Nightasy Posted July 5, 2013 (edited)

Greetings all,

I was trying to learn how to use a hash to encrypt the passwords in my database, and that went all fine till I tried to create some login scripts. The username and password always show as not matching. I'm obviously new to PHP and taking a college course on it right now. This is not an assignment, more just me fooling around trying to learn some things beyond the scope of the course.

Here's the code that's not working. I know the problem is on this page here. The actual registration works like a charm and encrypts the password just fine. I just don't understand how to unencrypt that password to check if the user is using the correct password when logging in.

```php
<?php
// This page defines two functions used by the login/logout process.

/* This function determines an absolute URL and redirects the user there.
   The function takes one argument: the page to be redirected to.
   The argument defaults to index.php. */
function redirect_user($page = 'login.php') {
    // Start defining the URL...
    // URL is http:// plus the host name plus the current directory:
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Remove any trailing slashes:
    $url = rtrim($url, '/\\');
    // Add the page:
    $url .= '/' . $page;
    // Redirect the user:
    header("Location: $url");
    exit(); // Quit the script.
} // End of redirect_user() function.

/* This function validates the form data (the email address and password).
 * If both are present, the database is queried.
 * The function requires a database connection.
 * The function returns an array of information, including:
 * - a TRUE/FALSE variable indicating success
 * - an array of either errors or the database result */
function check_login($connect, $username = '', $password = '') {
    $errors = array(); // Initialize error array.

    // Validate the email address:
    if (empty($username)) {
        $errors[] = 'You forgot to enter your user name.';
    } else {
        $username = mysqli_real_escape_string($connect, trim($username));
    }

    // Validate the password:
    if (empty($password)) {
        $errors[] = 'You forgot to enter your password.';
    } else {
        $password = mysqli_real_escape_string($connect, trim($password));
    }

    if (empty($errors)) { // If everything's OK.
        require("includes/pwhash.php");
        $pass_hash = PassHash::hash($password);
        $q = "SELECT guestid, username FROM memberlist WHERE username='$username' AND password='$pass_hash'";
        $r = @mysqli_query($connect, $q); // Run the query.

        // Check the result:
        if (mysqli_num_rows($r) == 1) {
            // Fetch the record:
            $row = mysqli_fetch_array($r, MYSQLI_ASSOC);
            // Return true and the record:
            return array(true, $row);
        } else { // Not a match!
            $errors[] = 'The user name and password entered do not match those on file.';
        }
    } // End of empty($errors) IF.

    // Return false and the errors:
    return array(false, $errors);
} // End of check_login() function.
```

The actual function that created the hash is here.

pwhash.php

```php
<?php
class PassHash {
    // blowfish
    private static $algo = '$2a';
    // cost parameter
    private static $cost = '$10';

    // mainly for internal use
    public static function unique_salt() {
        return substr(sha1(mt_rand()), 0, 22);
    }

    // this will be used to generate a hash
    public static function hash($password) {
        return crypt($password, self::$algo . self::$cost . '$' . self::unique_salt());
    }

    // this will be used to compare a password against a hash
    public static function check_password($hash, $password) {
        $full_salt = substr($hash, 0, 29);
        $new_hash = crypt($password, $full_salt);
        return ($hash == $new_hash);
    }
}
?>
```

If anyone is willing to help and needs to see other pages, let me know. I'll be happy to post them here. Sheesh, working with hashes makes little sense to me. 8(

Regards,
Nightasy

Edited July 5, 2013 by Nightasy
mac_gyver Posted July 5, 2013 (Solution)

Your PassHash::hash() method is used to hash the initial password. To test if an entered password matches the stored hashed value, you need to use the check_password() method (kind of why the comment says // this will be used to compare a password against a hash).

To do this, your code must run a query that matches the username, then retrieve the `password` column for that username, and use the `password` column value and the entered password as parameters to the check_password() method.
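One way to rewrite check_login() along these lines, as an added example rather than code from the thread; it assumes the PassHash class from pwhash.php and a memberlist table with guestid, username and password columns, where password holds the bcrypt string produced by PassHash::hash():

```php
<?php
// Added example (not the original poster's code): login check that looks the
// row up by username and verifies the submitted password against the stored
// hash with PassHash::check_password(). Assumes includes/pwhash.php defines
// the PassHash class from the thread and memberlist has a `password` column.
require_once 'includes/pwhash.php';

function check_login($connect, $username = '', $password = '')
{
    $errors = array();
    $username = trim($username);

    if ($username === '') {
        $errors[] = 'You forgot to enter your user name.';
    }
    if ($password === '') {
        $errors[] = 'You forgot to enter your password.';
    }
    if (!empty($errors)) {
        return array(false, $errors);
    }

    // Query by username only. The stored hash cannot be recomputed in the
    // query because PassHash::hash() picks a fresh random salt every call.
    // A prepared statement replaces mysqli_real_escape_string() and string
    // concatenation, so the username is never interpreted as SQL.
    $stmt = mysqli_prepare($connect,
        'SELECT guestid, username, password FROM memberlist WHERE username = ?');
    if ($stmt === false) {
        return array(false, array('Database error.'));
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $guestid, $db_username, $stored_hash);
    $found = mysqli_stmt_fetch($stmt);   // true on a row, null/false otherwise
    mysqli_stmt_close($stmt);

    // check_password() re-runs crypt() with the salt embedded in the stored
    // hash, which is the only way to reproduce the same bcrypt output.
    if ($found === true && PassHash::check_password($stored_hash, $password)) {
        // Return only the columns the caller needs, never the hash itself.
        return array(true, array('guestid' => $guestid, 'username' => $db_username));
    }

    // Same message for an unknown user and a wrong password, so the response
    // does not reveal which usernames exist.
    $errors[] = 'The user name and password entered do not match those on file.';
    return array(false, $errors);
}
```

PassHash::check_password() compares the two hashes with ==; on PHP 5.6 or later, hash_equals() gives a constant-time comparison for that last step.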
Nightasy Posted July 5, 2013 (Author, edited)

@mac_gyver - Thanks a lot. I figured it out as per your feedback, and it all works great now.

Edited July 5, 2013 by Nightasy