[SOLVED] I am trying to import passwords in a csv file into a user table as sha1 or md5

[cluce]

hello ,

I have some code that loops through a csv file of passwords and stores them in the database.  This works fine if I input the passwords as is but if I try to update the passwords in a md5 or sha1 function I cant logon. its like its not importing the same password. And when I use a sha1 or md5 decrpyter that usually works it says ," could not find a matching decryption." can someone look at my code and tell me if anything is wrong with the login and update script.  In the loop, I dont think it is UPDATING correctly with one of those security functions??

 

loop to import passwords in table

<?php
$counter = 1; //initialize counter

include'db.php';

$filename = "pass.csv";
$fp = fopen($filename, "r") or die("Couldn't open $filename");	

while (!feof($fp)) {

$line = trim(fgets($fp, 1024));

$sql3 = "UPDATE employees SET password = sha1('$line') WHERE EmployeeID = '$counter' LIMIT 1";
mysqli_query($mysqli, $sql3);

echo "$counter<br>$line<br>"; //echo output
$counter++;  //adds 1 to counter
}
?>

 

login page code

//initialize the session
session_start();

//connect to database
include'db.php';

//trims and strips tags and escapes fields
$checkuser = trim(strip_tags($_POST['username']));
$checkpassword = trim(strip_tags($_POST['password']));

mysqli_real_escape_string($mysqli,$checkuser);
$_SESSION['password'] = mysqli_real_escape_string($mysqli,$checkpassword);

//create and issue the query
$sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword') LIMIT 1";
$result = mysqli_query($mysqli, $sql);

//get the number of rows in the result set; should be 1 if a match
if (mysqli_num_rows($result) == 1) {

//if authorized, get the values of f_name l_name
while ($info = mysqli_fetch_array($result)) {
	$f_name = stripslashes($info['f_name']);
	$l_name = stripslashes($info['l_name']);
	$username = stripslashes($info['username']);
}
//set authorization cookie
setcookie("auth", "1", 0, "/", "rwwww.com", 0);
$_SESSION['usersname'] = $f_name . " " . $l_name;
    $_SESSION['validate'] = $username;

//get last successful login
$last_login = ("SELECT DATE_FORMAT(last_login,  '%b %e %Y at %r') aS last_login FROM employees WHERE username = '$checkuser' LIMIT 1");
$result = mysqli_query($mysqli, $last_login);
$result_login = mysqli_fetch_assoc($result);
$_SESSION['login'] = $result_login["last_login"];

//record last login
    $sql2 = "UPDATE employees SET last_login=NOW() WHERE username = '$checkuser' LIMIT 1";   
    mysqli_query($mysqli,$sql2);

//clears failed logins
$sql3 = "UPDATE employees SET failed_logins = 0 WHERE username = '$checkuser' LIMIT 1";
mysqli_query($mysqli, $sql3);

//sets session to identify
$_SESSION['identity'] = $checkuser;

//close connection to MySQL
mysqli_close($mysqli);

//sets login timer
$current_time = time(); // get the current time
    $_SESSION['loginTime']=$current_time; // login time
    $_SESSION['lastActivity']=$current_time; // last activity

//directs authorized user
header("Location: resource.php");
exit(); 

[per1os]

I did not think MD5 or SHA1 was decryptable unless you are using a specialized function. They are generally 1 way hashes. To check if passwords match you usually take the user entered password from the form and hash it up and check it against the md5/sha1 hash.

[cluce]

I did not think MD5 or SHA1 was decryptable unless you are using a specialized function. They are generally 1 way hashes. To check if passwords match you usually take the user entered password from the form and hash it up and check it against the md5/sha1 hash.

        yes,  I use a website that does decryption for you.  just to see what was going on with my code.

 

http://www.md5encryption.com/?mod=decrypt

 

I thought I have this done"To check if passwords match you usually take the user entered password from the form and hash it up and check it against the md5/sha1 hash." its just not working it says invalid password/username combo

[per1os]

The issue could lie within the fact that your mysql server may be setup to seed the hashes a certain way. I would use php functions to hash up the string instead of mysql, as it will be more efficient and less of a toll on your server and see if that helps you out.

[cluce]

The issue could lie within the fact that your mysql server may be setup to seed the hashes a certain way. I would use php functions to hash up the string instead of mysql, as it will be more efficient and less of a toll on your server and see if that helps you out.

can you please elaborate on this? im not sure what yuo mean? I though I was using php functions but I was stoiring it in mySQL in a table in a hash form.  Unless you mean dont store it in the table in a hash form but only when using the passwords in the php script. Is this what you mean??  If so wouldn't that be insecure??

[per1os]

The issue could lie within the fact that your mysql server may be setup to seed the hashes a certain way. I would use php functions to hash up the string instead of mysql, as it will be more efficient and less of a toll on your server and see if that helps you out.

can you please elaborate on this? im not sure what yuo mean? I though I was using php functions but I was stoiring it in mySQL in a table in a hash form.  Unless you mean dont store it in the table in a hash form but only when using the passwords in the php script. Is this what you mean??  If so wouldn't that be insecure??

 

Umm no.

 

www.php.net/md5

www.php.net/sha1

 

PHP has built in functions.

 

Instead of:

<?php
mysql_query("INSERT INTO user (`pass`) VALUES (sha1('$password'));");
?>

 

It would be :

 

<?php
mysql_query("INSERT INTO user (`pass`) VALUES ('" . sha1($password) . "');");
?>

 

That way you use PHP to do the dirty work and not MySQL.

