devilsvein Posted November 25, 2012

Hi guys, I've been having some issues with authenticating a person who logs into my website. I'm using crypt to hash the password from when they register, with no salt defined. The code I've used on my login page is this:

```php
if ($page_mode == 'Login') {
    require "globe.php";

    // simple post from below
    $username = htmlentities(trim($_POST['username']));
    $username = mysqli_real_escape_string($mysqli, $username);
    $password = trim($_POST['password']);

    // look up the account and read the stored hash
    $query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
    $row = mysqli_fetch_assoc($query);
    $numrows = mysqli_num_rows($query);
    $dbuser = $row['Username'];
    $dbpass = $row['Password'];

    // re-hash the submitted password, passing the stored hash as the salt
    $hashed_password = crypt($password, $dbpass);

    if (($username == '') || ($password == '')) {
        $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
    } else if ($numrows == 1) {
        if ($dbuser == $username) {
            // the check described below as always failing
            if ($hashed_password == $password) {
                $error_string .= '<font color=red>Details checked out</font>';
            } else {
                $error_string .= '<font color=red>No username can be found! (1)</font>';
            }
        }
    } else {
        $error_string .= '<font color=red>No username can be found! (2)</font>';
    }
}
```

Everything is fine until it gets to the if statement where it checks the hashed password against the user-inputted password (`$password`). It always seems to fail. I've been at this for days now and it's really starting to annoy me. Would be so grateful if someone could suggest a solution.

Pikachu2000 Posted November 25, 2012

If you didn't use a salt when you stored the password, why are you using one when you compare it to the value in the DB?

devilsvein (Author) Posted November 25, 2012

Made a change on my original script: instead of `if ($password == $hashed_password)` I used `if ($hashed_password == $dbpass)`.

@pikachu Well, the password in the database is being hashed up, I believe. It's not the same password that was inputted. In my register page, when the table updates, the user password goes through `crypt($password);`. So how would I fix this in login then? Because I can't just do `if ($password == $dbpass)`: one's hashed, the other's not.

MDCode Posted November 25, 2012

Why not hash both?

devilsvein (Author) Posted November 25, 2012

How? I thought I did so with `$hashed_password = crypt($password, $dbpass);`

Sorry for this issue, like first month into PHP.

Pikachu2000 Posted November 25, 2012

You need to use the exact same hashing method on the value from the login form that you used when the user registered in order to be able to compare the values.

devilsvein (Author) Posted November 25, 2012 (edited)

The code from register is `$hashed_password = crypt('pass1');`

So for login, instead of it being `$hashed_password = crypt($password, $dbpass);` it should be `$hashed_password = crypt($password);`

Edited November 25, 2012 by devilsvein

PFMaBiSmAd Posted November 26, 2012

The following should have worked: `if ($hashed_password == $dbpass)`

If not, slow down and troubleshoot what your code and data are doing. Echo both of those values. Are they completely different? Are they different lengths (i.e. `$dbpass` being shorter because your database table column isn't long enough to hold the value)?

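The comparisons discussed in this thread, side by side, as an added example that is not code from any of the posters. It assumes `password_hash()` as a stand-in for the salt-less `crypt()` call at registration (PHP 8 requires the salt argument); the function names, sample passwords and the 32-character column width are constructed.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.

// Registration step. password_hash() returns a crypt()-compatible string with
// a fresh random salt embedded; it stands in for the thread's crypt('pass1').
function register_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

// Login step: pass the stored hash as crypt()'s salt argument so the embedded
// salt and algorithm are reused, then compare the result to the stored hash.
function login_ok(string $input, string $dbpass): bool
{
    $hashed = crypt($input, $dbpass);
    // On failure crypt() returns a string shorter than 13 characters.
    return strlen($hashed) >= 13 && hash_equals($dbpass, $hashed);
}

$dbpass = register_hash('pass1');   // constructed sample password
$short  = substr($dbpass, 0, 32);   // constructed: hash cut by a 32-char column

$report = [
    // Comparison from the first post: hash against the plain-text input.
    'hash == typed password' => crypt('pass1', $dbpass) == 'pass1',
    // Hashing again without the stored salt picks a new random salt.
    're-hash with new salt'  => hash_equals($dbpass, register_hash('pass1')),
    // Stored hash reused as salt, result compared with the stored hash.
    'crypt(input, dbpass)'   => login_ok('pass1', $dbpass),
    'wrong password'         => login_ok('pass2', $dbpass),
    // The column-length problem raised in the last reply.
    'truncated column'       => login_ok('pass1', $short),
    // Built-in equivalent of login_ok().
    'password_verify'        => password_verify('pass1', $dbpass),
];

foreach ($report as $label => $result) {
    printf("%-24s %s\n", $label, $result ? 'match' : 'no match');
}
printf("stored length %d, truncated length %d\n", strlen($dbpass), strlen($short));
```

`hash_equals()` replaces `==` so the comparison runs in constant time and is not subject to PHP's loose string comparison rules.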