AdRock Posted September 3, 2007

I have been trying to find a secure login script example and have come across one, http://www.olate.co.uk/articles/185, which looks better than others I have found. The thing is that I created my user table ages ago, and now there is an extra field called salt. I can add an extra field, but the passwords that are already stored in the database are just using md5, whereas this article uses the md5 of the password combined with the salt and md5'd again.

// Salt generator
function generate_salt() {
    // Declare $salt
    $salt = '';
    // And create it with random chars
    for ($i = 0; $i < 3; $i++) {
        $salt .= chr(rand(35, 126));
    }
    return $salt;
}

function user_register($username, $password) {
    // Get a salt using our function
    $salt = generate_salt();
    // Now encrypt the password using that salt
    $encrypted = md5(md5($password) . $salt);
    // Escape the values before they are interpolated into the query
    $safe_username = mysql_real_escape_string($username);
    $safe_salt = mysql_real_escape_string($salt);
    // And lastly, store the information in the database
    $query = "insert into user (username, password, salt) values ('$safe_username', '$encrypted', '$safe_salt')";
    mysql_query($query) or die('Could not create user.');
}

Because I don't know what the users' passwords are, is there any way I can do what is mentioned here in the functions using the md5 password that is already stored in the database?

This is because of the login function:

function user_login($username, $password) {
    $safe_username = mysql_real_escape_string($username);
    // Try and get the salt from the database using the username
    $query = "select salt from user where username='$safe_username' limit 1";
    $result = mysql_query($query);
    $user = mysql_fetch_array($result);
    if (!$user) {
        // Unknown username
        return false;
    }
    // Using the salt, encrypt the given password to see if it
    // matches the one in the database
    $encrypted_pass = md5(md5($password) . $user['salt']);
    // Try and get the user using the username & encrypted pass
    $query = "select userid, username from user where username='$safe_username' and password='$encrypted_pass'";
    $result = mysql_query($query);
    $numrows = mysql_num_rows($result);
    if ($numrows != 1) {
        return false;
    }
    $user = mysql_fetch_array($result);
    // Now encrypt the data to be stored in the session
    $encrypted_id = md5($user['userid']);
    $encrypted_name = md5($user['username']);
    // Store the data in the session (the fetched row supplies the id and name)
    $_SESSION['userid'] = $user['userid'];
    $_SESSION['username'] = $user['username'];
    $_SESSION['encrypted_id'] = $encrypted_id;
    $_SESSION['encrypted_name'] = $encrypted_name;
    return 'Correct';
}

I understand the reason for this is that if the sessions are altered by somebody, they won't be allowed access to unauthorised areas.
Azu Posted September 3, 2007

Maybe alter your script to not use a salt if the salt field is empty in the database.
AdRock Posted September 3, 2007 (Author)

I was just trying things out, and I wrote this to see if I could get the md5 password out of the database and add the salt value to it, which all works perfectly.

<?php
include("init.php");
$salt = generate_salt();
$sql = mysql_query("SELECT * FROM users WHERE username='AdRock'");
while ($row = mysql_fetch_array($sql)) {
    // The existing md5 hash of the user's password
    $password = $row['password'];
    // Hash it again with the new salt
    $encrypted = md5($password . $salt);
    if (mysql_query("UPDATE 'users' SET 'password'='$encrypted', 'salt'='$salt' WHERE username='AdRock'")) {
        echo "done";
    } else {
        echo "not done";
    }
}
?>

The thing is, when I try to update the database it echoes 'not done'. Is there something wrong with my SQL syntax, or is it because the field called salt is a CHAR(3) field instead of a VARCHAR(3)? I did try changing the field type, but it always goes back to CHAR.
dbo Posted September 3, 2007

UPDATE `users` SET `password`='$encrypted', `salt`='$salt' WHERE `username`='AdRock'
Azu Posted September 3, 2007

Oh, you can salt an md5 that has already been generated? Cool.
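An added example, not code from the thread or from the olate.co.uk article: it puts together the migration AdRock attempted (upgrading a stored md5($password) to md5(md5($password) . $salt) without knowing the password) and the empty-salt fallback Azu suggested, so users log in before and after migration. It uses PDO with prepared statements and an in-memory SQLite database so it runs offline; the DSN and the users(userid, username, password, salt) schema are assumptions, and the constructed demo row at the bottom is not real data. Point the DSN at your MySQL server for actual use.

```php
<?php
// Migrate legacy md5 rows to the salted scheme and log in against either form.
// Assumed schema: users(userid, username, password, salt). Demo DSN is SQLite.

function generate_salt(): string {
    // Same shape as the article's salt (3 printable chars), but drawn from
    // random_int() instead of rand(). chr(35..126) can yield ' or \, which is
    // harmless here because every value goes through a prepared statement.
    $salt = '';
    for ($i = 0; $i < 3; $i++) {
        $salt .= chr(random_int(35, 126));
    }
    return $salt;
}

function migrate_unsalted_users(PDO $db): int {
    // A stored md5($password) can be upgraded without the password:
    // md5(old_hash . salt) is exactly md5(md5($password) . $salt).
    // Identifiers are quoted with backticks; '...' would make them strings.
    $rows = $db->query(
        "SELECT `userid`, `password` FROM `users` WHERE `salt` = '' OR `salt` IS NULL"
    )->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare(
        "UPDATE `users` SET `password` = :pw, `salt` = :salt WHERE `userid` = :id"
    );
    foreach ($rows as $row) {
        $salt = generate_salt();
        $update->execute([
            ':pw'   => md5($row['password'] . $salt),
            ':salt' => $salt,
            ':id'   => $row['userid'],
        ]);
    }
    return count($rows);
}

function user_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare(
        "SELECT `password`, `salt` FROM `users` WHERE `username` = :u LIMIT 1"
    );
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false; // unknown username
    }
    // Rows not yet migrated have an empty salt: compare against plain md5
    // for them; migrated rows use the salted form.
    $expected = ($user['salt'] === null || $user['salt'] === '')
        ? md5($password)
        : md5(md5($password) . $user['salt']);
    // Constant-time comparison of the two hex strings
    return hash_equals($user['password'], $expected);
}

// Demo with a constructed legacy row (not real credentials)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `users` (`userid` INTEGER PRIMARY KEY, `username` TEXT, `password` TEXT, `salt` CHAR(3))");
$ins = $db->prepare("INSERT INTO `users` (`username`, `password`, `salt`) VALUES (:u, :p, '')");
$ins->execute([':u' => 'AdRock', ':p' => md5('example-pass')]);

var_dump(user_login($db, 'AdRock', 'example-pass')); // legacy path
echo migrate_unsalted_users($db), " row(s) migrated\n";
var_dump(user_login($db, 'AdRock', 'example-pass')); // salted path
var_dump(user_login($db, 'AdRock', 'wrong-pass'));
```

Two caveats from the thread itself. The "not done" in AdRock's script comes from the single-quoted identifiers in the UPDATE (dbo's backtick version is the fix), not from the column type: a CHAR(3) holds the three-character salt fine, and older MySQL versions silently turned VARCHAR shorter than four characters into CHAR, which is why the type appeared to revert. Second, the salt characters the article generates include quote and backslash characters, so with string-interpolated queries a salt like `'ab` breaks the SQL; prepared statements (or escaping every value, as above) sidestep that.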