[cluce]

well in another project....... I have a user registration page that registers users passwords in sha1 hash in the table and it works fine. users can login through an sql query that matches the sha1 password just fine. 

I think it may be something to do with the update query and csv file in the loop code. It might be hashing a blank space or something I dont know about???  But I dont know whats going on because the loop code works fine without the sha1 function but the whole purpose of this was for me to store the users(about 300) passwords in a table in hash form.  I did replace my password string with the one in your example and it doesnt work either. 

[per1os]

well in another project....... I have a user registration page that registers users passwords in sha1 hash in the table and it works fine. users can login through an sql query that matches the sha1 password just fine. 

I think it may be something to do with the update query and csv file in the loop code. It might be hashing a blank space or something I dont know about???  But I dont know whats going on because the loop code works fine without the sha1 function but the whole purpose of this was for me to store the users(about 300) passwords in a table in hash form.  I did replace my password string with the one in your example and it doesnt work either. 

 

It may not be able to be decrypted by that function but it will definitely increase your MySQL performance not making MySQL hash up the password. That was the goal.

 

As for decrypting it, I am sure that PHP or MySQL has something setup (or maybe apache?) that adds their own seeds to the hash. If the md5 function or sha1 function have been seeded in a way than that md5encryption site is useless as it can only decrypt hashes that have not been seeded.

 

 

[cluce]

well thanks for the performance tip. as far as the decryption part. I dont know whats going on. I guess I will have to troubleshoot some more later. im punching out for today.

[cluce]

well in another project....... I have a user registration page that registers users passwords in sha1 hash in the table and it works fine. users can login through an sql query that matches the sha1 password just fine. 

I think it may be something to do with the update query and csv file in the loop code. It might be hashing a blank space or something I dont know about???  But I dont know whats going on because the loop code works fine without the sha1 function but the whole purpose of this was for me to store the users(about 300) passwords in a table in hash form.  I did replace my password string with the one in your example and it doesnt work either. 

 

It may not be able to be decrypted by that function but it will definitely increase your MySQL performance not making MySQL hash up the password. That was the goal.

 

As for decrypting it, I am sure that PHP or MySQL has something setup (or maybe apache?) that adds their own seeds to the hash. If the md5 function or sha1 function have been seeded in a way than that md5encryption site is useless as it can only decrypt hashes that have not been seeded.

 

OK I understand all of this.  But can you give me any suggestions why a user can't logon when I use the loop code to import the passwords (in the csv file) through sha1 but they can login when I import the passwords without the sha1 function?? Im lost here???

[per1os]

Are you sha1 the user input to check against the database?

 

<?php
$dbpassword = sha1("testtext");
$password = "testtext";
$sha1_pass = sha1($password);

if ($password == $dbpassword) {
       echo 'This should never happen as regular text is being tested against sha1 encrypted text';
}elseif ($sha1_pass == $dbpassword) {
       echo 'This should work as you are testing an sha1 hashed password vs another sha1 hashed password';
}
?>

 

As an example.

[redarrow]

if you dont post with md5 or sha1 then they wont get in will they try it.

[cluce]

well this what ive used in the past for login and it worked. but this was done with a registration page and the sha1 was in an insert statement through a POST method.

 

Now im using an UPDATE statement in a loop to read a csv file to update their passwords to sha1..if this makes a difference???

//connect to database
include'db.php';

//trims and strips tags and escapes fields
$checkuser = trim(strip_tags($_POST['username']));
$checkpassword = trim(strip_tags($_POST['password']));

mysqli_real_escape_string($mysqli,$checkuser);
$_SESSION['password'] = mysqli_real_escape_string($mysqli,$checkpassword);

//create and issue the query
$sql = "SELECT username, f_name, l_name FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword') LIMIT 1";
$result = mysqli_query($mysqli, $sql);

I am trying some alternatives right now.

[xyn]

Ok, another thing you could try is this function;

Basically using MD5 and SHA1. it will set passwords

as a unique ID. which means, Not only will bots who

match md5 strings fail to do so.

 

identical passwords will look completely different.

 

<?php

define('SALT_LENGTH', 9);

function genHash($Text, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $Text);
}

?>

 

Finally to use this.

 

Set a password hash by:  genHash($password);

Check/Match a hask    :  genHash($password, 1);

[cluce]

"Ok, another thing you could try is this function;

Basically using MD5 and SHA1. it will set passwords

as a unique ID. which means, Not only will bots who

match md5 strings fail to do so."

.......thankks for the SALT code but I dont think this will solve my problem. which the user can't logon when I use the loop code to import the passwords (in the csv file) through sha1 but when I import the passwords without the sha1 function it works?? Im lost here??? And I am matching the passwords [password input]sha1()=[database password]sha1()

 

[cluce]

I solved this. All needed to do was change my varchar type to 50 so it can handle the hash in the table properly. thats why I couldnt decrypt at that site it or logon. thx for your help. I learned alot and still do in this forum  

[Yesideez]

MD5 is always 32 chars - why 50?

[per1os]

I think SHA1 is different.

[Yesideez]

SHA1 appears to be 40 characters although I've never used it and don't know if SHA1 varies in length.

[cluce]

I am sure 32 works. its just a habit. I never thought to much about it. I just used 50 for mostly everything.  I will probably change it. yes, I think sha1 might be 64 or somehting I will look it up.