
Sha1 + Salt On Login


verror


Hi Guys,

 

Just a quick one (sort of).

 

I am working on a registration + login system, however I am a little stuck when it comes to logging a user in due to the secured password.

 

At the moment my registration snippet is like so (cut out the un-needed stuff), the $salt is just a static value at the moment:

$salt = 'salthere';

 

mysql_query("INSERT INTO members (`id`, `first`, `last`, `email`, `username`, `password`) VALUES (NULL , '$first', '$last', '$email', '$user', sha1('$salt.$pass'))");

 

When logging a user in though how do I check against the password correctly.

 

At the moment I am checking it like this:

 

$sql="SELECT * FROM $tbl WHERE username='$user' and password='$salt.$pass'";

 

I obviously have the same $salt string in the login form as well.

However this does not work (it does if I remove the SHA1 and Salt from the registration form), any other way of verifying the password that could work?

Edited by verror
Link to comment
Share on other sites

First up, don't select * from a user table. Well, don't select * from any table, but especially not a user table with personal info and passwords in it. 2nd, PHP's crypt() is a better function for encrypting hashes, and has stronger encryption options than ye olde sha1.

 

However, your direct problem is that you are storing the sha1 hash of the password and when you come to compare it, you are using the raw password info. You need to add the sha1() hashing function to $salt.$password for the lookup as well as for the insert.

$sql="SELECT * FROM $tbl WHERE username='$user' and password=sha1('$salt.$pass')";

The other thing is, you are using the mysql sha1 to generate the hash, this means that if the database server is not the webserver, the information being passed from the webserver to the db server is unencrypted.

Link to comment
Share on other sites

Thanks for the reply Muddy,

 

I'll give it a go when I get home from work and see how it runs.

 

I have had a look at crypt() previously, never used it before so at the moment I am just trying to get the system working as is, and then look at refining the security once it is complete.

Link to comment
Share on other sites

Essentially I am receiving the defined error here for incorrect username and password.

 

$user=$_POST['user'];
$pass=$_POST['pass'];

$salt = 'salthere';
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysql_real_escape_string($user);
$pass = mysql_real_escape_string($pass);
$sql="SELECT * FROM $tbl WHERE username='$user' and password=sha1('$salt.$pass')";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){


session_register("user");
session_register("pass");
header("location:loginsuccess.php");
}
else {
echo "Wrong Username or Password";
}

 

 

And the HTML form has the correct names and id's.

 

Every login attempt provided the "Wrong username or password error".

It is definitely connecting to the database correctly (I have removed that section from the above code).

Edited by verror
Link to comment
Share on other sites

OK, if you don't mind re-populating the table then you can give this a go :

 

1st, change the signup to:

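// Hash in PHP so the plain-text password is never sent to the database.
$pass = crypt($pass, 'salthere');
// The hash is a string, so it must be quoted in the VALUES list.
$sql = <<<SQL
INSERT INTO members (
`first`,
`last`,
`email`,
`username`,
`password`
)
VALUES (
'$first',
'$last',
'$email',
'$user',
'$pass'
)
SQL;
mysql_query($sql) or die(mysql_error());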

Notice I dropped the id field from the insert? You never insert anything, at all, ever into an auto_inc field.

 

Next change the login to the following:

$user=$_POST['user'];
$pass=$_POST['pass'];
$salt = 'salthere';
$user = stripslashes($user);
$user = mysql_real_escape_string($user);
// Hash with the same salt used at signup, then compare hash to hash.
$pass = crypt($pass, $salt);
// `check` is a reserved word in MySQL, so the alias is backticked.
// The hash is quoted as a string and the WHERE ( is closed.
$sql=<<<SQL
SELECT COUNT(*) as `check`
FROM $tbl
WHERE (
username='$user'
AND
password='$pass'
)
SQL;
$result=mysql_query($sql);
$count=mysql_fetch_assoc($result);
if($count['check']==1){
session_register("user"); // <------Not sure what you are doing on
session_register("pass"); // <------ these two lines.
header("location:loginsuccess.php");
}
else {
echo "Wrong Username or Password";
}

 

I have marked two lines which I'm unsure what you are doing in, it looks like you want to add $user and $pass to the session array, but appear to in fact be passing "user" and "pass" string literals. At no point ever should you need or want to maintain password information in a session.

 

Let me know how that goes for you.

Edited by Muddy_Funster
Link to comment
Share on other sites
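
The hash-in-PHP login discussed in this thread, as an added example that is not code from any poster. It goes beyond the thread by using password_hash() and password_verify() (PHP's built-in wrapper around crypt(), with a random per-user salt instead of a static one) and PDO prepared statements in place of the mysql_* calls. The in-memory SQLite database, the reduced members table and the sample account are assumptions so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread. The in-memory SQLite database,
// the reduced members table and the sample account below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL)');

function register(PDO $db, string $user, string $pass): void
{
    // password_hash() generates a random salt for each user and stores it,
    // together with the algorithm and cost, inside the returned string.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    // id is left out so the database assigns it; values are bound as
    // parameters instead of being interpolated into the SQL text.
    $stmt = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

function login(PDO $db, string $user, string $pass): bool
{
    // Fetch only the stored hash, looked up by username alone. With a
    // per-user salt the hash cannot be recomputed for a WHERE clause.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown username
    }
    // password_verify() re-hashes $pass using the salt embedded in $stored
    // and compares the two hashes in a timing-safe way.
    return password_verify($pass, $stored);
}

register($db, 'alice', 'correct horse');        // constructed sample account

var_dump(login($db, 'alice', 'correct horse')); // matching password
var_dump(login($db, 'alice', 'wrong guess'));   // wrong password
var_dump(login($db, 'nobody', 'correct horse'));// unknown user

// After a successful login, keep only the username (or user id) in
// $_SESSION; the password and its hash never go into the session.
```

The caller shows the same "Wrong Username or Password" message for both failure cases, so the response does not reveal which usernames exist.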
