All geek questions in one place

Why is hashing different after reset?

I have created a neat system for cellular and hash users of passwords, I will send them by email to call reset if they forget them.

I can hash $_POSTon the fly and salt it with the unique salt of users stored in their string, and match it with the stored hashed password and sign them. When they reset their password and try to login, the $ _POST entered does not match the saved pw. This is the same process.

Any idea why this could be?

Here is the relevant part of the script:

$query =  "SELECT `encrypted_password`,`salt` FROM `Users` WHERE `Email` = '" . stripslashes(mysql_real_escape_string($_POST['email'])) . "'";
    $request = mysql_query($query,$connection) or die(mysql_error());
    $result = mysql_fetch_array($request);


    $salty_password = sha1($result['salt'] . stripslashes(mysql_real_escape_string($_POST['password'])));

    // SEE HOW THEY COMPARE
    echo "Users real salted pass: " . $result['encrypted_password'] . " / Salty Password to check: " . $salty_password . "<br />";

    $query2 = "SELECT * FROM `Users` WHERE `Email` = '". stripslashes(mysql_real_escape_string($_POST['email'])."' AND `encrypted_password` = '$salty_password'";
    $request2 = mysql_query($query2,$connection) or die(mysql_error());
    $result = mysql_fetch_array($request2);

- edit ---

can this help find out how password reset?

$query = "SELECT * FROM `Password_Reset` ORDER BY `id` DESC LIMIT 1";
$request = mysql_query($query,$connection) or die(mysql_error());
$result = mysql_fetch_array($request);

$token = $result['token'];

$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
$rand = str_shuffle($alpha);
$salt = substr($rand,0,40);
$hashed_password = sha1($salt . stripslashes(mysql_real_escape_string($_POST['Password'])));
$user_email = $result['email'];

    if(isset($_POST['sub_settings'])){


        if(empty($_POST['Password'])) {
            $valid = false;
            $error_msgs[] = 'Whoops! You must enter a password.';
        }

        if($_POST['Password'] != $_POST['passwordConfirm'] || empty($_POST['Password'])) {
            $valid = false;
            $error_msgs[] = "Your password entries didn't match...was there a typo?";
        }

        if($valid) {
            $query = "UPDATE `Users` SET `encrypted_password` = '$hashed_password' WHERE `Email` = '$user_email'";

            mysql_query($query,$connection);
+3
source share
1 answer

, , reset, . .

, sha1. , stripslashes mysql_real_escape_string , - PHP , .

+2

Source: https://habr.com/ru/post/1790773/

More articles:


All Articles