Jump to content

Alias.io How To Store Passwords Safely With Php And Mysql Problem


aquatradehub

Recommended Posts

Hi, I am trying to use the

How to store passwords safely with PHP and MySQL

 

script from

 

http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/

 

but am not having any luck. Here is the script that encrypts the password and writes it to the database:

 

/* Let's prepare the password encryption */
// Create a 256 bit (64 characters) long random salt
// Let's add 'something random' and the username
// to the salt as well for added security
$salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username));
// Prefix the password with the salt
$hash = $salt . $password1;
// Hash the salted password a bunch of times
for ( $i = 0; $i < 100000; $i ++ ) {
 $hash = hash('sha256', $hash);
}
// Prefix the hash with the salt so we can find it back later
$hash = $salt . $hash;
/* Check no duplicate usernames */
include("../mysql/connect.php");
$con = mysql_connect("$host", "$user", "$pass") or die(mysql_error());
$query = "SELECT COUNT(*) AS count FROM members WHERE username='$username'";
@mysql_select_db("$db") or die( "Unable to select database");
$results = mysql_query($query) or die ("Error reading from database");
$existingUsernames = mysql_fetch_array($results);
if ($existingUsernames['count'] > 0) {
    header('Location: usererror.php');
}
else {
 $con = mysql_connect("$host", "$user", "$pass") or die(mysql_error());
    $query1 = "SELECT COUNT(*) AS count FROM members WHERE email='$email'";
    @mysql_select_db("$db") or die( "Unable to select database");
    $results1 = mysql_query($query1) or die ("Error reading from database");
    $existingEmails = mysql_fetch_array($results1);
    if ($existingEmails['count'] > 0) {
		    header('Location: emailerror.php');
    }
    else {
		    /* Write to MySQL database */
		    $sql="INSERT INTO members (username, hash, firstname, surname, email, address1, address2, town, county, postcode, birthday, birthmonth, birthyear, paypalemail, terms)
		    VALUES ('$_POST[username]','$hash','$_POST[firstname]','$_POST[surname]','$_POST[email]','$_POST[address1]','$_POST[address2]','$_POST[town]','$_POST[county]','$_POST[postcode]','$_POST[birthday]','$_POST[birthmonth]','$_POST[birthyear]','$_POST[paypalemail]','$_POST[terms]')";
		    if (!mysql_query($sql,$con))
		    {
				    die('Error: ' . mysql_error());
		    }

   /* Send validation email */

 

 

Here is my login form

 

<div id="topLogin">
<span>
<form action="/mysql/loginprocess.php" method="POST">
Username:<input size="10" name="username" type="text">   Password: <input size="10" name="password" type="password">  <input value="Login" type="submit">
</form></span>
</div>

 

Here is the code for processing the login:

 

<?php
$username = $_GET['username'];
$password = $_GET['password1'];
include("connect.php");
$con = mysql_connect("$host", "$user", "$pass") or die(mysql_error());
if (!$con)
 {
 die('Could not connect: ' . mysql_error());
 }
mysql_select_db("$db", $con);
$sql = '
 SELECT
   `hash`
 FROM `members`
   WHERE
  `username` = "' . mysql_real_escape_string($username) . '"
 LIMIT 100
 ;';
$r = mysql_fetch_assoc(mysql_query($sql));
// The first 64 characters of the hash is the salt
$salt = substr($r['hash'], 0, 64);
$hash = $salt . $password1;
// Hash the password as we did before
for ( $i = 0; $i < 100000; $i ++ ) {
 $hash = hash('sha256', $hash);
}
$hash = $salt . $hash;
if ( $hash == $r['hash'] ) {
 // Ok!
 echo "Login success";
} else {
echo "Login Failed";
}
?>

 

Every time I login, it says Login Failed.

 

Any ideas? Im really stuck on this

Link to comment
Share on other sites

Not the best guide, to be honest. Lots of good points in it, I'll give the author that, but there's still a few minor details he's missed out on. For instance the multi-hashing of the password.

Running a password through several iterations of a hashing function, without adding the salt at every step, won't do you any good. In fact, it might even lower the overall strength of the password as you increase the possibility of collisions.

 

There is a very good article about secure login systems, which I strongly recommend you to read. It'll help you understand the finer details, and how to properly secure your user system.

 

As for your script:

There is no point in having double quotes around variables as you've with your DB details, that just adds overhead without any benefit at all. Same as writing 0 + 1 + 0 every time you want to have 1. You're also not handling errors at all, nor are you validating input. Both of which should really be done. Not only for your own benefit, but also for your users' benefit. Plenty of posts and articles on how to do them both, both in this forum and on the net in general.

The reason your code doesn't work will be apparent as soon as you turn on error reporting, btw.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.