BrettHartel Posted December 17, 2012 Share Posted December 17, 2012 Thank you for taking the time to help me I am trying to hashtag passwords and I was finally able to get the created accounts to work. But, when I try to log-in, the hashtag is different from the original hashtag. What am I do wrong? Sign-Up Code $password = "$_POST[Password]"; $Blowfish_Pre = '$2a$05$'; $Blowfish_End = '$'; $Allowed_Chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./'; $Chars_Len = 63; $Salt_Length = 21; for($i=0; $i<$Salt_Length; $i++) { $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)]; } $bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End; $hashed_password = crypt($password, $bcrypt_salt); $sql="INSERT INTO Salt (User_ID, Salt) VALUES ('$User_ID','$salt')"; if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); } Log-in Code $Blowfish_Pre = '$2a$05$'; $Blowfish_End = '$'; $Entered_Password = $_Post[Password]; $Result_Salt = mysql_query("SELECT Salt FROM Salt WHERE User_ID='$User_ID'"); while ($row = mysql_fetch_assoc($Result_Salt)) { $User_Salt = $row[salt]; } $bcrypt_salt = $Blowfish_Pre . $User_Salt . $Blowfish_End; $Hashed_Password = crypt($Entered_Password, $bcrypt_salt); Sincerely, Brett Hartel Quote Link to comment Share on other sites More sharing options...
BrettHartel Posted December 17, 2012 Author Share Posted December 17, 2012 Figured it out, I needed to call the $_Post[Password] with the mysql_real_escape_strin! Quote Link to comment Share on other sites More sharing options...
BrettHartel Posted December 17, 2012 Author Share Posted December 17, 2012 I was wrong, adding that string made ALL passwords and no password work to log-in Quote Link to comment Share on other sites More sharing options...
Christian F. Posted December 17, 2012 Share Posted December 17, 2012 If the code worked for most passwords, then your code was good. It was the actual password itself, or the salt, that was erroneous. (Speaking of which, no point in storing the salts in their own table.) You'll need to re-check that he salt doesn't contain any invalid/special characters, that causes MySQL to throw a fit. Also, you 100% sure that the password wasn't mistyped upon registration? MySQL should only be used on variables immediately before they're added to the SQL query, and then only for string values. Applying it before this, particularly before doing any other operations on the value, will cause unintended consequences. Consequences which has a high probability of breaking your application, or causing other hard-to-detect bugs. Quote Link to comment Share on other sites More sharing options...
NomadicJosh Posted December 18, 2012 Share Posted December 18, 2012 (edited) A few things to note: $password = "$_POST[Password]"; should probably be: $password = $_POST['Password']; and: $Entered_Password = $_Post[Password]; should probably be: $Entered_Password = $_POST['Password']; Edited December 18, 2012 by parkerj Quote Link to comment Share on other sites More sharing options...
BrettHartel Posted December 18, 2012 Author Share Posted December 18, 2012 Thank you guys! Quote Link to comment Share on other sites More sharing options...
Christian F. Posted December 18, 2012 Share Posted December 18, 2012 Slight correction to my previous post, as I managed to mistype something rather crucial: mysql_real_escape_string () should only be used on variables immediately before they're added to the SQL query... That's what it was supposed to read. Quote Link to comment Share on other sites More sharing options...
Jessica Posted December 18, 2012 Share Posted December 18, 2012 Hashtag is a nickname for when people do #this on twitter. Hash is a one-way encryption of data. You cannot hashtag your data. You can hash it. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.