PHP / Whirlpool / MySQL

[SplitZ]

Hello, I am a newbie when it comes to anything like PHP, however I have decided to go and try to make a User Control Panel for a San Andreas Multiplayer Server.

 

 

I am using MySQL and Whirlpool to store players data in, Whirlpool hashes the password for security.

 

This is my login PHP and I need to "unhash" the Whirlpool password, though it comes up with incorrect password.

 

<?php 


include("config.php"); //including our config.php where is connecting to mysql... 
session_start(); //starting session for profile.php (Dunno how to explain better) look little down 
error_reporting(0); //without this we will always get some stupid notice that variable isn't defined.... 


$submit = $_POST['submit']; //variable for submit button, in this variable we save button that player press in <input type='submit' name="submit" value='Login' />.... 
$username = sanitize($_POST['username']); //variable for username, in this variable we save text that user type in <input type="text" name="username".... 
$password = sanitize($_POST['password']); //variable for password, in this variable we save text that user type in <input type="password" name="password".... 
$pass = hash('whirpool', $_POST['password']);
if($submit) //if he press submit button 
{     
    if($username && $password) //if he type both of username and password not just one of them 
    { 
        $query = mysql_query("SELECT Username, Password FROM accounts WHERE Username = '$username'"); //selecting user name and password, change it to your field names,  chage users to your table name, $username means username that he type... 
        if(mysql_num_rows($query) == 1) //if user exists 
        { 
            while($row = mysql_fetch_assoc($query)) //loop thought table that we select in mysql_query 
            { 
                $dbusername = $row['Username']; //setting dbusername as variable from table, change 'username' to your field! 
                $dbpassword = $row['Password']; //setting dbpassword as variable from table, change 'password' to your field! 
            } 
            if($username == $dbusername && $pass == $dbpassword) //if username is same as one from table and if password is the same as one from table... 
            { 
                $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful  
                echo header('location: profile.php'); //redirecting user to his profile page (profile.php) 
            } 
            else echo "Wrong password!"; //else if user type wrong password he will get this... 
        } 
        else echo "Username doesn't exist!"; //if username doesn't exist in table user will get this 
    } 
    else echo "Type name and password!"; //else if user doesn't type all fields he will get this... 
} 


?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Basic UCP</title>
<form action='login.php' method='POST'> 
<input type="text" name="username" value='<?php echo $username?>'/> 
<input type="password" name="password"/> 
<input type='submit' name="submit" value='Login' /> 
</form>
</head>
</html>

 

[Ch0cu3r]

 

This is my login PHP and I need to "unhash" the Whirlpool password

No. You do not need to unhash the users password. This is not how you handle logins.

 

Passwords should be stored as hashes in the database, they should not be stored as plain text. When the user submits the login form you hash the password they entered. You then query your accounts table to return the record where the username and password hash matches. If the a record is returned then the user is authenticated.

[ginerjm]

Hashing is not supposed to be reversible. If the password is forgotten, your ensure that the right person is asking for a reset before setting a new password. Usually you do this by sending it to the registered email address stored with the userid. It is then the user's responsibility to ensure that his email account is not accessible to anyone else.

[SplitZ]

Alright thanks, So how would I get their input then hash it? I believe I have the right line: $pass = hash('whirpool', $_POST['password']);

[mac_gyver]

you need to debug why your logic is producing the result that it is. 

 

this is the part of your conditional test that's causing that message - .. && $pass == $dbpassword

 

start by using var_dump() on both of the hash values in $pass and in $dbpassword to see what they contain. one or the other could be empty (you have a logic error somewhere) or they could be mostly the same but different lengths (your database column isn't long enough to hold the value) or they could be completely different (the wrong password was used or your logic isn't the same when you stored the value and when you are comparing the value.)

[Jacques1]

Whirlpool? Wow, you must be the only person on this planet who actually uses that algorithm. May I ask why you picked it?

 

Unfortunately, it's a very poor choice for password hashing. A standard PC can easily calculate millions or even trillions of Whirlpool hashes per second, so this algorithm doesn't provide any serious protection against brute-force attacks. Even worse: Since the same input always leads to the same hash, Google probably knows the plaintext passwords of many hashes already.

 

So, no, this doesn't work. You need an algorithm which was specifically designed for password hashing. A common choice today is bcrypt, and PHP actually has it built in.

[QuickOldCar]

Can take a look at password_hash and password_verify

 

Is even examples there.