Technex Posted July 18, 2007

Hey guys, I've been updating my site's security and I've found a strange error.

My login script uses this:

    $db_password = hash('sha512','$password');

Which works, but for some reason when checking against the MySQL database it cuts off the encrypted password because it's too long I guess?

    $login = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '$db_password'");

It's set full from register

    $db_regpassword = hash('sha512','$regpassword');

and is correct in the MySQL database. It just cuts it off too short when a user goes to log in. I echo'ed db_password and found out that way. I also echo'ed the password to find out what it should be using this:

    $findoutthepass = hash('sha512', 'test1');
    echo $findoutthepass;

Thanks - Technex.

lewis987 Posted July 18, 2007

Well, why not try SHA256 or SHA128? I don't think it is because it is too long, and make sure that your database table is long enough to contain all characters. I'll try on my own server to see where your problem lies.

Technex Posted July 18, 2007

Because sha512 is more secure and also it should work. Thank you very much.

pocobueno1388 Posted July 18, 2007

Do you have the field that stores the password set to 40 characters? That is how long the Sha1 hash is, so if you don't, then it is cutting it off and you need to set it to 40 chars.

Technex Posted July 18, 2007

> Do you have the field that stores the password set to 40 characters? That is how long the Sha1 hash is, so if you don't, then it is cutting it off and you need to set it to 40 chars.

Yep, it shows up correct in MySQL. Same as my echo'ed "test1" encryption. It's VARCHAR and set to a very large number like 50000 to make sure it's not the limit.

lewis987 Posted July 18, 2007

Here is my code for a VERY basic login script:

    <?PHP
    //Fill with your own data
    $dbhost = "";
    $dbuser = "";
    $dbpass = "";
    $dbname = "";
    $user_tbl = "";

    mysql_connect($dbhost,$dbuser,$dbpass) or die (mysql_error());
    mysql_select_db($dbname) or die(mysql_error());

    if(isset($_POST['login'])){
        $pass = hash('sha512',$_POST['pass']);
        // Escape the username before it goes into the query string
        $user = mysql_real_escape_string($_POST['user']);
        $sql = "SELECT * FROM $user_tbl WHERE username = '$user' AND password = '$pass'";
        $query = mysql_query($sql);
        if(mysql_num_rows($query) != 1){
            echo "User not found";
        } else {
            echo "User Found!";
        }
    } else {
    ?>
    <form action="" method="post">
    <input name="user" type="text" />
    <input name="pass" type="password" />
    <input name="login" type="submit" />
    </form>
    <?PHP
    }
    mysql_close();
    ?>

Technex Posted July 19, 2007

Thanks lewis, sorry for going offline earlier, I forgot my laptop was on.

Well, I've been messing around and I'm 90% sure it's PHP that's not sending the whole password...

Okay, if I do this it works fine.

    $db_password = hash('sha512','test1');

That proves that it's not encrypting the password from the form, right?

It works if I do this:

    $db_password = hash('sha512',$_POST['password']);

But that's a security risk. I want to be able to do this:

    $password = ''; // Blank out the password
    if(isset ($_POST['password']) && $_POST['password'] != '') // If it's posted
        $password = $_POST['password']; // Get pass from form
    $password = mysql_real_escape_string($password); // Remove all bad stuff from form

Help please.

Technex Posted July 19, 2007

Bump, please guys.

Technex Posted July 19, 2007

Like really, thanks. Please.

lewis987 Posted July 19, 2007

Well, can you post or send me the code? I'll take a look over it.

pocobueno1388 Posted July 19, 2007

Just do something like this:

    <?php
    if (isset($_POST['submit_form'])){
        if (isset($_POST['password'])){
            $password = mysql_real_escape_string($_POST['password']);
            $password = hash('sha512','$password');
        }
    }
    ?>

Now your password is okay to put into the database. Also, set the password field in your database to int(40).

lewis987 Posted July 19, 2007

Sorry to say this pocobueno1388, but SHA512 is 128 characters long, and is alpha-numeric. Just to tell ya.

pocobueno1388 Posted July 19, 2007

Oops, I was reading about Sha1 in the PHP manual, sorry.

So is the problem still that it is cutting off some of the password when you insert it into the database? Can you post your code?

Technex Posted July 19, 2007

Yeah, INT is number only, right? And the string is 128 when correctly entered in MySQL.

    $password = '';
    if(isset ($_POST['password']) && $_POST['password'] != '')
        $password = $_POST['password']; // Get pass from form
    $password = mysql_real_escape_string($password); // (doesn't work with this removed)
    $password = hash('sha512','$password');

That's the same as what you've posted.

pocobueno1388 Posted July 19, 2007

> And the string is 128 when correctly entered in MySQL.

So you have got it to work at one point? I don't understand what the current problem is...what do you want us to help you with? I'm assuming that it is still cutting the password off...

Post your entire code. The form, the query where you insert the password, everything.

Technex Posted July 19, 2007

> > And the string is 128 when correctly entered in MySQL.
>
> So you have got it to work at one point? I don't understand what the current problem is...what do you want us to help you with? I'm assuming that it is still cutting the password off...
>
> Post your entire code. The form, the query where you insert the password, everything.

I've already told you the problem, besides my site's down atm.

It just cuts it off too short when a user goes to log in. I echo'ed db_password and found out that way. I also echo'ed the password to find out what it should be using this:

    $findoutthepass = hash('sha512', 'test1');
    echo $findoutthepass;

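Added example, not code from any poster in this thread: PHP does not expand variables inside single quotes, so hash('sha512','$password') as posted above digests the literal text $password rather than the submitted value, and a hex digest never needs escaping. The second half does the same login with password_hash()/password_verify() and a bound parameter; the in-memory SQLite table (needs the pdo_sqlite extension), the function names and the sample credentials are assumptions made so the block runs on its own.

```php
<?php
// Added example: sample values are constructed; table and function names are hypothetical.

// Single quotes pass the literal text $password to hash(); the variable is never read.
$password = 'test1';                       // constructed sample input
$literal  = hash('sha512', '$password');   // digest of the nine characters "$password"
$actual   = hash('sha512', $password);     // digest of the submitted value
var_dump(hash_equals($literal, $actual));  // compares the two hex digests
var_dump(strlen($actual));                 // length of a hex-encoded SHA-512 digest

// Assumption: an in-memory SQLite table stands in for the MySQL users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() adds a per-user salt and a work factor. Hash the raw input:
    // an escaped copy would produce a different hash for passwords containing quotes.
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The bound parameter keeps the username out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();        // false when no row matches
    return is_string($stored) && password_verify($password, $stored);
}

register_user($pdo, "o'brien", "te'st1");            // quotes need no special handling
var_dump(check_login($pdo, "o'brien", "te'st1"));    // correct password
var_dump(check_login($pdo, "o'brien", 'test1'));     // wrong password
var_dump(check_login($pdo, 'nobody', "te'st1"));     // unknown user
```

The PHP manual recommends a 255-character column for password_hash() output, since the stored format can grow when the default algorithm changes.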