
problems with SHA1 and a register/login file.


ZimmerX


Hey, I am getting a couple of errors with a register/login file for a site.

 

Apache version 1.3.39 (Unix)

PHP version 5.2.4

MySQL version 5.0.27-standard

 

The problems are the following:

I added the SHA1 encryption for the passwords, but now, even though it encrypts, the email column in the MySQL database does not appear. Meaning there must be another way to encrypt the password properly in the file.

Second problem is that the file keeps inserting blank columns into the table of USERS - i.e. without any information - so instead of telling me exactly how many users I have, it has like an extra 50 rows of blank info. So something is wrong on the insertion.

I have realised that this file has been pretty weirdly coded. So if someone could help me iron out these 2 large errors, I would be forever grateful.

 

Here is the code

<?
require_once("core/mailer.php");

class module extends controller {

    var $params = array("act");
    var $isNeedMysql = true;


    function createAnonymus() {
        $this->db->query("INSERT INTO "._DB_TABLE_PREFIX."users (email, password) VALUES ('','')");
        return $this->db->getLastId();
    }                                                                                


    function run() {
        $user_id = isset($_REQUEST['user_id']) ? getSafeStr($_REQUEST['user_id']) : null;
        $email = isset($_REQUEST['email']) ? getSafeStr($_REQUEST['email']) : null;
        $password = isset($_REQUEST['password']) ? getSafeStr($_REQUEST['password']) : null;
        $password = sha1($password);

        switch($this->act) {
            case "start_anonymus":
                if($user_id) {
                    $res = $this->db->query("SELECT id FROM "._DB_TABLE_PREFIX."users WHERE id = '".$user_id."' AND email = '' AND password = '' LIMIT 1");
                    if($res) {
                        $res_id = $res["id"];
                    } else {
                        $res_id = $this->createAnonymus();
                    }
                } else {
                    $res_id = $this->createAnonymus();
                }
                $_SESSION['user_id'] = $res_id;
                return array("status" => "start_result", 
                             "user" => array("id" => $res_id, 
                                             "email" => "", 
                                             "password" => ""));
                break;



            case "start_user":
                if($email && $password) {
                    if($res = $this->db->query("SELECT id FROM "._DB_TABLE_PREFIX."users WHERE email='".$email."' AND password='".$password."' LIMIT 1")) {
                        $_SESSION['user_id'] = $res["id"];
                        return array("status" => "start_result", 
                                     "user" => array("id" => $res["id"], 
                                                     "email" => $email, 
                                                     "password" => $password ) );
                    } 
                }
                $res_id = $this->createAnonymus();
                $_SESSION['user_id'] = $res_id;
                return array("status" => "start_result", 
                             "user" => array("id" => $res_id, 
                                             "email" => "", 
                                             "password" => ""));
                break;



            case "login_user":
                if(!$email || !$password) {
                    return false;
                }
                $sql = "
                    SELECT 
                        id, email
                    FROM 
                        "._DB_TABLE_PREFIX."users 
                    WHERE 
                        email='".$email."' AND password='".$password."' 
                    LIMIT 1";
                $res = $this->db->query($sql);
                if(isset($res["id"])) {
                    $_SESSION['user_id'] = $res["id"];
                    return array("status" => "login_ok", 
                                 "user" => array("id" => $res["id"], 
                                                 "email"=>$email, 
                                                 "password"=>$password ) );
                } else {
                    return array("status" => "login_error");
                }
                break;



            case "register_user":
                if(!$email || !$password) {
                    return false;
                }
                $sql = "
                    SELECT 
                        id, email, password
                    FROM
                        "._DB_TABLE_PREFIX."users
                    WHERE
                        email='".$email."'
                    LIMIT 1";
                $res = $this->db->query($sql);
                if(isset($res["id"])) {
                    return array("status" => "register_error");
                } else {
                    $sql = "
                        UPDATE 
                            "._DB_TABLE_PREFIX."users 
                        SET 
                            email = '".$email."', 
                            password = '".$password."' 
                        WHERE 
                            id = '".$this->user_id."'
                        LIMIT 1";

                    $this->db->query($sql);

                    $m = new Mailer;
                    $m->email = $email;
                    $m->pwd = $password;
                    $m->server = $_SERVER["SERVER_NAME"];
                    $m->compose("templates/mail/registration");
                    $m->send($email);

                    return array("status" => "register_ok", 
                                 "user" => array("id" => $this->user_id, 
                                                 "email" => $email, 
                                                 "password" => $password) );
                }
                break;


            case "logout":
                session_destroy();
                return array("status" => "logout_ok");                
                break;


            case "remind_pwd":
                if($email) {
                    $sql = "
                        SELECT
                            id, password
                        FROM
                            "._DB_TABLE_PREFIX."users
                        WHERE
                            email='".$email."'
                        LIMIT 1";

                    $res = $this->db->query($sql);
                    if(isset($res["id"])) {
                        $m = new Mailer;
                        $m->pwd = $res["password"];
                        $m->compose("templates/mail/password_recovery");
                        $m->send($email);
                    }
                }
                return array("status" => "pwd_sent");
                break;
        }
    }

}
?>

 

As you can see, I have tried to insert the encryption for the passwords, but this method worked so far as to encrypt the password but not to identify the email.

 

Thanks a lot.

Link to comment
Share on other sites

Try setting the columns to not null and make sure no default value is set.

This should fix your problem with blank values being inserted.

 

Also, you really shouldn't be storing the e-mails as a hash unless you don't mind not being able to e-mail them. The whole point of storing a hash of something is to make it impossible (or at least very hard) to ever find out what it is.

 

Also note that SHA1 is a hashing algorithm, which has nothing whatsoever to do with encryption; when you encrypt data, you can later decrypt it.

Link to comment
Share on other sites

Thanks for the first bit of input.

As for your second comment, I never wanted to hash emails. If you look a bit further down the code, you will see that I am trying to hash the password. Not the email. But with the code I added in to hash the password, the email row in the table does not register properly when someone registers - i.e. the "email" row is blank while the password is encrypted successfully.

Link to comment
Share on other sites

Also, I have noticed that this is not how it should be

                } else {
                    $sql = "
                        UPDATE
                            "._DB_TABLE_PREFIX."users
                        SET
                            email = '".$email."',
                            password = '".$password."'
                        WHERE
                            id = '".$this->user_id."'
                        LIMIT 1";

Instead of UPDATE, it should be INSERT. Right? If I changed this, would anything actually happen?

Link to comment
Share on other sites

The code you posted

                        UPDATE
                            "._DB_TABLE_PREFIX."users
                        SET
                            email = '".$email."',
                            password = '".$password."'
                        WHERE
                            id = '".$this->user_id."'
                        LIMIT 1";

is NOT for inserting values. It is for updating them. Try replacing the word "update" with "insert" and see for yourself. It will error out.

Link to comment
Share on other sites

Ok. Now it isn't working.

This is what I did:

I created a new column in MySQL, named "sha_password".

I copied the values from the column Password over to sha_password and hashed them.

Now, this is the PHP code

<?
require_once("core/mailer.php");

class module extends controller {

    var $params = array("act");
    var $isNeedMysql = true;


    function createAnonymus() {
        $this->db->query("INSERT INTO "._DB_TABLE_PREFIX."users (email, sha_password) VALUES ('','')");
        return $this->db->getLastId();
    }                                                                                


    function run() {
        $user_id = isset($_REQUEST['user_id']) ? getSafeStr($_REQUEST['user_id']) : null;
        $email = isset($_REQUEST['email']) ? getSafeStr($_REQUEST['email']) : null;
        $password = isset($_REQUEST['password']) ? getSafeStr($_REQUEST['password']) : null;
        $password = sha1($password);


        switch($this->act) {
            case "start_anonymus":
                if($user_id) {
                    $res = $this->db->query("SELECT id FROM "._DB_TABLE_PREFIX."users WHERE id = '".$user_id."' AND email = '' AND sha_password = '' LIMIT 1");
                    if($res) {
                        $res_id = $res["id"];
                    } else {
                        $res_id = $this->createAnonymus();
                    }
                } else {
                    $res_id = $this->createAnonymus();
                }
                $_SESSION['user_id'] = $res_id;
                return array("status" => "start_result", 
                             "user" => array("id" => $res_id, 
                                             "email" => "", 
                                             "sha_password" => ""));
                break;



            case "start_user":
                if($email && $password) {
                    if($res = $this->db->query("SELECT id FROM "._DB_TABLE_PREFIX."users WHERE email='".$email."' AND sha_password='".$password."' LIMIT 1")) {
                        $_SESSION['user_id'] = $res["id"];
                        return array("status" => "start_result", 
                                     "user" => array("id" => $res["id"], 
                                                     "email" => $email, 
                                                     "sha_password" => $password ) );
                    } 
                }
                $res_id = $this->createAnonymus();
                $_SESSION['user_id'] = $res_id;
                return array("status" => "start_result", 
                             "user" => array("id" => $res_id, 
                                             "email" => "", 
                                             "sha_password" => ""));
                break;



            case "login_user":
                if(!$email || !$password) {
                    return false;
                }
                $sql = "
                    SELECT 
                        id, email
                    FROM 
                        "._DB_TABLE_PREFIX."users 
                    WHERE 
                        email='".$email."' AND sha_password='".$password."' 
                    LIMIT 1";
                $res = $this->db->query($sql);
                if(isset($res["id"])) {
                    $_SESSION['user_id'] = $res["id"];
                    return array("status" => "login_ok", 
                                 "user" => array("id" => $res["id"], 
                                                 "email"=>$email, 
                                                 "sha_password"=>$password ) );
                } else {
                    return array("status" => "login_error");
                }
                break;



            case "register_user":
                if(!$email || !$password) {
                    return false;
                }
                $sql = "
                    SELECT 
                        id, email, sha_password
                    FROM
                        "._DB_TABLE_PREFIX."users
                    WHERE
                        email='".$email."'
                    LIMIT 1";
                $res = $this->db->query($sql);
                if(isset($res["id"])) {
                    return array("status" => "register_error");
                } else {
                    $sql = "
                        UPDATE 
                            "._DB_TABLE_PREFIX."users 
                        SET 
                            email = '".$email."', 
                            sha_password = '".$password."' 
                        WHERE 
                            id = '".$this->user_id."'
                        LIMIT 1";

                    $this->db->query($sql);

                    $m = new Mailer;
                    $m->email = $email;
                    $m->pwd = $password;
                    $m->server = $_SERVER["SERVER_NAME"];
                    $m->compose("templates/mail/registration");
                    $m->send($email);

                    return array("status" => "register_ok", 
                                 "user" => array("id" => $this->user_id, 
                                                 "email" => $email, 
                                                 "sha_password" => $password) );
                }
                break;


            case "logout":
                session_destroy();
                return array("status" => "logout_ok");                
                break;


            case "remind_pwd":
                if($email) {
                    $sql = "
                        SELECT
                            id, sha_password
                        FROM
                            "._DB_TABLE_PREFIX."users
                        WHERE
                            email='".$email."'
                        LIMIT 1";

                    $res = $this->db->query($sql);
                    if(isset($res["id"])) {
                        $m = new Mailer;
                        $m->pwd = $res["password"];
                        $m->compose("templates/mail/password_recovery");
                        $m->send($email);
                    }
                }
                return array("status" => "pwd_sent");
                break;
        }
    }

}
?>

 

That SHOULD WORK. I changed all the MySQL column values from password to sha_password. So tell me, why is it not working?

 

The code I used in MySQL was the following

UPDATE users SET sha_password = SHA1(password) WHERE 1 = 1

After creating the new column (originally got from here: http://www.phpfreaks.com/forums/index.php/topic,168839.msg744667.html)

All the MySQL worked, but the PHP doesn't.

 

I log in with the correct details, and it loads the page, but I am signed out again. I tested to see if the user was the problem, but it wasn't because it correctly detects if the user exists or not. I don't understand where I have gone wrong. :(

Link to comment
Share on other sites
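
Added example (not part of the thread and not any poster's code): the same register/login flow, checking the raw password before hashing, storing a salted hash with PHP's password_hash() instead of bare sha1(), and using prepared statements. It assumes PHP 5.5 or later with pdo_sqlite; the in-memory table stands in for the MySQL users table, and the function names and the password_hash column are hypothetical.

```php
<?php
// Added example, not the thread's code. Assumes PHP >= 5.5 with pdo_sqlite; the
// in-memory table stands in for the MySQL "users" table, and the function names
// and the password_hash column are hypothetical.

// sha1() of a missing password is still a non-empty 40-character string, so a
// "!$password" guard placed after hashing never fires. Validate the raw input.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL DEFAULT '',
    password_hash TEXT NOT NULL DEFAULT '')");

function createAnonymous(PDO $db) {
    $db->exec("INSERT INTO users (email, password_hash) VALUES ('', '')");
    return (int) $db->lastInsertId();
}

// Claim the anonymous row for a real account, as the thread's UPDATE does.
function registerUser(PDO $db, $userId, $email, $password) {
    if ((string) $email === '' || (string) $password === '') {
        return false;                    // check the raw values, before hashing
    }
    $taken = $db->prepare('SELECT id FROM users WHERE email = ?');
    $taken->execute(array($email));
    if ($taken->fetch()) {
        return false;                    // e-mail already registered
    }
    $upd = $db->prepare(
        "UPDATE users SET email = ?, password_hash = ? WHERE id = ? AND email = ''");
    $upd->execute(array($email, password_hash($password, PASSWORD_DEFAULT), $userId));
    return $upd->rowCount() === 1;
}

// Fetch by e-mail only and compare in PHP: a salted hash differs on every call,
// so it cannot be matched inside the WHERE clause the way sha1() output was.
function loginUser(PDO $db, $email, $password) {
    if ((string) $email === '' || (string) $password === '') {
        return false;                    // never matches the blank anonymous rows
    }
    $sel = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $sel->execute(array($email));
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];         // return the id only, never the hash
    }
    return false;
}

$id = createAnonymous($db);
var_dump(registerUser($db, $id, 'user@example.test', 'constructed-sample-pw'));
var_dump(loginUser($db, 'user@example.test', 'constructed-sample-pw') === $id);
var_dump(loginUser($db, 'user@example.test', 'wrong-password'));
var_dump(loginUser($db, '', ''));
```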
