aquatradehub, posted October 14, 2012

Hi, I am trying to use the "How to store passwords safely with PHP and MySQL" script from http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/ but am not having any luck. Here is the script that encrypts the password and writes it to the database:

```php
/* Let's prepare the password encryption */
// Create a 256 bit (64 characters) long random salt
// Let's add 'something random' and the username
// to the salt as well for added security
$salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username));

// Prefix the password with the salt
$hash = $salt . $password1;

// Hash the salted password a bunch of times
for ( $i = 0; $i < 100000; $i ++ ) {
    $hash = hash('sha256', $hash);
}

// Prefix the hash with the salt so we can find it back later
$hash = $salt . $hash;

/* Check no duplicate usernames */
include("../mysql/connect.php");
$con = mysql_connect("$host", "$user", "$pass") or die(mysql_error());
$query = "SELECT COUNT(*) AS count FROM members WHERE username='$username'";
@mysql_select_db("$db") or die( "Unable to select database");
$results = mysql_query($query) or die ("Error reading from database");
$existingUsernames = mysql_fetch_array($results);

if ($existingUsernames['count'] > 0) {
    header('Location: usererror.php');
} else {
    $con = mysql_connect("$host", "$user", "$pass") or die(mysql_error());
    $query1 = "SELECT COUNT(*) AS count FROM members WHERE email='$email'";
    @mysql_select_db("$db") or die( "Unable to select database");
    $results1 = mysql_query($query1) or die ("Error reading from database");
    $existingEmails = mysql_fetch_array($results1);

    if ($existingEmails['count'] > 0) {
        header('Location: emailerror.php');
    } else {
        /* Write to MySQL database */
        $sql="INSERT INTO members (username, hash, firstname, surname, email, address1, address2, town, county, postcode, birthday, birthmonth, birthyear, paypalemail, terms)
        VALUES ('$_POST[username]','$hash','$_POST[firstname]','$_POST[surname]','$_POST[email]','$_POST[address1]','$_POST[address2]','$_POST[town]','$_POST[county]','$_POST[postcode]','$_POST[birthday]','$_POST[birthmonth]','$_POST[birthyear]','$_POST[paypalemail]','$_POST[terms]')";
        if (!mysql_query($sql,$con)) {
            die('Error: ' . mysql_error());
        }
        /* Send validation email */
```

Here is my login form:

```html
<div id="topLogin">
  <span>
    <form action="/mysql/loginprocess.php" method="POST">
      Username:<input size="10" name="username" type="text">
      Password: <input size="10" name="password" type="password">
      <input value="Login" type="submit">
    </form>
  </span>
</div>
```

Here is the code for processing the login:

```php
<?php
$username = $_GET['username'];
$password = $_GET['password1'];

include("connect.php");
$con = mysql_connect("$host", "$user", "$pass") or die(mysql_error());
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("$db", $con);

$sql = '
    SELECT `hash`
    FROM `members`
    WHERE `username` = "' . mysql_real_escape_string($username) . '"
    LIMIT 100
;';
$r = mysql_fetch_assoc(mysql_query($sql));

// The first 64 characters of the hash is the salt
$salt = substr($r['hash'], 0, 64);
$hash = $salt . $password1;

// Hash the password as we did before
for ( $i = 0; $i < 100000; $i ++ ) {
    $hash = hash('sha256', $hash);
}
$hash = $salt . $hash;

if ( $hash == $r['hash'] ) {
    // Ok!
    echo "Login success";
} else {
    echo "Login Failed";
}
?>
```

Every time I login, it says Login Failed. Any ideas? I'm really stuck on this.
Christian F., posted October 14, 2012

Not the best guide, to be honest. Lots of good points in it, I'll give the author that, but there's still a few minor details he's missed out on. For instance the multi-hashing of the password. Running a password through several iterations of a hashing function, without adding the salt at every step, won't do you any good. In fact, it might even lower the overall strength of the password as you increase the possibility of collisions. There is a very good article about secure login systems, which I strongly recommend you read. It'll help you understand the finer details, and how to properly secure your user system.

As for your script: There is no point in having double quotes around variables as you have with your DB details, that just adds overhead without any benefit at all. Same as writing 0 + 1 + 0 every time you want to have 1. You're also not handling errors at all, nor are you validating input. Both of which should really be done. Not only for your own benefit, but also for your users' benefit. Plenty of posts and articles on how to do them both, both in this forum and on the net in general.

The reason your code doesn't work will be apparent as soon as you turn on error reporting, btw.
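As an added illustration of the points raised in both posts above (this is example code written for this page, not code from the thread or from the alias.io article): a registration and login pair that reads the field names the form actually submits (`username` and `password`, via POST), delegates salting and key stretching to PHP's built-in `password_hash()` / `password_verify()` (bcrypt, which generates a random per-user salt and applies the work factor internally, so there is no hand-rolled SHA-256 loop to get wrong), validates input, and uses PDO prepared statements so the user-supplied fields are never interpolated into SQL. It assumes PHP 7.0 or later with the `pdo_sqlite` extension and uses an in-memory SQLite database with a reduced `members` table (`username`, `hash` only) so it runs stand-alone; the sample usernames and passwords at the bottom are constructed values.

```php
<?php
// Added example (not from the thread): registration + login with password_hash()
// and prepared statements. Assumes PHP >= 7.0 with pdo_sqlite.
// Uses an in-memory SQLite database so it can be run from the command line.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Reduced schema: the thread's real table has many more columns.
    $db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, hash TEXT NOT NULL)');
    return $db;
}

// Register a user. Returns true on success, false if the username is already taken.
function registerUser(PDO $db, string $username, string $password): bool
{
    // Basic input validation: reject empty or oversized values before touching the DB.
    if ($username === '' || strlen($username) > 64 || $password === '' || strlen($password) > 1024) {
        throw new InvalidArgumentException('invalid username or password');
    }
    $username = strtolower($username);

    // Duplicate check with a bound parameter, never string interpolation.
    $stmt = $db->prepare('SELECT COUNT(*) FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    if ((int) $stmt->fetchColumn() > 0) {
        return false;
    }

    // bcrypt via password_hash(): random salt per user, work factor applied
    // internally, salt and cost stored inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare('INSERT INTO members (username, hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
    return true;
}

// Verify a login attempt. Returns true only if the user exists and the password matches.
function loginUser(PDO $db, string $username, string $password): bool
{
    // Dummy hash computed once, so an unknown username costs about the same
    // time as a known one (avoids leaking which usernames exist via timing).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT hash FROM members WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    // password_verify() re-derives bcrypt with the stored salt and compares in constant time.
    return password_verify($password, $row['hash']);
}

// Stand-alone demo with constructed values. A real handler reads
// $_POST['username'] and $_POST['password'], matching the form's method="POST".
$db = openDb();
var_dump(registerUser($db, 'alice', 'correct horse battery staple'));
var_dump(registerUser($db, 'alice', 'anything'));                  // duplicate username
var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'wrong password'));
var_dump(loginUser($db, "alice' OR '1'='1", 'x'));                 // treated as a literal username
```

Run it with `php example.php`. The two things that make the thread's version fail (reading `$_GET['password1']` while the form posts `password`, and hashing the never-assigned `$password1`) disappear once the handler uses the same field names as the form, which is what `display_errors` / `error_reporting(E_ALL)` would have flagged as undefined index and undefined variable notices. Separately, with bcrypt the stored string already carries its own salt, so there is no need to prefix a salt and split it back out on login, and comparing via `password_verify()` avoids both the loose `==` comparison and a hand-written equality check.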