Nothadoth Posted August 5, 2012

I have set up a website for a friend on my own web space. All works fine, as he has an admin control panel where he can log in and change whatever he likes.

When a user is created for this admin CP, the password is set into the MySQL database using

    user_password = PASSWORD('$password')

This works fine and encrypts it as expected, and I am able to log in using the password as normal.

I have now set up his own webspace and exported his database and files to it. Now when I try to log in on his new site it does not recognise the password string. Why?

All the coding is fine, as I have tried changing the password in the database to an unencrypted one, changed the login feature and took the PASSWORD() function away, and it works. So it is just that PASSWORD() is not recognising the string that was set on the old site.

Nothadoth Posted August 5, 2012 (Author)

I thought it may have been because of the MySQL version, so I ran a MySQL query on the new site with the following (Username: admin, Password: admin):

    $sql = "INSERT INTO tbl_user (user_name, user_password, user_regdate)
            VALUES ('$userName', PASSWORD('$password'), '$config_datetime')";

This returned the password string in the database as:

    *2470C0C06DEE42FD1618BB99005ADCA

Then in the login function it runs the following (and returns "Wrong Username or Password"):

        if ($userName == '') {
            $errorMessage = 'You must enter your username';
        } else if ($password == '') {
            $errorMessage = 'You must enter the password';
        } else {
            // check the database and see if the username and password combo do match
            $sql = "SELECT user_id
                    FROM tbl_user
                    WHERE user_name = '$userName' AND user_password = PASSWORD('$password')";
            $result = dbQuery($sql);

            if (dbNumRows($result) == 1) {
                $row = dbFetchAssoc($result);
                $_SESSION['plaincart_user_id'] = $row['user_id'];

                // log the time when the user last login
                $sql = "UPDATE tbl_user
                        SET user_last_login = '$config_datetime'
                        WHERE user_id = '{$row['user_id']}'";
                dbQuery($sql);

                // now that the user is verified we move on to the next page
                // if the user had been in the admin pages before we move to
                // the last page visited
                if (isset($_SESSION['login_return_url'])) {
                    header('Location: ' . $_SESSION['login_return_url']);
                    exit;
                } else {
                    header('Location: index.php');
                    exit;
                }
            } else {
                $errorMessage = 'Wrong username or password';
            }
        }

        return $errorMessage;
    }

I'm completely confused. If I remove the user_password = PASSWORD('$password') and put the password string from the top of the post into the Password box then it works fine. So it seems that it is just that the PASSWORD() function is giving the same result on both queries...

Nothadoth Posted August 5, 2012 (Author)

I have solved it. The new MySQL version used a longer encryption. The password field I was using before was limited to VARCHAR 32, where the new password string was 41 chars long. So I changed it to VARCHAR 50 just in case and it works fine.

I also replaced all PASSWORD() functions with SHA1(), as I have researched and found that it is a strong encryption.

Hope this helps anyone.

requinix Posted August 5, 2012

1. SHA1 is not encryption. It is hashing.
2. SHA1 alone is not "strong".
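
Added example (Python, not code from the thread or from any poster): it models the VARCHAR(32) truncation described in the solution post and, relevant to the remark that SHA1 alone is not strong, contrasts the unsalted hash with a salted, iterated one. The function names, the sample password and the PBKDF2 round count are assumptions made for illustration; the 32-character value is the one quoted in the thread.

```python
import hashlib
import hmac
import os

MYSQL41_LEN = 41          # '*' followed by 40 hex characters
PBKDF2_ROUNDS = 200_000   # assumed work factor for this example; tune per hardware


def mysql41_password(pw):
    """MySQL 4.1+ PASSWORD() format: '*' + upper-case hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def varchar(value, width):
    """Model a non-strict INSERT into VARCHAR(width): the excess is silently cut."""
    return value[:width]


def legacy_login(stored, submitted):
    """Model of the thread's check: user_password = PASSWORD('$password')."""
    return stored == mysql41_password(submitted)


def is_truncated(stored):
    """Flag stored values that start like a 4.1+ hash but are too short."""
    return stored.startswith("*") and len(stored) < MYSQL41_LEN


def hash_password(pw):
    """Salted, iterated hash stored as 'rounds$salt_hex$digest_hex' (104 chars)."""
    salt = os.urandom(16)  # fresh salt per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return f"{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(stored, pw):
    """Recompute with the stored salt and rounds, compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = "example-passphrase"  # constructed sample input
    full = mysql41_password(pw)
    print("VARCHAR(50) login ok:", legacy_login(varchar(full, 50), pw))
    print("VARCHAR(32) login ok:", legacy_login(varchar(full, 32), pw))
    print("thread value truncated:", is_truncated("*2470C0C06DEE42FD1618BB99005ADCA"))
    stored = hash_password(pw)
    print("salted verify:", verify_password(stored, pw), len(stored))
```

The same column-width lesson applies to the salted format: the password column has to hold the full stored string, or verification fails in the same way.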