf (Author) Posted January 27, 2011

@Pikachu2000 - indeed I am.
Pikachu2000 Posted January 27, 2011

Unless I'm misunderstanding what you're trying to do, you won't be able to select the record using the password initially, since you need to have the salt to do that. You'll need to select the user's record based on their email address; then, after the record is retrieved, you'll have the salt so you can check the submitted password as well. If that's what you were intending to do, then forget that I even opened my trap . . .
RalphLeMouf (Author) Posted January 27, 2011

What do you mean by record? Like their `id` and other stuff in their row in the db? And to clarify what I'm trying to do: sign in with the clear text password that was signed up with but is now hashed and has a unique salt.
Pikachu2000 Posted January 27, 2011

By record I mean the record in the database associated with the user.
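An added example of the flow DavidAM and Pikachu2000 describe above (select the row by email, then hash the submitted password with that row's salt and compare in PHP); it is written for this thread and is not code from any post. Two details of the posted sign-in code are worth noting against it: the posted version escapes $email and $password only after the query that already used them, and it stores $result['id'] in the session where the fetched row is $row. The example assumes PHP 7.1 or later with PDO, the thread's `cysticUsers` table (`id`, `Email`, `Password` = sha1(salt . cleartext), `salt`, `Status`, `LastActivity`), and a placeholder DSN, user and password.

```php
<?php
// Added example for this thread, not the original poster's code.
// Assumes PHP 7.1+ with PDO and the thread's table `cysticUsers`
// (`id`, `Email`, `Password` = sha1(salt . cleartext), `salt`, `Status`,
// `LastActivity`). DSN, user and password are placeholders.

/** Same formula as at registration, compared in constant time. */
function verify_salted_sha1(string $salt, string $password, string $storedHash): bool
{
    // hash_equals() does not stop at the first differing byte, so response
    // time does not reveal how much of the hash a guess got right.
    return hash_equals($storedHash, sha1($salt . $password));
}

/**
 * Look the row up by email only, then check the password in PHP.
 * Returns the user id on success, null on any failure.
 */
function login(PDO $db, string $email, string $password): ?int
{
    // The password is not part of the WHERE clause: the database only
    // holds a hash, and the salt needed to recompute it is in the row.
    $stmt = $db->prepare(
        "SELECT `id`, `salt`, `Password` FROM `cysticUsers`
          WHERE `Email` = :email AND `Status` = 'active' LIMIT 1"
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false
        || !verify_salted_sha1((string) $row['salt'], $password, (string) $row['Password'])) {
        return null;   // unknown email and wrong password look the same to the caller
    }

    $db->prepare('UPDATE `cysticUsers` SET `LastActivity` = NOW() WHERE `id` = :id')
       ->execute([':id' => $row['id']]);
    return (int) $row['id'];
}

// Sign-in handler
session_start();
$db = new PDO('mysql:host=localhost;dbname=cystic;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (isset($_POST['subSignIn'], $_POST['email'], $_POST['password'])) {
    $id = login($db, (string) $_POST['email'], (string) $_POST['password']);
    if ($id === null) {
        $_SESSION['CLIFE'] = ['AUTH' => false, 'ID' => false];
    } else {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['CLIFE'] = ['AUTH' => true, 'ID' => $id];
        // Redirect only to a page of our own. The posted code sends the browser
        // to whatever $_POST['return'] contains, which anyone can fill in.
        header('Location: CysticLife-Dashboard.php?id=' . $id);
        exit;
    }
}
```

The email goes into the query as a bound parameter, so there is nothing to escape by hand and no chance of escaping it after the query has already run. If a "return to" redirect is wanted, accept only a relative path you control rather than the raw posted value.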
PFMaBiSmAd Posted January 27, 2011

Actually you could do this in the query by using mysql CONCAT() to get the `salt` column and the entered $_POST['password'], and then use the mysql SHA1() function and compare the result with the `password` column.
RalphLeMouf (Author) Posted January 27, 2011

@PFMaBiSmAd - I am not familiar with those functions or in which context to execute them. Is it possible for them to be meshed into my existing query, or would I have to write a whole new query altogether? I would prefer to salvage what I already have. I feel like I'm pretty close. Could you maybe give me a more in-context example of what you are trying to suggest?
PFMaBiSmAd Posted January 27, 2011

Should work -

    $query = "SELECT id FROM cysticUsers WHERE Email = '$email' AND Password = SHA1(CONCAT(salt,'$password')) AND Status = 'active' LIMIT 1";
RalphLeMouf (Author) Posted January 27, 2011

@PFMaBiSmAd - First off, thanks so much for your time. I'm a newbie and have been struggling to get this, and am behind on a deadline by a few days, so thanks a lot for working with me.

Your code snippet logically makes a whole lot of sense and I think it could work. I am just wondering if it will go with what I have after it, or do I need to change what goes after it to make everything work? And also, being a newbie, I'm having trouble with the syntax of it. Should salt be `salt` in the CONCAT brackets? This is what I have:

    $query = "SELECT `id` FROM `cysticUsers` WHERE `Email` = '$email' AND `Password` = 'SHA1(CONCAT(`salt`,'$password'))' AND Status = 'active' LIMIT 1";
    $request = mysql_query($query,$connection) or die(mysql_error());

    if(@mysql_num_rows($request)) {
        $row = mysql_fetch_assoc($request);
        if (sha1($row['salt'] . $_POST['password']) === $row['Password']) {
            $_SESSION['CLIFE']['AUTH'] = true;
            $_SESSION['CLIFE']['ID'] = $result['id'];

            // UPDATE LAST ACTIVITY FOR USER
            $query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
            mysql_query($query,$connection);

            if(!empty($_POST['return'])) {
                header("Location: " . $_POST['return']);
            }else{
                header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
            }
        }
    }else{
        $_SESSION['CLIFE']['AUTH'] = false;
        $_SESSION['CLIFE']['ID'] = false;
    }
PFMaBiSmAd Posted January 27, 2011

The query that was posted is valid mysql and should have worked as is.
RalphLeMouf (Author) Posted January 27, 2011

Gotcha. Unfortunately this is not working. Thanks for your time though!
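An added example of the in-query variant PFMaBiSmAd suggests, written for this thread and not taken from any post. It differs from the last version the author posted in two ways that can be read straight off that post: there, SHA1(CONCAT(`salt`,'$password')) is wrapped in single quotes, so MySQL parses it as string text rather than as a call to SHA1(), and the PHP check that follows reads $row['salt'] and $row['Password'] from a query that selects only `id`. Here the function call is bare SQL, the values are bound parameters, and a returned row is the whole check. Same assumptions as before: PHP 7.1 or later with PDO, the thread's `cysticUsers` table, and a placeholder DSN, user and password.

```php
<?php
// Added example for this thread, not the original poster's code.
// Assumes PHP 7.1+ with PDO and the thread's table `cysticUsers`
// (`id`, `Email`, `Password` = sha1(salt . cleartext), `salt`, `Status`).
// DSN, user and password are placeholders.

/**
 * Let MySQL recompute the salted hash and match the row in one query.
 * Returns the user id on success, null otherwise.
 */
function login_in_query(PDO $db, string $email, string $password): ?int
{
    // SHA1(CONCAT(`salt`, :password)) must stay bare SQL. Quoting it turns
    // it into literal text, and `Password` can never equal that text.
    $stmt = $db->prepare(
        "SELECT `id` FROM `cysticUsers`
          WHERE `Email` = :email
            AND `Password` = SHA1(CONCAT(`salt`, :password))
            AND `Status` = 'active'
          LIMIT 1"
    );
    // Bound parameters: neither value is concatenated into the SQL by hand.
    $stmt->execute([':email' => $email, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A returned row is the whole check. There is no second sha1() compare
    // in PHP, so `salt` and `Password` do not need to be selected.
    return $row === false ? null : (int) $row['id'];
}

$db = new PDO('mysql:host=localhost;dbname=cystic;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$id = login_in_query(
    $db,
    (string) ($_POST['email'] ?? ''),
    (string) ($_POST['password'] ?? '')
);
var_dump($id);   // int on success, NULL otherwise
```

Two caveats with this variant compared with hashing in PHP: the cleartext password is sent to the database server, where it can end up in the MySQL general query log, and the comparison is done by MySQL rather than by hash_equals(). It is a fine way to confirm the stored hashes are right; for the live sign-in page the select-by-email-then-compare-in-PHP form keeps the password inside the application.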