
using SHA1 question


silverglade


Hi, I read how to encrypt a string like a password with sha1, but I don't know how to verify that as being equal to a new variable. Like if they make their password and I store it encrypted as 23ujt89484jfgj848, then they go back to my site and log in, how do I make a check against the encrypted password? Please, any help is greatly appreciated. Thank you. (I store the password in a database.)

 

Here is an example of what I know how to do, just encrypting it.

 

$str = "mypassword";
$hash = sha1($str); // 40-character hex digest of the string


SHA1 is a hashing algorithm, not encryption. Hashing is a one-way street. But to answer your question, you just compare the hash stored in the database against the hash of the entered password. This is the basic logic of the query:

 

SELECT field FROM table WHERE username = '$username' AND password = SHA1('$password')


In addition to what Pikachu stated, PLEASE use a salt value.  Add a column to the database table that stores the salt value.  A salt can be a phrase or set of characters of your choice.  You could make it something random like:

 

$salt = sha1(time() . 'this is going to help generate my salt' . rand(0, 10000));

 

The important thing is that when you insert the password you're going to store the salt in the same row in its own column.

 

Then generate your password hash:

 

$hashpw = sha1($password . $salt);

 

This defeats the use of rainbow tables against the hash values should your user table be compromised, because rather than having a pre-computed table available which can be used to match hashes against, the hacker would have to generate the complete rainbow table FOR EVERY ROW using each individual salt, making it a huge hassle for them.

 

In summary, sha1 is a good way to store passwords, since you aren't really storing the password at all, and it cannot be "decrypted".  But you must use a salt!
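The register-and-verify flow the original question asks about, combined with the per-user salt column from the reply above, as an added example that is not code from anyone in this thread. It assumes a users table with username, password and salt columns, an in-memory SQLite database constructed for the demo, and PHP 7+ (for random_bytes()); note that SHA1 is a fast hash, so a salt stops precomputed tables but not brute force, and current PHP ships password_hash()/password_verify() for exactly this purpose.

```php
<?php
// Added example: salted-SHA1 password storage and login check with
// PDO prepared statements. Table assumed: users(username, password, salt).

function generate_salt(): string {
    // 20 random bytes, hex-encoded to 40 characters (replaces sha1(time() . rand()))
    return bin2hex(random_bytes(20));
}

function hash_password(string $password, string $salt): string {
    // Same construction as the thread: sha1(password . salt)
    return sha1($password . $salt);
}

function register_user(PDO $db, string $username, string $password): void {
    $salt = generate_salt();
    // Salt and hash are stored side by side in the same row
    $stmt = $db->prepare('INSERT INTO users (username, password, salt) VALUES (?, ?, ?)');
    $stmt->execute([$username, hash_password($password, $salt), $salt]);
}

function verify_login(PDO $db, string $username, string $password): bool {
    // Look the user up by name only; the password never goes into the SQL
    $stmt = $db->prepare('SELECT password, salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown username
    }
    // Re-hash the submitted password with the stored salt and compare in constant time
    return hash_equals($row['password'], hash_password($password, $row['salt']));
}

// Demo against a constructed in-memory SQLite database
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt TEXT)');
register_user($db, 'derek', 'mypassword');
var_dump(verify_login($db, 'derek', 'mypassword'));    // correct password
var_dump(verify_login($db, 'derek', 'wrongpassword')); // wrong password
var_dump(verify_login($db, 'nobody', 'mypassword'));   // unknown user
```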


I am having trouble sha1'ing my password. In the database it isn't being hashed, it is regular. Any help greatly appreciated. I haven't added the salt yet. I don't know how to add the salt with the SQL command to the database yet.

 

$password = mysql_real_escape_string($_POST['password']);
$email = mysql_real_escape_string($_POST['email']);
$password2 = mysql_real_escape_string($_POST['password2']);

if ($password == $password2) {
    sha1($password);
    sha1($password2);

    $sql = "INSERT INTO users (username, password, email, activationkey, status) VALUES ('$username', '$password', '$email', '$activationKey', 'verify')";
} else {
    echo "*Passwords do not match!";
}

if (!mysql_query($sql)) {
    die('Error: ' . mysql_error());
}


No need to escape data that will be hashed. In some cases escaping it can actually cause problems. You weren't assigning the result of the sha1() to the $password variable, so the value was still whatever was in the form field. This is cleaned up and simplified a bit.

 

$email = mysql_real_escape_string($_POST['email']);
if ( $_POST['password'] == $_POST['password2'] ) {
	// Keep the hash, not the plain-text field value
	$password = sha1($_POST['password']);
	$sql = "INSERT INTO users (username, password, email, activationkey, status) VALUES ('$username', '$password', '$email', '$activationKey', 'verify')";
} else {
	echo "*Passwords do not match!";
}
// Etcetera . . .


HAHAHA Pikachu2000 you are awesome!! I feel like an idiot, but it worked and I learned, so I guess that's good. Still though, my mistakes are really newb. LOL. Here is a paste of the database contents in the table. Notice the SWEET SWEET hashing! hehe. Thank you!

 

id | status    | username | password                                 | email           | activationkey
20 | activated | derek    | 9b22752fbfa3ebc91486674f1314e695e378f766 | painter1@hotmai | 1183105292915673847691554926176169501920873962
21 | activated | derek2   | 9a3e61b6bcc8abec08f195526c3132d5a4a98cc0 | master 1@hot    | 16
