
hash('sha512','$password'); too large to select in MySQL?


Technex


Hey guys I've been updating my site's security and I've found a strange error.

 

My login script uses this:

 

$db_password = hash('sha512','$password');

 

Which works, but for some reason when checking against the MySQL database it cuts off the encrypted password because it's too long, I guess?

 

$login = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$db_password'");

 

It's set full from register $db_regpassword = hash('sha512','$regpassword'); and is correct in the MySQL database. It just cuts it off too short when a user goes to log in.

 

I echo'ed db_password and found out that way.

 

I also echo'ed the password to find out what it should be using this:

 

$findoutthepass= hash('sha512','test1');

echo $findoutthepass;

 

Thanks - Technex.


Do you have the field that stores the password set to 40 characters? That is how long the Sha1 hash is, so if you don't, then it is cutting it off and you need to set it to 40 chars.

 

Yep it shows up correct in MySQL. Same as my echo'ed "test1" encryption. It's VARCHAR and set to a very large number like 50000 to make sure it's not the limit.


here is my code for a VERY basic login script:

<?PHP
// Fill with your own data
$dbhost = "";
$dbuser = "";
$dbpass = "";
$dbname = "";
$user_tbl = "";

mysql_connect($dbhost,$dbuser,$dbpass) or die (mysql_error());
mysql_select_db($dbname) or die(mysql_error());

// isset() avoids an undefined-index notice when the form has not been submitted
if(isset($_POST['login'])){
	// Hash the raw submitted password; the hex digest is safe to place in the query
	$pass = hash('sha512',$_POST['pass']);
	// Escape the username before it is interpolated into the SQL string
	$user = mysql_real_escape_string($_POST['user']);
	$sql = "SELECT * FROM $user_tbl WHERE username = '$user' AND password = '$pass'";
	$query = mysql_query($sql);
	if(mysql_num_rows($query) != 1){
		echo "User not found";
	} else {
		echo "User Found!";
	}
}
else
{
?>
<form action="" method="post">
<input name="user" type="text" />
<input name="pass" type="password" />
<input name="login" type="submit" />
</form>
<?PHP
}
mysql_close();
?>


Thanks lewis, sorry for going offline earlier I forgot my laptop was on :o.

 

Well I've been messing around and I'm 90% sure it's PHP that's not sending the whole password...

 

Okay if I do this it works fine.

 

$db_password = hash('sha512','test1');

 

That proves that it's not encrypting the password from the form right?

 

It works if I do this:

 

$db_password = hash('sha512',$_POST['password']);

 

But that's a security risk. I want to be able to do this:

 

$password = ''; // Blank out the password

if(isset ($_POST['password']) && $_POST['password'] != '') // If they're posted
$password = $_POST['password']; // Get pass from form

$password = mysql_real_escape_string($password); // Remove all bad stuff from form

 

Help please :).


Just do something like this:

 

<?php

if (isset($_POST['submit_form'])){
   if (isset($_POST['password'])){
      $password = mysql_real_escape_string($_POST['password']);
      $password = hash('sha512','$password');
   }
}

?>

 

Now your password is okay to put into the database. Also, set the password field in your database to int(40).

 

 

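Added example, not part of any post in this thread: PHP does not interpolate variables inside single-quoted strings, so hash('sha512','$password') hashes the literal text $password instead of the submitted value. The sketch below shows that difference, then a login check that swaps the thread's mysql_* calls and bare SHA-512 for PDO prepared statements and password_hash()/password_verify(). The in-memory SQLite table (needs the pdo_sqlite extension), the function names and the sample credentials are assumptions constructed for the demonstration.

```php
<?php
// Added example; credentials and table are constructed for the demonstration.
$password = 'test1';
$expected = hash('sha512', 'test1');

// Single quotes: no interpolation, so this hashes the nine characters "$password".
$literal = hash('sha512', '$password');
// Passing the variable itself hashes the submitted value.
$actual = hash('sha512', $password);

printf("single-quoted form matches: %s\n", var_export($literal === $expected, true));
printf("variable form matches:      %s\n", var_export($actual === $expected, true));
printf("hex digest length:          %d\n", strlen($actual));

// Constructed in-memory user table standing in for the MySQL one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function register(PDO $pdo, string $username, string $password): void
{
    // password_hash() salts and stretches; give the column room (e.g. 255 chars).
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Look the row up by username only. Bound parameters need no manual
    // escaping, and the raw password is never altered before verification.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && password_verify($password, $stored);
}

// A password containing a quote survives unchanged because nothing escapes it.
register($pdo, 'demo_user', "it's test1");
var_dump(login($pdo, 'demo_user', "it's test1"));
var_dump(login($pdo, 'demo_user', 'test1'));
var_dump(login($pdo, 'no_such_user', "it's test1"));
```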

Yeah INT is number only right? And the string is 128 when correctly entered in MySQL.

 

$password = '';

 

if(isset ($_POST['password']) && $_POST['password'] != '')

$password = $_POST['password']; // Get pass from form

$password = mysql_real_escape_string($password); // (doesn't work with this removed)

 

$password = hash('sha512','$password');

 

That's the same as what you've posted.


And the string is 128 when correctly entered in MySQL.

 

So you have got it to work at one point? I don't understand what the current problem is...what do you want us to help you with? I'm assuming that it is still cutting the password off...

 

Post your entire code. The form, the query where you insert the password, everything.


And the string is 128 when correctly entered in MySQL.

 

So you have got it to work at one point? I don't understand what the current problem is...what do you want us to help you with? I'm assuming that it is still cutting the password off...

 

Post your entire code. The form, the query where you insert the password, everything.

 

I've already told you the problem, besides my site's down atm.

 

It just cuts it off too short when a user goes to log in.

 

I echo'ed db_password and found out that way.

 

I also echo'ed the password to find out what it should be using this:

 

$findoutthepass= hash('sha512','test1');

echo $findoutthepass;

 

