Jakebert Posted June 13, 2012

Hi gang! Here's what I'm trying to do:

```php
<?php
// the user has just signed up, as their password is stored in $password
// we hash that
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
$hash = hash("sha256", $salt . $password); // prepend the salt, then hash
$final = $salt . $hash;

// and then insert their info into the DB
$sql = "INSERT into users ('first', 'last', 'username, 'password', 'email') VALUES ('$first','$last','$username','$final','$email');";
$query = mysql_query($sql) or die(mysql_error());
?>
```

the error that is coming up is:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''first', 'last', 'username, 'password', 'email') VALUES ('FirstName','LastName','Username','67de' at line 1
```

Anyone have any inkling as to what the problem could be? Appreciate it! (suggestions on coding structure/hashing are also appreciated)

Pikachu2000 Posted June 13, 2012

Either that isn't the actual query you're using, or that isn't the actual error message. That query didn't produce that error message. But at any rate, field names don't get enclosed in quotes. If anything, you would use `backticks`. Quotes are for string values.

EDIT: Yes, it probably did. Misread it, my bad!

Jakebert Posted June 13, 2012 (Author)

hmmm. well, when i took the single quotes off the field names the error went away, so hooray!

Pikachu2000 Posted June 13, 2012

I was editing above while you were posting . . .

Jakebert Posted June 13, 2012 (Author)

Ha! Well, you were right either way!

While we're on the topic of hashing passwords and SQL queries, can anyone tell me if this is the correct way to verify a password (i.e. login) using the same hash as above? I think i'm misusing substr(), or at least that's what it tells me.

```php
<?php
if($user && $pass) //if they have entered both a username and a password
{
    $sql = "SELECT password FROM users WHERE username='$user'"; //the password is stored as a hash with a salt
    $correctHash = mysql_query($sql) or die(mysql_error());
    $salt = substr($correctHash, 0, 64);
    $validHash = substr($correctHash, 64, 64);
    $testHash = hash("sha256", $salt . $pass);
    if ($testHash == $validHash)
    {
        $sql = "SELECT id,username FROM users WHERE username='$user'";
        if(mysql_num_rows($query) == 1)
?>
```

Jakebert Posted June 13, 2012 (Author)

Sorry about the double reply! For some reason i can't edit posts anymore

```php
$sql = "SELECT password FROM users WHERE username='$user'";
$correctHash = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());
```

That returns "Resource id #5". ummmm. yeah. that's definitely not the stored value.

insidus Posted June 13, 2012

> Sorry about the double reply! For some reason i can't edit posts anymore
>
> ```php
> $sql = "SELECT password FROM users WHERE username='$user'";
> $correctHash = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());
> ```
>
> That returns "Resource id #5". ummmm. yeah. that's definitely not the stored value.

```php
while($row = mysql_fetch_array($correctHash)) {
    echo $row['password'];
}
```

shlumph Posted June 13, 2012

You'll need to do the same hash algorithm for logging in as signing up. And if you're generating a random salt when the user is signing up, how are you going to log them in without knowing that specific salt for the user?

Edit: Never mind, I missed that you're prepending the salt to the password.

Jakebert Posted June 13, 2012 (Author)

Aha! That worked. Can anyone figure out why this keeps throwing the "incorrect login" info?

This is how I'm hashing the password on registration:

```php
<?php
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
$hash = hash("sha256", $salt . $password); // prepend the salt, then hash
$final = $salt . $hash;
?>
```

And this is how I'm hashing it in the login:

```php
<?php
if($user && $pass)
{
    $sql = "SELECT password FROM users WHERE username='$user'";
    $query = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());
    $row = mysql_fetch_array($query);
    $correctHash = $row['password'];
    $salt = substr($correctHash, 0, 64);
    $validHash = substr($correctHash, 64, 64);
    $testHash = hash("sha256", $salt . $pass);
    if ($testHash == $validHash)
    {
        // run the second query before fetching from it
        $query = mysql_query("SELECT id,username FROM users WHERE username='$user'") or die(mysql_error());
        $row = mysql_fetch_assoc($query);
        $_SESSION['id'] = $row['id'];
        $_SESSION['username'] = $row['username'];
        echo "<script type='text/javascript'>window.location='home.php'</script>";
    }
    else
    {
        echo "<script type='text/javascript'> alert('Username and password combination is incorrect'); window.location='index.php'</script>";
    }
}
else
{
    echo "<script type='text/javascript'> alert('Please enter a username AND a password'); window.location='index.php'</script>";
}
?>
```

I'm sure I've mixed up one of the salts or something... gr.

shlumph Posted June 13, 2012

I think this is what you want:

```php
$correctHash = $row['password']; // This should have the prepended salt, along with the hashed password + salt
$salt = substr($correctHash, 0, 64); // If the salt is always 64 chars, then this should be OK
$testHash = $salt . hash("sha256", $salt . $pass); // Should match up with $correctHash
if ($testHash == $correctHash)
```

However, if it doesn't work, I would suggest echoing out your hashes/salts to debug. It should be easy to identify what's going wrong seeing everything printed out.

Jakebert Posted June 13, 2012 (Author)

this is the strangest thing.

```php
<?php
$sql = "SELECT password FROM users WHERE username='$user'";
$query = mysql_query($sql) or die("Query: $sql<br>Error: " . mysql_error());
$rows = mysql_fetch_array($query);
$correctHash = $rows['password'];
echo $correctHash . "<br />";
$salt = substr($correctHash, 0, 64);
echo $salt . "<br />";
$testHash = $salt . hash("sha256", $salt . $pass);
echo $testHash . "<br />";
if ($testHash == $correctHash)
?>
```

And the results of the echoes are:

```
7c3396065c8e7758f8afdeb57c53349e // $correcthash (password in the DB)
7c3396065c8e7758f8afdeb57c53349e // $salt
7c3396065c8e7758f8afdeb57c53349e1d509fa8ebe0323350b548f76ba0cbf7db8b912deeb0249b4d32a4368b400914 // $testhash (password the user entered)
```

which means that the SALT and the password in the DB are the same..... what in the name of Valhalla?!

Here's how I made the password in the DB.

```php
<?php
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
$hash = hash("sha256", $salt . $password); // prepend the salt, then hash
$final = $salt . $hash;
?>
```

shlumph Posted June 13, 2012

Try printing out $salt, $hash, and $final and see if they are what you expect. In the case for the user above, it should have been:

```
7c3396065c8e7758f8afdeb57c53349e // $salt
1d509fa8ebe0323350b548f76ba0cbf7db8b912deeb0249b4d32a4368b400914 // $hash
7c3396065c8e7758f8afdeb57c53349e1d509fa8ebe0323350b548f76ba0cbf7db8b912deeb0249b4d32a4368b400914 // $final
```

It may be that your database column isn't large enough to hold the full $final. Or your $salt is returning null.

Jakebert Posted June 13, 2012 (Author)

BRILLIANT! database field was too short. it boggles my mind how you guessed that. You sir, are a gentleman and a scholar.
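
The login check from this thread, as an added example that is not code from any poster: it keeps the salt-plus-SHA-256 record format, swaps in `random_bytes()`, `hash_equals()` and PDO prepared statements, and rejects a stored value of the wrong length so that a too-short column shows up as its own failure. The in-memory SQLite table, the user names and the passwords are constructed, and the `substr(..., 0, 32)` insert simulates the truncated column.

```php
<?php
// Added example. Table layout, user names and passwords are constructed sample data.
const SALT_HEX = 64;   // 32 random bytes written as hex
const HASH_HEX = 64;   // SHA-256 digest written as hex

function make_record(string $password): string {
    $salt = bin2hex(random_bytes(32));            // replaces mcrypt_create_iv()
    return $salt . hash('sha256', $salt . $password);
}

function verify_record(string $stored, string $password): string {
    // A stored value of the wrong length means the column cut it off.
    if (strlen($stored) !== SALT_HEX + HASH_HEX || !ctype_xdigit($stored)) {
        return 'corrupt-record';
    }
    $salt     = substr($stored, 0, SALT_HEX);
    $expected = substr($stored, SALT_HEX, HASH_HEX);
    $actual   = hash('sha256', $salt . $password);
    // hash_equals() compares in constant time, unlike ==.
    return hash_equals($expected, $actual) ? 'ok' : 'bad-password';
}

function login(PDO $db, string $user, string $pass): string {
    // Column names are bare identifiers; values travel as bound parameters.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    // Unknown user and wrong password give the same answer to the caller.
    return $stored === false ? 'bad-password' : verify_record($stored, $pass);
}

$db = new PDO('sqlite::memory:');                 // stands in for the MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');

$insert->execute(['alice', make_record('correct horse')]);
// Simulated 32-character column: only this prefix of the record gets stored.
$insert->execute(['bob', substr(make_record('hunter2'), 0, 32)]);

$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'hunter2']];
foreach ($attempts as [$u, $p]) {
    printf("%-6s %-14s => %s\n", $u, $p, login($db, $u, $p));
}
```

With the full 128-character record the check splits cleanly at offset 64; with the truncated one it reports `corrupt-record` instead of a misleading wrong-password result.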