Password protecting


dean7


Hey guys, I have got a little function which encrypts users' passwords in the database when registering. It all works fine as it inserts into the database and everything, although when I come to log the user in it never generates the same password, so the two never match to log in.

 

Here is the function:

function cryptPass($input, $rounds = 9){
    // Build a 22-character salt from A-Z, a-z, 0-9
    $salt = "";
    $saltchars = array_merge(range('A','Z'), range('a','z'), range('0','9'));
    for ($i = 0; $i < 22; $i++){
        $salt .= $saltchars[array_rand($saltchars)];
    }
    // bcrypt: "$2y$" + two-digit cost + salt
    return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);
}
 
Here is the part of my login script which checks the password they have entered with the one in the database:
 
$Password = crypt($_POST['Password']);
// Have tried $Password = cryptPass($_POST['Password']); didn't work either

// Check Password is right with Username:
if (strlen($Password) > 0){
    $CheckPassDB = "SELECT `username`,`password`,`status` FROM $TblUsers WHERE `username` = '$Username' AND `password` = '$Password' AND `status` = 'Active'";
    $DoQuery = mysql_query($CheckPassDB) or die (mysql_error()); // Start Query off
    $DBObj = mysql_fetch_object($DoQuery); // Get an Object of Query
    $DBNum = mysql_num_rows($DoQuery); // Count how many rows have been returned

    if ($DBNum <= 0){
        $Message = "Incorrect Username or Password.";
        $Succ = "no";
    }elseif ($DBNum > 1){
 

How can I add / change something to make my login page work? I'm not sure how to go from here now...

If you need any more information I will try to supply you with it.

 

Any help would be greatly appreciated!

 

Thanks in advance. 

 


Your cryptPass() function generates a random salt each time it is called. This is fine for hashing the user's password upon registering, but it is not fine for when you go to authorise the user, because the function won't generate the same password hash as it did when the user first registered, due to the random salt being generated.

 

In order for the same hash to be generated you need to instead crypt the password with the original salt the function used for hashing the password. This salt should be stored in your database along with the hashed password.

 

However, this now makes the password weaker, because in a worst-case scenario, if an attacker did get access to your database, they not only have the hashed password but they now have the salt too. So they can now do a brute-force attack with the salt. This is why using your own password hashing method can be dangerous.

 

Instead I recommend you use PHP's new password hashing functions for handling users' passwords. If you do not have PHP 5.5 then use ircmaxwell's password compatibility library instead.
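The following script is an added example, not code from either post. It shows the three points of the answer side by side: the poster's cryptPass() producing a different bcrypt string on every call because of its random salt; verifying against a crypt() hash by reusing the salt that is already embedded in the first 29 characters of that hash; and the recommended password_hash() / password_verify() pair. It assumes PHP 5.6 or newer (password_hash() and hash_equals() are built in; on PHP 5.5 the password_compat library supplies password_hash()). The user table is replaced by a constructed in-memory array so the script runs stand-alone; cryptPassWithSalt(), verifyWithCrypt(), registerUser() and loginUser() are names chosen here.

```php
<?php
// Added example (not the poster's code). Assumes PHP 5.6+.
// Constructed in-memory "users table" stands in for the database.

// 1. The poster's cryptPass(), with the salt made injectable so the
//    failure mode is visible: without a salt argument every call draws
//    a fresh random salt, so two hashes of the same password differ.
function cryptPassWithSalt($input, $rounds = 9, $salt = null)
{
    if ($salt === null) {
        $saltchars = array_merge(range('A', 'Z'), range('a', 'z'), range('0', '9'));
        $salt = '';
        for ($i = 0; $i < 22; $i++) {
            $salt .= $saltchars[array_rand($saltchars)];
        }
    }
    // "$2y$" + two-digit cost + 22-character salt, exactly as in the post
    return crypt($input, sprintf('$2y$%02d$', $rounds) . $salt);
}

// 2. Verifying a crypt() bcrypt string: the cost and salt are the prefix of
//    the stored hash, so the stored hash itself is passed as the salt
//    argument and crypt() recomputes the same value. No separate salt
//    column is required. hash_equals() avoids a timing side channel.
function verifyWithCrypt($input, $storedHash)
{
    return hash_equals($storedHash, crypt($input, $storedHash));
}

// 3. The recommended path: password_hash() draws a CSPRNG salt and embeds
//    it; password_verify() reads it back out. Only one column is stored.
function registerUser(array &$users, $username, $plain)
{
    $users[$username] = array(
        'password' => password_hash($plain, PASSWORD_BCRYPT, array('cost' => 10)),
        'status'   => 'Active',
    );
}

function loginUser(array $users, $username, $plain)
{
    // Look the row up by username only. The submitted password must not go
    // into the WHERE clause, because its hash cannot be recomputed before
    // the stored salt has been read. With a real database this lookup is a
    // prepared statement with a ? placeholder for the username.
    if (!isset($users[$username]) || $users[$username]['status'] !== 'Active') {
        return false;
    }
    return password_verify($plain, $users[$username]['password']);
}

// Demonstration with constructed values.
$h1 = cryptPassWithSalt('secret');
$h2 = cryptPassWithSalt('secret');
var_dump($h1 === $h2);                     // false: a different salt each call
var_dump(verifyWithCrypt('secret', $h1));  // true: salt taken from $h1 itself
var_dump(verifyWithCrypt('wrong', $h1));   // false

$users = array();
registerUser($users, 'dean7', 'secret');
var_dump(loginUser($users, 'dean7', 'secret'));  // true
var_dump(loginUser($users, 'dean7', 'wrong'));   // false
var_dump(loginUser($users, 'nobody', 'secret')); // false: no such active user
```

In the poster's login script the fix is therefore to SELECT the `password` column for the given username (with a prepared statement rather than string concatenation), and then call password_verify($_POST['Password'], $row->password), or crypt() with the stored hash as the salt if staying on the hand-rolled function.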
