Swankeh Posted November 3, 2017 Share Posted November 3, 2017 Hi, I'm sorry for my bad English. I am in a problem that is a page where you connect to a database. And in the database it saves the password and the salt, what I want to know is how it could do to read the encrypted password since the code reads it without encrypting it. To encrypt it I do it when they register in a game and save it in the database, I use SHA256 and SALT to encrypt it. The problem would be how to read it in PHP. Down the code I was trying to do it by reading tutorial but it did not work. What I did was what is in / ** /, but it does not work. <?php session_start(); include("config.php"); $conn = mysqli_connect($hostname, $username, $password, $database); if (!$conn) { die("Connection failed: " . mysqli_connect_error()); } $query = "SELECT NOMBRE, CLAVE FROM `USUARIOS` WHERE `NOMBRE` = '".$_POST["playerName"]."'"; $result = mysqli_query($conn, $query); if(mysqli_num_rows($result) == 1) { while($row = mysqli_fetch_assoc($result)) { /*if($_POST["playerPassword"] === hash('sha256', $row["CLAVE"])) { $_SESSION["sessionUsername"] = $row["NOMBRE"]; echo '1'; }*/ if($_POST["playerPassword"] == $row["CLAVE"]) { $_SESSION["sessionUsername"] = $row["NOMBRE"]; echo '1'; } else echo '3'; } } else echo '2'; mysqli_close($conn); ?> Link to comment Share on other sites More sharing options...
benanamen Posted November 3, 2017 Share Posted November 3, 2017 You need to use password_hash and password_verify. You also need to use Prepared Statements. Never ever put variables in your query. I recommend you use PDO. Do not output internal system errors to the user. It is useless to the user and only good for a hacker. There is no need to manually close the connection. Php will do it automatically when the script finishes running. Search this forum. There are plenty of good code examples already posted. Link to comment Share on other sites More sharing options...
Swankeh Posted November 3, 2017 Author Share Posted November 3, 2017 Necesita usar password_hash y password_verify . También necesita usar declaraciones preparadas. Nunca coloque variables en su consulta. Te recomiendo que uses PDO . No genere errores internos del sistema para el usuario. Es inútil para el usuario y solo es bueno para un hacker. No es necesario cerrar manualmente la conexión. Php lo hará automáticamente cuando el script termine de ejecutarse. Buscar este foro Hay muchos buenos ejemplos de código ya publicados. Gracias por la respuesta. Intenté de la manera que me diste y me sucede lo mismo que la contraseña no es correcta. La forma en que guardo la contraseña es a través de un juego cuando te registras y esto para encriptar usa SHA256 con SALT para cada cuenta, ya que el lenguaje no tiene una forma similar a PHP. Si lo desea, le mostraré el código que uso para encriptarlo, aunque no creo que sirva de mucho. Edit: I had not seen the other part, you're right in what you say about the code I'd touch to see many examples and php tutorials to learn how to use it as it should be. Link to comment Share on other sites More sharing options...
gizmola Posted November 3, 2017 Share Posted November 3, 2017 Hashing is not encryption. There is no way to decrypt a hash. All you can do is take input that might match the original input that created the hash, hash that input and then compare the 2 results (hashes) to see if they match. Link to comment Share on other sites More sharing options...
Phi11W Posted November 3, 2017 Share Posted November 3, 2017 To encrypt it I do it when they register in a game and save it in the database, I use SHA256 and SALT to encrypt it. The problem would be how to read it in PHP. /*if($_POST["playerPassword"] === hash('sha256', $row["CLAVE"])) { $_SESSION["sessionUsername"] = $row["NOMBRE"]; echo '1'; }*/ Along with the many other, worthy comments you've already received ... Don't read the encrypted value back at all! Add a condition to the "where" clause checking that the entered (and salted and encrypted) password matches the value in the user record. select ... from ... where username = ? and enc_password = ? If you don't get a record back, you don't let the user in (and you don't care why - you don't tell the hacker at your door that they've found a valid username and now only have to break the password!) Regards, Phill W. Link to comment Share on other sites More sharing options...
kicken Posted November 3, 2017 Share Posted November 3, 2017 Don't read the encrypted value back at all! If you use proper password hashing, then you must read the value back from the database and cannot do the comparison in the query. You need the hashed value from the database so that you can hash the input with the same salt/parameters before doing the comparison. Link to comment Share on other sites More sharing options...
