how to login check password with hashed one in mysql using php?

Question

pinkygirl -3 Junior Poster in Training

13 Years Ago

This is my code to hash

class hashing {
  private static $algo='$2a';
  private static $cost='$10';

  public static function unique_salt() {
	return substr(sha1(mt_rand()),0,22);
  }

 function hash($password) {			
	return crypt($password,self::$algo.self::$cost.'$'.self::unique_salt());
 }

 public static function check_password($hash,$password) {
	$full_salt=substr($hash,0,29);
	$new_hash=crypt($password,$full_salt);
	return ($hash==$new_hash);
 }  
}

This is my login page

require("hashing.php");
$password=hashing::hash($_POST['txtPassword']);
$checkPassword=mysql_query("SELECT * from $tbl_name WHERE Password='".$password."'"); 
$resultPassword=mysql_fetch_row($checkPassword);

if(hashing::check_password($resultPassword['Password'],$_POST['txtPassword'])) {
  echo "login success!";
}
else {
 echo "login failed!";
}

When the user inputs correct password, it is failing to login. How do I solve this problem?

mysql php

3 Contributors
4 Replies
285 Views
1 Day Discussion Span
Latest Post 13 Years Ago Latest Post by diafol

cereal 1,524 Nearly a Senior Poster

13 Years Ago

Run this function, is part of your code:

<?php
function unique_salt() {
	return substr(sha1(mt_rand()),0,22);
  }
echo unique_salt() . "<br />";
echo unique_salt() . "<br />";
?>

You will get something like this:

32f2b4c6e1c81629fa6c02
fdbfe19bbbec167eb4c040

This are salt values, and if you refresh you will get more different values. If you store only the password hash on the database then you can't get the right match, you need to store also the salt.

So, for example, if the hash stored is:

$2a$10$ea04e8df85241ceb9157auxKBW3YKOyHa6XDAZkindtKLZ/GiUcdO

in order to work, your script needs the password sent by the form, $algo, $cost variables and the salt generated when the password was registered, so you need to retrieve this last value from the database.

Right now your script is going to generate a new salt value to compare the password, value that's different from the original used for the hash generation. I hope is more clear now, English is not my main language.

Edited 13 Years Ago by cereal because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

cereal 1,524 Nearly a Senior Poster Featured Poster · Answer 1 · 2011-09-09T18:45:24+00:00

When you use hashing::hash() you're going to output a new unique_salt() each time, so when the user registers to the website, this value has to be saved to the database, if you don't store it then your script won't be able to get the right match.

pinkygirl -3 Junior Poster in Training · Answer 2 · 2011-09-10T14:31:13+00:00

The value is saved into the database. Registration page works fine. But login has a problem

diafol · Answer 3 · 2011-09-11T00:10:30+00:00

Ever heard of the term - overhashing?? :)