
[SOLVED] I am trying to import passwords in a csv file into a user table as sha1 or md5


cluce


Hello,

I have some code that loops through a csv file of passwords and stores them in the database. This works fine if I input the passwords as is, but if I try to update the passwords in a md5 or sha1 function I can't log on. It's like it's not importing the same password. And when I use a sha1 or md5 decrypter that usually works, it says, "could not find a matching decryption." Can someone look at my code and tell me if anything is wrong with the login and update script? In the loop, I don't think it is UPDATING correctly with one of those security functions??

 

loop to import passwords in table

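<?php
$counter = 1; //initialize counter

include 'db.php';

$filename = "pass.csv";
$fp = fopen($filename, "r") or die("Couldn't open $filename");

//fgets() returns false at end of file, so no empty extra line is hashed
while (($line = fgets($fp, 1024)) !== false) {

    $line = trim($line);

    //escape the value before it goes into the query
    $escaped = mysqli_real_escape_string($mysqli, $line);

    $sql3 = "UPDATE employees SET password = sha1('$escaped') WHERE EmployeeID = '$counter' LIMIT 1";
    mysqli_query($mysqli, $sql3);

    echo "$counter<br>$line<br>"; //echo output
    $counter++;  //adds 1 to counter
}
fclose($fp);
?>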

 

login page code

<?php
//initialize the session
session_start();

//connect to database
include 'db.php';

//trims and strips tags and escapes fields
$checkuser = trim(strip_tags($_POST['username']));
$checkpassword = trim(strip_tags($_POST['password']));

//keep the escaped values, since these are what the queries below interpolate;
//the plaintext password is not copied into the session
$checkuser = mysqli_real_escape_string($mysqli, $checkuser);
$checkpassword = mysqli_real_escape_string($mysqli, $checkpassword);

//create and issue the query
$sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword') LIMIT 1";
$result = mysqli_query($mysqli, $sql);

//get the number of rows in the result set; should be 1 if a match
if (mysqli_num_rows($result) == 1) {

//if authorized, get the values of f_name l_name
while ($info = mysqli_fetch_array($result)) {
	$f_name = stripslashes($info['f_name']);
	$l_name = stripslashes($info['l_name']);
	$username = stripslashes($info['username']);
}
//set authorization cookie
setcookie("auth", "1", 0, "/", "rwwww.com", 0);
$_SESSION['usersname'] = $f_name . " " . $l_name;
    $_SESSION['validate'] = $username;

//get last successful login
$last_login = ("SELECT DATE_FORMAT(last_login,  '%b %e %Y at %r') aS last_login FROM employees WHERE username = '$checkuser' LIMIT 1");
$result = mysqli_query($mysqli, $last_login);
$result_login = mysqli_fetch_assoc($result);
$_SESSION['login'] = $result_login["last_login"];

//record last login
    $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";   
    mysqli_query($mysqli,$sql2);

//clears failed logins
$sql3 = "UPDATE employees SET failed_logins = 0 WHERE username = '$checkuser' LIMIT 1";
mysqli_query($mysqli, $sql3);

//sets session to identify
$_SESSION['identity'] = $checkuser;

//close connection to MySQL
mysqli_close($mysqli);

//sets login timer
$current_time = time(); // get the current time
    $_SESSION['loginTime']=$current_time; // login time
    $_SESSION['lastActivity']=$current_time; // last activity

//directs authorized user
header("Location: resource.php");
exit();
}


I did not think MD5 or SHA1 was decryptable unless you are using a specialized function. They are generally 1 way hashes. To check if passwords match you usually take the user entered password from the form and hash it up and check it against the md5/sha1 hash.


Yes, I use a website that does decryption for you, just to see what was going on with my code.

 

http://www.md5encryption.com/?mod=decrypt

 

I thought I have this done: "To check if passwords match you usually take the user entered password from the form and hash it up and check it against the md5/sha1 hash." It's just not working; it says invalid password/username combo.


The issue could lie within the fact that your mysql server may be set up to seed the hashes a certain way. I would use php functions to hash up the string instead of mysql, as it will be more efficient and less of a toll on your server, and see if that helps you out.


Can you please elaborate on this? I'm not sure what you mean. I thought I was using php functions but I was storing it in MySQL in a table in a hash form. Unless you mean don't store it in the table in a hash form but only when using the passwords in the php script. Is this what you mean?? If so, wouldn't that be insecure??

 

Umm no.

 

www.php.net/md5

www.php.net/sha1

 

PHP has built in functions.

 

Instead of:

<?php
mysql_query("INSERT INTO user (`pass`) VALUES (sha1('$password'));");
?>

 

It would be :

 

<?php
mysql_query("INSERT INTO user (`pass`) VALUES ('" . sha1($password) . "');");
?>

 

That way you use PHP to do the dirty work and not MySQL.


Well, in another project I have a user registration page that registers users' passwords in sha1 hash in the table and it works fine. Users can log in through an sql query that matches the sha1 password just fine.

I think it may be something to do with the update query and csv file in the loop code. It might be hashing a blank space or something I don't know about??? But I don't know what's going on, because the loop code works fine without the sha1 function, but the whole purpose of this was for me to store the users' (about 300) passwords in a table in hash form. I did replace my password string with the one in your example and it doesn't work either.


 

It may not be able to be decrypted by that function but it will definitely increase your MySQL performance not making MySQL hash up the password. That was the goal.

 

As for decrypting it, I am sure that PHP or MySQL has something set up (or maybe apache?) that adds their own seeds to the hash. If the md5 function or sha1 function have been seeded in a way, then that md5encryption site is useless as it can only decrypt hashes that have not been seeded.

 

 


 

OK, I understand all of this. But can you give me any suggestions why a user can't log on when I use the loop code to import the passwords (in the csv file) through sha1, but they can log in when I import the passwords without the sha1 function?? I'm lost here???


Are you sha1 hashing the user input to check against the database?

 

<?php
$dbpassword = sha1("testtext");
$password = "testtext";
$sha1_pass = sha1($password);

if ($password == $dbpassword) {
       echo 'This should never happen as regular text is being tested against sha1 encrypted text';
}elseif ($sha1_pass == $dbpassword) {
       echo 'This should work as you are testing an sha1 hashed password vs another sha1 hashed password';
}
?>

 

As an example.


Well, this is what I've used in the past for login and it worked, but this was done with a registration page and the sha1 was in an insert statement through a POST method.

Now I'm using an UPDATE statement in a loop to read a csv file to update their passwords to sha1, if this makes a difference???

//connect to database
include 'db.php';

//trims and strips tags and escapes fields
$checkuser = trim(strip_tags($_POST['username']));
$checkpassword = trim(strip_tags($_POST['password']));

//keep the escaped values, since these are what the query below interpolates;
//the plaintext password is not copied into the session
$checkuser = mysqli_real_escape_string($mysqli, $checkuser);
$checkpassword = mysqli_real_escape_string($mysqli, $checkpassword);

//create and issue the query
$sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword') LIMIT 1";
$result = mysqli_query($mysqli, $sql);

I am trying some alternatives right now.


Ok, another thing you could try is this function. Basically, using MD5 and SHA1, it will set passwords as a unique ID, which means not only will bots who match md5 strings fail to do so; identical passwords will look completely different.

 

<?php

define('SALT_LENGTH', 9);

function genHash($Text, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $Text);
}

?>

 

Finally to use this.

 

Set a password hash by:  genHash($password);

Check/Match a hash    :  genHash($password, 1);


"Ok, another thing you could try is this function; Basically using MD5 and SHA1. it will set passwords as a unique ID. which means, Not only will bots who match md5 strings fail to do so."

.......Thanks for the SALT code, but I don't think this will solve my problem, which is that the user can't log on when I use the loop code to import the passwords (in the csv file) through sha1, but when I import the passwords without the sha1 function it works?? I'm lost here??? And I am matching the passwords [password input]sha1()=[database password]sha1()

 


I solved this. All I needed to do was change my varchar type to 50 so it can handle the hash in the table properly. That's why I couldn't decrypt it at that site or log on. Thanks for your help. I learned a lot and still do in this forum.
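
The failure resolved above, reproduced as an added example (not code from the thread): a hash column narrower than the digest keeps a cut-off value, so the login comparison can never match. It goes one step beyond the thread by running the same width check for password_hash(), whose output does not fit the 50 characters chosen here. The function names, the 30-character starting width and the sample password are assumptions.

```php
<?php
// Added example, not code from the thread. Widths and the password are constructed.

// A VARCHAR(n) column in MySQL without strict SQL mode keeps only the
// first n characters of a longer value and reports just a warning.
function storeInColumn(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// The login query in the thread, reduced to its comparison:
// stored column value against sha1() of what the user typed.
function sha1LoginMatches(string $storedValue, string $typed): bool
{
    return hash_equals($storedValue, sha1($typed));
}

// Import step with a guard: hash in PHP, then refuse to write a value
// the column cannot hold in full instead of storing a cut-off hash.
function hashForColumn(string $csvLine, int $width): string
{
    $hash = password_hash(trim($csvLine), PASSWORD_DEFAULT);
    if (strlen($hash) > $width) {
        throw new LengthException('hash is ' . strlen($hash) . " chars, column holds $width");
    }
    return $hash;
}

$password = 'Winter-2009!';   // constructed sample line from the CSV

// SHA-1 hex digests are 40 characters; 30 is an assumed too-narrow width.
foreach ([30, 50] as $width) {
    $stored = storeInColumn(sha1($password), $width);
    printf("VARCHAR(%d): stored %d chars, login %s\n", $width,
        strlen($stored), sha1LoginMatches($stored, $password) ? 'ok' : 'fails');
}

// password_hash() output is longer than a SHA-1 digest, so check 50 again.
foreach ([50, 255] as $width) {
    try {
        $stored = hashForColumn($password, $width);
        printf("VARCHAR(%d): verify %s\n", $width,
            password_verify($password, $stored) ? 'ok' : 'fails');
    } catch (LengthException $e) {
        printf("VARCHAR(%d): import stopped, %s\n", $width, $e->getMessage());
    }
}
```

The PHP manual suggests a 255-character column for password_hash() output, since the default algorithm and its length can change between PHP versions.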
