simple mysql / hash problem

Jakebert · June 13, 2012

Hi gang! Here's what I'm trying to do:

<?php

// the user has just signed up, as their password is stored in $password
//we hash that

$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
$hash = hash("sha256", $salt . $password); // prepend the salt, then hash
$final = $salt . $hash;

// and then insert their info into the DB

$sql = "INSERT into users ('first', 'last', 'username, 'password', 'email') VALUES ('$first','$last','$username','$final','$email');";
$query = mysql_query($sql) or die(mysql_error());

?>

the error that is coming up is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''first', 'last', 'username, 'password', 'email') VALUES ('FirstName','LastName','Username','67de' at line 1

Anyone have any inkling as to what the problem could be? Appreciate it! (suggestions on coding structure/hashing are also appreciated)

Pikachu2000 · June 13, 2012

Either that isn't the actual query you're using, or that isn't the actual error message. That query didn't produce that error message. But at any rate, field names don't get enclosed in quotes. If anything, you would use `backticks`. Quotes are for string values.

EDIT: Yes, it probably did. Misread it, my bad!

Jakebert · June 13, 2012

hmmm. well, when i took the single quotes off the field names the error went away, so hooray!

Pikachu2000 · June 13, 2012

I was editing above while you were posting . . .

Jakebert · June 13, 2012

Ha! Well, you were right either way!

While we're on the topic of hashing passwords and SQL queries, can anyone tell me if this is the correct way to verify a password (i.e. login) using the same hash as above? I think i'm misusing substr(), or at least that's what it tells me.

<?php

if($user && $pass) //if they have entered both a username and a password
{
	$sql = "SELECT password FROM users WHERE username='$user'"; //the password is stored as a hash with a salt
	$correctHash = mysql_query($sql) or die(mysql_error());
	$salt = substr($correctHash,0, 64);
	$validHash = substr($correctHash, 64, 64);

	$testHash = hash("sha256", $salt. $pass);

	if ($testHash == $validHash)
	{
		$sql="SELECT id,username FROM users WHERE username='$user'";
		if(mysql_num_rows($query) == 1)

?>

Jakebert · June 13, 2012

Sorry about the double reply! For some reason i can't edit posts anymore :confused:

sql = "SELECT password FROM users WHERE username='$user'";
	$correctHash = mysql_query($sql) or die("Query: $query<br>Error: " . mysql_error());

That returns "Resource id #5". ummmm. yeah. that's definitely not the stored value.

insidus · June 13, 2012

Sorry about the double reply! For some reason i can't edit posts anymore
sql = "SELECT password FROM users WHERE username='$user'";
	$correctHash = mysql_query($sql) or die("Query: $query<br>Error: " . mysql_error());
That returns "Resource id #5". ummmm. yeah. that's definitely not the stored value.

while($row = mysql_fetch_array($correctHash))
{
    echo $row['password'];
}

shlumph · June 13, 2012

You'll need to do the same hash algorithm for logging in as signing up. And if your generating a random salt when the user is signing up, how are you going to log them in without knowing that specific salt for the user?

Edit: Nevermind, I missed that you're prepending the salt to the password.

Jakebert · June 13, 2012

Aha! That worked. Can anyone figure out why this keeps throwing the "incorrect login" info?

This is how I'm hashing the password on registration:

<?php
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
$hash = hash("sha256", $salt . $password); // prepend the salt, then hash
$final = $salt . $hash;?>

And this is how I'm hashing it in the login:

<?php
if($user && $pass)
{
	$sql = "SELECT password FROM users WHERE username='$user'";
	$query = mysql_query($sql) or die("Query: $query<br>Error: " . mysql_error());
	$row = mysql_fetch_array($query);
	$correctHash = $row['password'];		

	$salt = substr($correctHash,0, 64);
	$validHash = substr($correctHash, 64, 64);

	$testHash = hash("sha256", $salt. $pass);

	if ($testHash == $validHash)
	{
		$query="SELECT id,username FROM users WHERE username='$user'";
			$row = mysql_fetch_assoc($query);
			$_SESSION['id'] = $row['id'];
			$_SESSION['username'] = $row['username'];

			echo "<script type='text/javascript'>window.location='home.php'</script>";
	}

		else
			{
				echo "<script type='text/javascript'>
				alert('Username and password combination is incorrect');
				window.location='index.php'</script>";
			}

		}
else
{
	echo "<script type='text/javascript'>
	alert('Please enter a username AND a password');
	window.location='index.php'</script>";
	}

}?>

I'm sure I've mixed up one of the salts or something... gr.

shlumph · June 13, 2012

I think this is what you want:

$correctHash = $row['password']; //This should have the prepended salt, along with the hashed password + salt

$salt = substr($correctHash,0, 64); //If the salt is always 64 chars, then this should be OK

$testHash = $salt . hash("sha256", $salt. $pass); //Should match up with $correctHash

if ($testHash == $correctHash)

However, if it doesn't work, I would suggest echoing out your hashes/salts to debug. It should be easy to identify what's going wrong seeing everything printed out.

Jakebert · June 13, 2012

this is the strangest thing.

<?php
$sql = "SELECT password FROM users WHERE username='$user'";
	$query = mysql_query($sql) or die("Query: $query<br>Error: " . mysql_error());
	$rows = mysql_fetch_array($query);
	$correctHash = $rows['password'];		
	echo $correctHash . "<br />";
	$salt = substr($correctHash,0, 64);
	echo $salt. "<br />";
	$testHash = $salt . hash("sha256", $salt. $pass);
	echo $testHash. "<br />";
	if ($testHash == $correctHash)
?>

And the results of the echoes are:

7c3396065c8e7758f8afdeb57c53349e // $correcthash (password in the DB)
7c3396065c8e7758f8afdeb57c53349e // $salt
7c3396065c8e7758f8afdeb57c53349e1d509fa8ebe0323350b548f76ba0cbf7db8b912deeb0249b4d32a4368b400914 // $testhash (password the user entered)

which means that the SALT and the password in the DB are the same..... what in the name of Valhalla?! :wtf:

Here's how I made the password in the DB.

 <?php 
$salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); // get 256 random bits in hex
$hash = hash("sha256", $salt . $password); // prepend the salt, then hash
$final = $salt . $hash; ?>

shlumph · June 13, 2012

Try printing out $salt, $hash, and $final and see if they are what you expect. In the case for the user above, it should have been:

7c3396065c8e7758f8afdeb57c53349e // $salt
1d509fa8ebe0323350b548f76ba0cbf7db8b912deeb0249b4d32a4368b400914 // $hash
7c3396065c8e7758f8afdeb57c53349e1d509fa8ebe0323350b548f76ba0cbf7db8b912deeb0249b4d32a4368b400914 // $final

It may be that your database column isn't large enough to hold the full $final. Or your $salt is returning null.

Jakebert · June 13, 2012

BRILLIANT! database field was too short. it boggles my mind how you guessed that. You sir, are a gentleman and a scholar.

Sign In

simple mysql / hash problem

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Join the conversation

Important Information