Jump to content

Recommended Posts

Hey guys, I have got a little function which encrypts users passwords in the database when registering. It all works fine as it inserts into the database and everything, although when I come to log the user in it never generates the same password to have them both to match to login

 

Here is the function:

function cryptPass($input, $rounds = 9){
$salt = "";
$saltchars = array_merge(range('A','Z'), range('a','z'), range('0','9'));
for ($i = 0; $i < 22; $i++){
$salt .= $saltchars[array_rand($saltchars)];
}
return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);
}
 
Here is the part of my login script which checks the password they have entered with the one in the database:
 
$Password = crypt($_POST['Password']);
// Have tried $Password = cryptPass($_POST['Password']); didn't work either

// Check Password is right with Username:
if (strlen($Password) > 0){
$CheckPassDB = "SELECT `username`,`password`,`status` FROM $TblUsers WHERE `username` = '$Username' AND `password` = '$Password' AND `status` = 'Active'";
$DoQuery = mysql_query($CheckPassDB) or die (mysql_error()); // Start Query off
$DBObj = mysql_fetch_object($DoQuery); // Get an Object of Query
$DBNum = mysql_num_rows($DoQuery); // Count how many rows have been returned
 
if ($DBNum <= 0){
$Message = "Incorrect Username or Password.";
$Succ = "no";
}elseif ($DBNum > 1){
 

How can I add / change something to make my login page work? I'm not sure how to go from here now...

If you need any more information I will try to supply you with it.

 

Any help would be greatly appreciated!

 

Thanks in advance. 

 

Link to comment
https://forums.phpfreaks.com/topic/288039-password-protecting/
Share on other sites

Your cryptPass() function generates a random salt each time it is called. This is fine for hashing the users password upon registering. But it is not fine however for when you go to authorise the user. Because the function wont generate the same password hash as it did when the user first registered due to the random salt being generated.

 

In order for the same hash to be generated you need to instead crypt the password with the original salt that function used for hashing the password. This salt should be stored in your database along with the hashed password.

 

However this now makes the password weaker, because in a worst case scenario if an attacker did get access to your database they not only have the hashed password but they now have the salt too. So they can now do a brute-force attack with the salt. This is why using your own password hashing method can be dangerous.

 

Instead I recommend you to use PHP's new password hashing functions for handing users passwords. If you do not have PHP5.5 then use ircmaxwell's password compatibility library instead.

Link to comment
https://forums.phpfreaks.com/topic/288039-password-protecting/#findComment-1477357
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.