zero_ZX Posted September 6, 2011

Hi,

So basically this is the error:

    if (strcmp($extuser,$username) == 0 && strcmp($extpass,$password) == 0)

extpass is a value it reads from the database. That value is sha1-hashed. Password is plain and is sent via a form.

So what happens is the following: extuser and username equals 0, as they match. extpass and password match IF I put the sha1-hashed password as the password. So no problems in that, it's supposed to work that way.

If we change the code a bit, so that the user shouldn't post an unknown password:

    if (strcmp($extuser,$username) == 0 && strcmp($extpass,sha1($password)) == 0)

Right, so we take the submitted password and sha1 it. Then check if that new string matches the database and whoops, login failed.

Okay.. by doing some debugging by printing the actual values I conclude this: The sha1($password) equals 139a8cf8be8..... while in my database all the letters are CaSe. This is most likely the error.. Any ideas for a fix?

WebStyles Posted September 6, 2011

Why are common hashing functions such as md5() and sha1() unsuitable for passwords?

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input. Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.

Can you post the script that was used originally to encrypt the password when it was first stored?

zero_ZX (Author) Posted September 6, 2011

I'm only using this on a test basis so I just got the password from here: http://www.ratajik.com/CreateNetPassword/

I created a quick login script to check if username and the password match with a SQL query.. everything goes through just fine.. :/

The quick login script:

    $password2 = mysql_real_escape_string($_POST['password']);
    $password = sha1($password2);
    $username = mysql_real_escape_string($_POST['username']);
    $q = "SELECT * FROM `profiles` "
        ."WHERE `username`='$username' "
        ."AND `password`='$password'";

Rest omitted

So I find it strange that this other code won't work as expected :/

WebStyles Posted September 6, 2011

Well, there's your answer... that silly website is 'uppercasing' the result.

zero_ZX (Author) Posted September 6, 2011

Okay, well I changed it.. so my debugging now shows:

    139a8cf8be8e[omitted]5f53912224
    139a8cf8be8e[omitted]5f53912224-1

Can anyone tell me why it returns -1 and not 0? :S

Pikachu2000 Posted September 6, 2011

I'm wondering if all this is really necessary. What are you trying to achieve?

WebStyles Posted September 6, 2011

Add a trim to both before applying strcmp and test again. Maybe there's an invisible character somewhere.
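
Added example, not part of the original thread and not any poster's code: one way to see why two SHA-1 hex digests that look identical on screen fail strcmp(), covering both the upper-case digest and the possible invisible character discussed above. The helper names are hypothetical, the sample values are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; every value here is constructed for illustration.

// strlen() and bin2hex() expose case differences, padding and newlines
// that echo hides when the output is viewed in a browser.
function describe_digest(string $label, string $value): string
{
    return sprintf('%-9s len=%d hex=%s', $label, strlen($value), bin2hex($value));
}

// Return the digest as 40 lower-case hex characters, or null if malformed.
function normalize_sha1_hex(string $value): ?string
{
    $clean = strtolower(trim($value)); // trim() drops spaces, \t, \n, \r, \0, \x0B
    if (strlen($clean) !== 40 || !ctype_xdigit($clean)) {
        return null;
    }
    return $clean;
}

function digests_match(string $stored, string $computed): bool
{
    $a = normalize_sha1_hex($stored);
    $b = normalize_sha1_hex($computed);
    if ($a === null || $b === null) {
        return false; // malformed input never matches
    }
    // hash_equals() (PHP 5.6+) is a byte-wise, constant-time comparison.
    return hash_equals($a, $b);
}

$computed = sha1('example-password');      // sha1() returns lower-case hex
$stored   = strtoupper($computed) . "\n";  // upper-cased, with a stray newline

echo describe_digest('stored', $stored), PHP_EOL;
echo describe_digest('computed', $computed), PHP_EOL;
var_dump(strcmp($stored, $computed) === 0);  // raw strcmp() comparison
var_dump(digests_match($stored, $computed)); // comparison after normalization
```

A length other than 40 in the first column of output points at padding or a trailing character in the stored value; differing hex bytes at the same length point at letter case.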

voip03 Posted September 6, 2011

zero_ZX! Can you kindly let us know, what are you trying to achieve?

zero_ZX (Author) Posted September 6, 2011

Sorry guys, it was a misunderstanding in my group.

We changed the code so it became a bit easier to read:

    //if (strcmp($extuser,$username) == 0 && strcmp($extpass,$password) == 0)
    if($extuser == $username && $extpass == sha1($password))

All works flawlessly now.. I still don't get why the other method didn't work though..

To answer your question: I was just trying to check if the usernames and passwords from one database matched with the info from another.

So, all good
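
Added example, not part of the original thread and not any poster's code: a login check in line with the guidance quoted in WebStyles' first reply, shown next to the kind of `==` digest comparison used in the last post. It assumes PHP 7.1 or later, a hypothetical `verify_login()` helper, and a `$row` array already fetched from `profiles` with a parameterised query; the sample rows are constructed.

```php
<?php
// Added example; rows and passwords below are constructed.

// Returns true on a correct password. $newHash is set when the stored
// value should be replaced (legacy SHA-1 row, or outdated parameters).
function verify_login(array $row, string $password, ?string &$newHash = null): bool
{
    $stored  = trim($row['password']);
    $newHash = null;

    // Legacy rows: a bare 40-character SHA-1 hex digest.
    if (strlen($stored) === 40 && ctype_xdigit($stored)) {
        // hash_equals() instead of ==: with ==, PHP compares two
        // numeric-looking strings ("0e" followed only by digits) as numbers.
        if (!hash_equals(strtolower($stored), sha1($password))) {
            return false;
        }
        // Correct password: upgrade the row to a slow, salted hash.
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    // Current rows: value produced by password_hash().
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$legacy = ['username' => 'alice', 'password' => sha1('example-password')];
$modern = ['username' => 'bob',
           'password' => password_hash('example-password', PASSWORD_DEFAULT)];

var_dump(verify_login($legacy, 'example-password', $upgrade)); // legacy row, right password
var_dump($upgrade !== null);                                   // replacement hash offered
var_dump(verify_login($legacy, 'wrong-password', $upgrade));   // legacy row, wrong password
var_dump(verify_login($modern, 'example-password', $upgrade)); // password_hash() row

// Constructed digest-like strings: == evaluates both as the number zero,
// while === and hash_equals() compare them as text.
var_dump('0e12345678' == '0e87654321', hash_equals('0e12345678', '0e87654321'));
```

When `$newHash` comes back non-null, the caller writes it to the row's password column so the SHA-1 value is retired at the user's next successful login.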