php - Logging in issues with salt and hash -
on registration page have used sha1 has , salt store passwords in database. think have done correctly when check database has salt included. how have done it.
$newpassword = $_post['password'] ; if (!empty($newpassword)) { //escape bad characters //$newuser = mysql_real_escape_string($newuser); //remove leading , trailing whitespace $newpassword = trim($newpassword); $newpassword = sha1($newpassword); $salt = '-45dfehk/__yu349@-/klf21-1_\/4jkup/4'; } else die ("error: enter password"); and input is
$query = "insert members (memberfirstname, membersecondname, memberemailaddress, memberpassword, memberaddress, memberpostcode) values ('$newfirstname', '$newsecondname', '$newemailaddress', '$newpassword$salt', '$newaddress', '$newpostcode')"; my problem lays when try login. im unsure on how remove salt , unhash password (if needs done). can enter email address , paste hash , salt password field , can login.
this script log in.
<?php include 'db.inc'; session_start(); $useremail =$_post["emailaddress"]; $userpassword =$_post["password"]; $query = "select * members memberemailaddress = '$useremail' , memberpassword = '$userpassword' "; $connection = mysql_connect($hostname, $username, $password) or die ("unable connect!"); mysql_select_db($databasename) or die ("unable select database!"); $result = mysql_query($query) or die ("error in query: $query. ".mysql_error()); // see if rows returned if (mysql_num_rows($result) > 0) { $_session["authenticateduser"] = $useremail; // relocate logged-in page header("location: index.php"); } else { $_session["message"] = "could not connect log in $useremail " ; header("location: login.php"); } mysql_free_result($result); mysql_close($connection); ?>
there several problems approach. first don't use salt @ all, stored not used. second salt should unique each password, in case static salt used, pepper not salt. further use fast hash algorithm, can brute-forced ways fast, instead should switch hash algorithm cost factor bcrypt or pbkdf2.
php has function hash passwords (maybe need compatibility pack):
// hash new password storing in database. // function automatically generates cryptographically safe salt. $hashtostoreindb = password_hash($password, password_bcrypt); // check if hash of entered login password, matches stored hash. // salt , cost factor extracted $existinghashfromdb. $ispasswordcorrect = password_verify($password, $existinghashfromdb); because function generates safe salt on own , attaches resulting hash-value, cannot check password sql directly. instead query stored hash (by username), can verify entered password stored one. wrote tutorial tried explain important points more indepth.
Comments
Post a Comment