Php Hashtag Password Help, Returned Two Different Values!


BrettHartel

Thank you for taking the time to help me :)

 

I am trying to hashtag passwords and I was finally able to get the created accounts to work. But, when I try to log-in, the hashtag is different from the original hashtag. What am I doing wrong?

 

Sign-Up Code

$password = "$_POST[Password]";
$Blowfish_Pre = '$2a$05$';
$Blowfish_End = '$';
$Allowed_Chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;
$Salt_Length = 21;
for($i=0; $i<$Salt_Length; $i++)
{
   $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;


$hashed_password = crypt($password, $bcrypt_salt);
$sql="INSERT INTO Salt (User_ID, Salt)
VALUES
('$User_ID','$salt')";
if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }

 

 

Log-in Code

$Blowfish_Pre = '$2a$05$';
$Blowfish_End = '$';
$Entered_Password = $_Post[Password];
$Result_Salt = mysql_query("SELECT Salt FROM Salt WHERE User_ID='$User_ID'");
while ($row = mysql_fetch_assoc($Result_Salt)) {
   $User_Salt = $row[salt];
}
$bcrypt_salt = $Blowfish_Pre . $User_Salt . $Blowfish_End;
$Hashed_Password = crypt($Entered_Password, $bcrypt_salt);

 

Sincerely,

 

Brett Hartel

If the code worked for most passwords, then your code was good. It was the actual password itself, or the salt, that was erroneous. (Speaking of which, no point in storing the salts in their own table.)

You'll need to re-check that the salt doesn't contain any invalid/special characters that cause MySQL to throw a fit. Also, are you 100% sure that the password wasn't mistyped upon registration?

 

MySQL should only be used on variables immediately before they're added to the SQL query, and then only for string values. Applying it before this, particularly before doing any other operations on the value, will cause unintended consequences. Consequences which have a high probability of breaking your application, or causing other hard-to-detect bugs.

A few things to note:

$password = "$_POST[Password]";

 

should probably be:

$password = $_POST['Password'];

 

and:

$Entered_Password = $_Post[Password];

 

should probably be:

$Entered_Password = $_POST['Password'];

Slight correction to my previous post, as I managed to mistype something rather crucial:

mysql_real_escape_string () should only be used on variables immediately before they're added to the SQL query...

 

That's what it was supposed to read.
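
An added example (not code from any poster in this thread): the sign-up and log-in flow using PHP's built-in password_hash() and password_verify(), which keep the salt inside the stored hash so no separate Salt table is needed. The in-memory $users array, the function names, the cost value and the sample password are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. $users stands in for the database
// table; function names, cost and sample credentials are constructed.

$users = [];   // User_ID => stored hash (one column, no separate Salt table)

function register_user(array &$users, $userId, $password)
{
    // password_hash() draws a random salt from the system CSPRNG and returns
    // "$2y$<cost>$<22-char salt><31-char hash>", 60 characters in total.
    $users[$userId] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_login(array $users, $userId, $password)
{
    if (!isset($users[$userId])) {
        return false;
    }
    // password_verify() reads algorithm, cost and salt back out of the stored
    // string, re-hashes the candidate and compares in constant time.
    return password_verify($password, $users[$userId]);
}

// Simulated form input. The array key is quoted and the superglobal is spelled
// $_POST: PHP variable names are case-sensitive, so $_Post is a different,
// undefined variable and would yield an empty password.
$_POST = ['Password' => 'correct horse battery staple'];

register_user($users, 42, $_POST['Password']);

echo 'stored hash length: ', strlen($users[42]), PHP_EOL;
echo 'same password accepted: ',
    var_export(check_login($users, 42, $_POST['Password']), true), PHP_EOL;
echo 'wrong password accepted: ',
    var_export(check_login($users, 42, 'wrong password'), true), PHP_EOL;

// The crypt()-based equivalent of the check: pass the stored hash itself as
// the salt argument, since it already carries prefix, cost and salt.
$recomputed = crypt($_POST['Password'], $users[42]);
echo 'crypt() reproduces stored hash: ',
    var_export(hash_equals($users[42], $recomputed), true), PHP_EOL;
```

password_hash() and password_verify() require PHP 5.5 or later, and hash_equals() requires PHP 5.6 or later.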

Archived

This topic is now archived and is closed to further replies.
