php - Logging in issues with salt and hash -

-

on registration page have used sha1 has , salt store passwords in database. think have done correctly when check database has salt included. how have done it.

$newpassword = $_post['password'] ;   if (!empty($newpassword)) {   //escape bad characters   //$newuser = mysql_real_escape_string($newuser);   //remove leading , trailing whitespace   $newpassword = trim($newpassword);   $newpassword = sha1($newpassword);   $salt = '-45dfehk/__yu349@-/klf21-1_\/4jkup/4';  } else die ("error: enter password");

and input is

    $query = "insert members (memberfirstname, membersecondname, memberemailaddress, memberpassword, memberaddress, memberpostcode) values ('$newfirstname', '$newsecondname', '$newemailaddress', '$newpassword$salt', '$newaddress', '$newpostcode')";

my problem lays when try login. im unsure on how remove salt , unhash password (if needs done). can enter email address , paste hash , salt password field , can login.

this script log in.

<?php include 'db.inc'; session_start(); $useremail =$_post["emailaddress"];  $userpassword =$_post["password"];  $query = "select * members memberemailaddress = '$useremail'           ,  memberpassword = '$userpassword' ";   $connection = mysql_connect($hostname, $username, $password) or die ("unable connect!");  mysql_select_db($databasename) or die ("unable select database!");  $result = mysql_query($query) or die ("error in query: $query. ".mysql_error());  // see if rows returned  if (mysql_num_rows($result) > 0) {     $_session["authenticateduser"] = $useremail;      // relocate logged-in page     header("location: index.php"); }  else    {    $_session["message"] = "could not connect log in $useremail " ;    header("location: login.php");   }     mysql_free_result($result);  mysql_close($connection);   ?>

there several problems approach. first don't use salt @ all, stored not used. second salt should unique each password, in case static salt used, pepper not salt. further use fast hash algorithm, can brute-forced ways fast, instead should switch hash algorithm cost factor bcrypt or pbkdf2.

php has function hash passwords (maybe need compatibility pack):

// hash new password storing in database. // function automatically generates cryptographically safe salt. $hashtostoreindb = password_hash($password, password_bcrypt);  // check if hash of entered login password, matches stored hash. // salt , cost factor extracted $existinghashfromdb. $ispasswordcorrect = password_verify($password, $existinghashfromdb);

because function generates safe salt on own , attaches resulting hash-value, cannot check password sql directly. instead query stored hash (by username), can verify entered password stored one. wrote tutorial tried explain important points more indepth.


Comments

Post a Comment

Popular posts from this blog

C# random value from dictionary and tuple -

-
i have following code, , need random item contains string "region_1" dictionary. public static dictionary<int, tuple<string, int, currencytype>> itemarray = new dictionary<int, tuple<string, int, currencytype>>() { { 0xb3e, new tuple<string, int, currencytype>("region_1", 1500, currencytype.fame) } }; public static int generateitemid(string shopid) { var generateditem = itemarray.elementat(new random().next(0, itemarray.count)).key; } how select this? it's not possible efficiently... first create static random @ class level... prevent non-random behaviour if run query on short period of time... (it's seeded discrete clock) static random rnd = new random(); then: var item = itemarray.values .where(t => t.item1 == shopid) .orderby(_ => rnd.next()) .firstordefault()
Read more

cgi - How do I interpret URLs without extension as files rather than missing directories in nginx? -

-
so i'm trying install zoneminder , have run under nginx, has few compiled files need run using fast-cgi. these files lack extension. if file has extension, there no issue , nginx interprets file , return 404 if can't find it. if has no extension, assume it's directory , return 404 when can't find sort of index page. here have now: # security camera domain. server { listen 888; server_name mydomain.com; root /srv/http/zm; # enable php support. include php.conf; location / { index index.html index.htm index.php; } # enable cgi support. location ~ ^/cgi-bin/(.+)$ { alias /srv/cgi-bin/zm/; fastcgi_pass unix:/run/fcgiwrap.sock; fastcgi_param script_filename $document_root/$1; include fastcgi.conf; } } the idea is, under cgi-bin directory goes through fastcgi pipe. any idea on howi can fix this? upon closer inspection, realized zoneminder has 2 cgi sc...
Read more

.htaccess - htaccess convert request to clean url and add slash at the end of the url -

-
ok , searched more 4 days , more 20 posts here in stach or in websites without kind of success first here htaccess file rewriteengine on rewriterule ^([a-za-z0-9_]+)/?$ index.php?page=$1 [nc] rewriterule ^([a-za-z0-9_]+)\/([a-za-z0-9_]+)\/?$ index.php?page=$1&action=$2 [nc] i tried many codes 1 worked me can call request , works me www.example.com/pagename => www.example.com/index.php?page=pagename here questions , please provide me information "in detail" understand code well 1- how convert request automatically www.example.com/index.php?page=pagename www.example.com/pagename 2- if tried add slash @ end shows me page without images or styling mean www.example.com/pagename => works www.example.com/pagename/ => doesn't work that's :) for first part need 301 rule this: rewritecond %{the_request} /index\.php\?page=([^\s&]+) [nc] rewriterule ^ /%1? [r=301,l] for second part use absolute path in css, js, images files r...
Read more