Swankeh Posted November 5, 2017 Author Share Posted November 5, 2017 Hello many thanks to all who answered, you are experts in this I, by ahore, I am learning and watching tutorials, because to a game that I am compiling I have thought about a future to make them connect by the forum with their accounts of the game and your passwords to make a page where you show your data. I have changed the login for a better one, I do not know that you know more about this, it is better because I have read a little about the injections and seen tutorials and I found this way. <?php session_start(); if(isset($_POST['usuario']) and isset($_POST['password'])){ include('conexion.php'); $nombre_de_usuario=mysqli_real_escape_string($conexion, $_POST['usuario']); $clavedeusuario=mysqli_real_escape_string($conexion, $_POST['password']); $comprabacion_del_nombre= 'SELECT * FROM USUARIOS WHERE NOMBRE="'.$nombre_de_usuario.'"'; $comprobacion=$conexion->query($comprabacion_del_nombre); if($comprobacion -> num_rows>0){ $consulta_a_la_base=mysqli_query($conexion, 'SELECT CLAVE FROM USUARIOS WHERE NOMBRE="'.$nombre_de_usuario.'"'); $recoger_dato=mysqli_fetch_assoc($consulta_a_la_base); $comprobar_password=password_verify($clavedeusuario, $recoger_dato['CLAVE']); if($comprobar_password){ $_SESSION['NOMBRE']=$nombre_de_usuario; }else{ print 'El usuario o contraseña es incorrecto.<br> <a href="./">Volver</a>'; } }else{ print 'El usuario o contraseña es incorrecto.<br> <a href="./">Volver</a>'; } }else{ header('location: ./'); } ?> My question this way is much better than the first one? Link to comment Share on other sites More sharing options...
Barand Posted November 5, 2017 Share Posted November 5, 2017 Don't use mysqli_real_escape_string() on the entered password. It could alter the entered data and cause a valid password to fail. In fact, don't use it at all, it is much better to use prepared queries instead. Why the two queries? the first is superfluous. The second one can tell you if any such record exists. Link to comment Share on other sites More sharing options...
Swankeh Posted November 5, 2017 Author Share Posted November 5, 2017 I have a small question how would the correct way to store the variable $ salt be by consulting the database to obtain it? $salt = "Result of my database"; Link to comment Share on other sites More sharing options...
Barand Posted November 5, 2017 Share Posted November 5, 2017 password_hash() and password_verify() take care of the salt for you. Link to comment Share on other sites More sharing options...
Swankeh Posted November 5, 2017 Author Share Posted November 5, 2017 password_hash() and password_verify() take care of the salt for you. Thank you for your answer, you gave me an idea, now what I will do will be at the moment that the user registers in the game encipher the password and insert the user and password in the table of accounts. mysql_format(Database, DB_Query, sizeof(DB_Query), "INSERT INTO `CUENTAS` (`NOMBRE`, `CLAVE`)\ VALUES ('%e', SHA1('%s'))", InfoU[playerid][pNombre], inputtext); mysql_tquery(Database, DB_Query); But in the part I put "SHA1 ('%s')" as it could be if I want SHA256 to try and the encryption it gives me is this: 711383a59fda05336fd2ccf70c8059d1523eb41a Can it be done with SHA256 or SHA512 instead of SHA1? Link to comment Share on other sites More sharing options...
benanamen Posted November 5, 2017 Share Posted November 5, 2017 Using password_hash you do not SHA* anything. Take a minute and read the manual. Link to comment Share on other sites More sharing options...
Swankeh Posted November 5, 2017 Author Share Posted November 5, 2017 Using password_hash you do not SHA* anything. Take a minute and read the manual. If friend I was going around that many thanks for that: D, what I say is that the language of the game I use can not use the password_hash function because when compiling it I would miss error that does not recognize that function so I The idea of doing it when registering the user also registered his account in the forum, and I saw how to do it. mysql_format(Database, DB_Query, sizeof(DB_Query), "INSERT INTO `CUENTAS` (`NOMBRE`, `CLAVE`)\ VALUES ('%e', SHA2('%s',256))", InfoU[playerid][pNombre], inputtext); mysql_tquery(Database, DB_Query); I did it like that SHA2('%s',256)) and the text is generated in this way in the database: 2e69ecb0f9b3fb9dd37c0ed376166171c65321ca09ba573517c038ae48adfb8f What would be the encryption in SHA256: D thank you very much for your response, now I will continue with the record and reading about consultations prepared to avoid injections, and any questions post in the forum since you are the experts on this subject. I appreciate the help of each one of you. Link to comment Share on other sites More sharing options...
Barand Posted November 5, 2017 Share Posted November 5, 2017 Sounds like your version of PHP is at least 4 years out of date Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.