Authentication of user login from sa1 passwords

Question

Authentication of user login from sa1 passwords

I have a very simple user registration / user registration script that stores passwords using sha1 and salt. I have passwords and creating users that work fine and store everything in the database is just fine, but when I try to log in with credentials, it will not work. It seems that I can not find anything when searching for this topic.

Here is my added custom form:

session_start(); include("includes/resume.config.php"); // make sure form fields have a value and strip them function check_input($data, $problem='') { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); if ($problem && strlen($data) == 0) { die($problem); } return $data; } // get form values, escape them and apply the check_input function $name = $link->real_escape_string(check_input($_POST['name'], "Please enter a name!")); $email = $link->real_escape_string(check_input($_POST['email'], "Please enter an email!")); $password = $link->real_escape_string(check_input($_POST['password'], "Please enter a password!")); // generate a random salt for converting passwords into MD5 $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); $saltedPW = $password . $salt; $hashedPW = sha1($saltedPW); mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error()); // select the db mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name)); // our sql query $sql = "INSERT INTO admins (name, email, password, salt) VALUES ('$name', '$email', '$hashedPW', '$salt');"; //save the updated information to the database mysqli_query($link, $sql) or die("Error in Query: " . mysqli_error($link)); if (!mysqli_error($link)) { header("Location: file_insert.php"); }

And here is my login script: This is what does not work

 function check_input($data, $problem='') { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); if ($problem && strlen($data) == 0) { die($problem); } return $data; } if(isset($_POST['submitLogin'])) { //form submitted? // get form values, escape them and apply the check_input function $name = $link->real_escape_string(check_input($_POST['name'], "Please enter a name!")); $password = $link->real_escape_string(check_input($_POST['password'], "Please enter a password!")); $saltQuery = $link->query('SELECT salt FROM admins WHERE name = "'.$name.'"'); $salt = mysqli_fetch_assoc($saltQuery); $saltedPW = $password . $salt; $hashedPW = sha1($saltedPW); mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error()); // select the db mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name)); $validate_user = $link->query('SELECT id, name, password FROM admins WHERE name = "'.$name.'" AND password = "'.$hashedPW.'"'); if ($validate_user->num_rows == 1) { $row = $validate_user->fetch_assoc(); $_SESSION['id'] = $row['id']; $_SESSION['loggedin'] = TRUE; Header('Location: file_insert.php'); } else { print "<center><p style='margin-top: 200px; font-weight: bold;'>Invalid Login Information</p>"; print "<a href='admin-login.php'>Click here</a> to return to the login page.</center>"; } }

+4

php passwords hash salt sha1

Ty bailey 24 sept '12 at 23:34

source share

2 answers

You did not say if you get an error message, but from what you post, I think this is a connection problem:

 if(isset($_POST['submitLogin'])) { //form submitted? // Here, you didn't connect to database, but you are expecting to fetch salt! $saltQuery = $link->query('SELECT salt FROM admins WHERE name = "'.$name.'"'); $salt = mysqli_fetch_assoc($saltQuery);

So, you may have to connect to the database first:

 if(isset($_POST['submitLogin'])) { //form submitted? mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error()); // select the db mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name)); // Here, you didn't connect to database, but you are expecting to fetch salt! $saltQuery = $link->query('SELECT salt FROM admins WHERE name = "'.$name.'"');

Secondly, mysqli_fetch_assoc returns an array with the key name as the field of what you insert into the SELECT query, the final code should look like this:

 if(isset($_POST['submitLogin'])) { //form submitted? mysqli_connect($db_host, $db_user, $db_pass) OR DIE (mysqli_error()); // select the db mysqli_select_db ($link, $db_name) OR DIE ("Unable to select db".mysqli_error($db_name)); // Here, you didn't connect to database, but you are expecting to fetch salt! $saltQuery = $link->query('SELECT salt FROM admins WHERE name = "'.$name.'"'); $salt = mysqli_fetch_assoc($saltQuery); $saltedPW = $password . $salt["salt"]; $hashedPW = sha1($saltedPW);

0

Sife 24 sept '12 at 23:47

source share

drew010 · Accepted Answer · 2012-09-24T23:41:40+0000

Perhaps there will be more, but, of course, one of the reasons why it does not work is because mysqli_fetch_assoc returns an array, and you are using it as a string.

PHP will complain about the string conversion array when you call $password . $salt $password . $salt , as $salt is currently an array. As a result, you get the word Array added to the password, which leads to an invalid hash. If you disabled display_errors and / or error_reporting to hide notifications in php.ini , you will not see this message.

If you change:

 $saltedPW = $password . $salt;

in

 $saltedPW = $password . $salt['salt'];

then it should work.

In addition, you must exit $salt before inserting it into the database, because it may possibly contain null, non-printable, or single / double quotes, as it is generated randomly.

Authentication of user login from sa1 passwords

More articles: