Author Topic: [SOLVED] Hash Password Help!  (Read 482 times)


Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
[SOLVED] Hash Password Help!
« on: June 26, 2009, 04:12:01 PM »
I already scripted a login/registration script, but I didn't know about password hashing. Now I'd like to know what I need to do to make a script that hashes existing and future passwords...  :-[

Offline WolfRage

  • Devotee
  • Gender: Male
    • View Profile
    • Feral Bytes
Re: Hash Password Help!
« Reply #1 on: June 26, 2009, 04:29:12 PM »
http://www.phpfreaks.com/forums/index.php/topic,254277.0.html
Let me know if you need any more info than this. But if you read it you will be more knowledgeable than you had ever wished to be about hashing. Includes plenty of hash examples.
-- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * -- * --
Please be forewarned; rather than giving you exactly what you want I prefer to teach you how to get what you want. Knowledge is power, so take the time to learn PHP and you will be able to wield its power.
If I just gave you the code to solve your problem then you will be back again tomorrow asking for more of the same code. So please take the time to learn. Thanks.

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #2 on: June 26, 2009, 05:14:02 PM »
Amazing. I'll look through it and get back. :)

Offline SetToLoki

  • Enthusiast
    • View Profile
Re: Hash Password Help!
« Reply #3 on: June 26, 2009, 05:29:08 PM »
I already scripted a login/registration script, but I didn't know about password hashing. Now I'd like to know what I need to do to make a script that hashes existing and future passwords...  :-[


I would use the sha1 function http://uk3.php.net/sha1
while ($HORSE == $DEAD) beat();

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #4 on: June 30, 2009, 10:15:51 AM »
Code: [Select]
UPDATE users SET password = md5(password);
I was given that code, and told that it would encrypt existing passwords. I was wondering if that is true, it's an SQL statement so it would just update my table, right?


Now how about encrypting passwords in a login script/ registration script? I looked through that link to the tutorial, but there is so much info for me to decipher. Any help?  :)

Offline WolfRage

  • Devotee
  • Gender: Male
    • View Profile
    • Feral Bytes
Re: Hash Password Help!
« Reply #5 on: June 30, 2009, 12:04:16 PM »
I don't know about the SQL statement, but seems to be correct so long as they support that function. You can do the same thing with PHP prior to inserting it into the database. Just remember Hashing is different than encrypting. Hash is irreversible. Encryption can be reversed, so make sure you have the right one for your task.

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #6 on: June 30, 2009, 12:19:45 PM »
Okay :)

Now how would I include that in a registration script so that passwords are automatically hashed or encrypted when they are stored to the database?

I can't add that into config.php (where the script connects to the database), can I? Won't that change all the passwords over?

Offline premiso

  • Life is too short
  • Freak!
  • Gender: Male
  • Liquid luck is Jack Daniel's
    • View Profile
Re: Hash Password Help!
« Reply #7 on: June 30, 2009, 12:23:46 PM »
That is hashing, not encrypting. I would avoid using the MySQL MD5 statement, as you are a bit more limited, with PHP you can salt the MD5 hash a bit better to make it more secure. Either way you go, do the same throughout the whole script. If a user logs in and you are verifying the login, use the MySQL MD5 or PHP MD5, do not mix and match as it will generate different results.

SHA1 is a bit stronger, but yea. I would avoid using the MySQL MD5 function, just because I see it as being a bit more limited in how you control it.

Now how about encrypting passwords in a login script/ registration script? I looked through that link to the tutorial, but there is so much info for me to decipher. Any help?  :)


Please be a bit more descriptive of what you want to know. When a user signs up you hash the password and store that in a database, when a user logs in you hash the password they gave you for the user and check it against your database to verify they match. Pretty simple process.

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #8 on: June 30, 2009, 12:50:10 PM »
Okay, so I should look into using sha1()? I saw it, but wasn't sure...MD5 looked simpler.

This is what I need to know:

a) How to hash existing passwords in my database (is the SQL statement above correct ^^^? )

b) What kind of code I need to insert into my login/registration scripts to hash a password. So, if someone registers, what do I need to do to have the password they enter hashed? Same with login so that they will match.


Thanks :D

Offline corbin

  • Guru
  • Freak!
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #9 on: June 30, 2009, 12:54:09 PM »
a.  Yes, that query will work.  Make sure you only run it once though or you will hash everything twice.

b.  md5()
Why doesn't anyone ever say hi, hey, or whad up world?

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #10 on: June 30, 2009, 01:21:57 PM »
Thanks. ;D

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #11 on: June 30, 2009, 03:39:48 PM »
Okay, I need to know if it's supposed to look something like this...

REGISTRATION SCRIPT
Code: [Select]
<?php
ini_set("display_errors", "1");
error_reporting(E_ALL);
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the username is taken
$check = "select id from $table where username = '".$_POST['username']."';";
$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);
if ($num_rows != 0) {
echo "Sorry, there the username {$_POST['username']}  is already taken.<br/>";
echo "<a href=user_login.php>Try again</a>";
exit;
}
if($_POST['password'] != $_POST['confirmnewpassword']){
   echo ("The two passwords must match. <br/>");
echo ("<a href=user_login.php>Try Again</a>");
}
else {

// insert the data
$insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."')")
or die("Could not insert data because ".mysql_error());

// print a success message
echo "Your user account has been created!<br>";
echo "Now you can <a href=user_login.php>log in</a>";
}

?>

 
THE HASH PART

Code: [Select]
<?php

$password = $_POST['password'];

$hashed = md5($password);

if ($hashed == $_POST['password']) {
exit;
}
?>


I think it's way off, but I've been staring down md5() and hashing manuals for hours and my brain hurts.

Offline mjdamato

  • Guru
  • Fanatic
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #12 on: June 30, 2009, 05:54:11 PM »
OK, let's break down what you need into actionable steps. As premiso stated I would suggest using a salted hash so if someone was able to get your hashed values they can't use a lookup table to determine the passwords. A salt is just some manner of modifying the value in a consistent manner before hashing. By creating a value that is not 'common' it makes it significantly less likely that someone would have the value in a lookup table. You can salt a value by appending a value (such as the username), reversing the string, or anything that you can consistently replicate.

So, here are the steps I would take:

1) Create a function to generate a salted hashed password.
2) Create a simple PHP page to run that function on all the current passwords (see caution below)
3) Modify the user creation script to hash the password (using the above function) before doing the SQL Insert
4) Modify the login script to hash the provided password (using the above function) before comparing it against the value in the database.

Example hashing function: appends the username to the password before hashing to prevent the use of lookup tables if someone got a hold of the value. You could also do something such as reverse the characters of the string or anything that you can consistently reproduce but will result in a value that would not be 'common'.
function hashPW($password, $username)
{
    return sha1($password.$username);
}


Sample function to update current records (note this may take a while if you have a LOT of records)
//Be sure to include the hash function!
$query = "SELECT id, username, password FROM users";
$result = mysql_query($query);
$values = array();
while ($record = mysql_fetch_assoc($result))
{
    $query = "UPDATE users
              SET password ='" . hashPW($record['password'], $record['username']) . "'
              WHERE id = {$record['id']}";
    mysql_query($query);
}
You should test this to ensure it works before running. Plus, you might want to backup your database first. It would be bad news if the script fails and you could not return the values to their original values. You could also insert the hashed value into a temporary column.

Update the login script to hash entered password before comparing against the db value.
--No code provided

Update the Registration script to hash the password
-Change this
// insert the data
$insert = mysql_query("insert into $table values ('NULL', '".$_POST['username']."', '".$_POST['password']."', '".$_POST['email']."')")
or die("Could not insert data because ".mysql_error());


-To this
$password = hashPW($_POST['password'], $_POST['username']);
// insert the data
$insert = mysql_query("insert into $table values ('NULL', '{$_POST['username']}', '{$password}', '{$_POST['email']}')")
or die("Could not insert data because ".mysql_error());


Lastly, you do not need to worry about protecting the password against sql injection since you are hashing the value - but you definitely want to use mysql_real_escape_string() for the username and email.
« Last Edit: June 30, 2009, 05:56:54 PM by mjdamato »
The quality of the responses received is directly proportional to the quality of the question asked.

I do not always test the code I provide, so there may be some syntax errors. In 99% of all cases I found the solution to your problem here: http://www.php.net
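
The four steps listed above, run end to end as an added example (not code from the thread or from any poster). It swaps in PHP's password_hash()/password_verify() for sha1($password.$username) and PDO prepared statements for string-built queries; the in-memory SQLite table, the sample users, the one-argument hashPW() and the migratePlaintext/registerUser/checkLogin names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.5+ with pdo_sqlite;
// the table layout and sample rows are constructed for the demo.
// Swapped in: password_hash()/password_verify() (random per-user salt, slow
// by design) for sha1($password.$username), and prepared statements for
// string-built SQL.

function openDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        email TEXT NOT NULL)');
    return $db;
}

// Step 1: a single function produces every stored value.
function hashPW($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Step 2: migrate rows that still hold plaintext. Rows already in
// password_hash() format are skipped, so a second run changes nothing,
// and the transaction leaves the table untouched if anything fails.
function migratePlaintext(PDO $db)
{
    $rows = $db->query('SELECT id, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $upd = $db->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $changed = 0;
    $db->beginTransaction();
    try {
        foreach ($rows as $row) {
            $info = password_get_info($row['password']);
            if ($info['algoName'] !== 'unknown') {
                continue; // already hashed
            }
            $upd->execute(array(':hash' => hashPW($row['password']), ':id' => $row['id']));
            $changed++;
        }
        $db->commit();
    } catch (Exception $e) {
        $db->rollBack();
        throw $e;
    }
    return $changed;
}

// Step 3: registration hashes before the INSERT; values are bound, not quoted.
function registerUser(PDO $db, $username, $password, $email)
{
    $ins = $db->prepare('INSERT INTO users (username, password, email) VALUES (:u, :p, :e)');
    try {
        $ins->execute(array(':u' => $username, ':p' => hashPW($password), ':e' => $email));
    } catch (PDOException $e) {
        if ($e->getCode() == '23000') {
            return false; // UNIQUE violation: username already taken
        }
        throw $e;
    }
    return true;
}

// Step 4: with a random salt the hash cannot go in the WHERE clause.
// Fetch the row by username, then let password_verify() compare.
function checkLogin(PDO $db, $username, $password)
{
    $sel = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $sel->execute(array(':u' => $username));
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Demo on constructed data: one legacy plaintext row, one new registration
// whose username contains a quote character.
$db = openDb();
$db->exec("INSERT INTO users (username, password, email)
           VALUES ('alice', 'correct horse', 'alice@example.test')");
printf("migrated on first run:  %d\n", migratePlaintext($db));
printf("migrated on second run: %d\n", migratePlaintext($db));
printf("alice, right password:  %s\n", var_export(checkLogin($db, 'alice', 'correct horse'), true));
printf("alice, wrong password:  %s\n", var_export(checkLogin($db, 'alice', 'battery staple'), true));
printf("register o'brien:       %s\n", var_export(registerUser($db, "o'brien", 'hunter2!', 'ob@example.test'), true));
printf("register o'brien again: %s\n", var_export(registerUser($db, "o'brien", 'other', 'ob2@example.test'), true));
printf("o'brien login:          %s\n", var_export(checkLogin($db, "o'brien", 'hunter2!'), true));
```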

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #13 on: June 30, 2009, 07:28:15 PM »
You, my friend, are God. :D

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #14 on: June 30, 2009, 08:04:08 PM »
PS Here's the login script:

Code: [Select]
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

$match = "select id from $table where username = '".$_POST['username']."'
and password = '".$_POST['password']."';";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";
exit;
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}
?>

I don't have a great enough understanding of PHP to be able to modify this. :D

Offline mjdamato

  • Guru
  • Fanatic
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #15 on: June 30, 2009, 09:23:29 PM »
Simply change this
$match = "select id from $table where username = '".$_POST['username']."'
and password = '".$_POST['password']."';";


To this

$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";


Again, you REALLY need to be using mysql_real_escape_string() on user submitted values used within a query. I cannot stress this enough. All it would take is one "problem" input, intentional or accidental, to destroy your database.

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #16 on: June 30, 2009, 09:27:14 PM »
Really?  :o
What is this mysql_real_escape_string()?
I'll go research it. :D

Thanks, I'll post the final codes after I'm done.

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #17 on: June 30, 2009, 09:46:30 PM »
This is what I've gotten:

The Function
Code: [Select]
<?php
include "config.php";


// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

function hashPW($password, $username)
{
    return sha1($password.$username);
}
//Be sure to include the hash function!
$query = "SELECT id, username, password FROM users";
$result = mysql_query($query);
$values = array();
while ($record = mysql_fetch_assoc($result))
{
    $query = "UPDATE users
              SET password ='" . hashPW($record['password'], $record['username']) . "'
              WHERE id = {$record['id']}";
    mysql_query($query);
}
?>

Updated Login Script

Code: [Select]
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());


$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";
exit;
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}
?>

The Updated Registration Script

Code: [Select]
<?php
ini_set("display_errors", "1");
error_reporting(E_ALL);
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the username is taken
$check = "select id from $table where username = '".$_POST['username']."';";
$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);
if ($num_rows != 0) {
echo "Sorry, there the username {$_POST['username']}  is already taken.<br/>";
echo "<a href=user_login.php>Try again</a>";
exit;
}
if($_POST['password'] != $_POST['confirmnewpassword']){
   echo ("The two passwords must match. <br/>");
echo ("<a href=user_login.php>Try Again</a>");
}
else {

$password = hashPW($_POST['password'], $_POST['username']);
// insert the data
$insert = mysql_query("insert into $table values ('NULL', '{$_POST['username']}', '{$password}', '{$_POST['email']}')")
or die("Could not insert data because ".mysql_error());

// print a success message
echo "Your user account has been created!<br>";
echo "Now you can <a href=user_login.php>log in</a>";
}

?>

I just want to check and make sure it's all good. Thanks in advance to anyone that helps :)

Offline mjdamato

  • Guru
  • Fanatic
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #18 on: June 30, 2009, 09:51:12 PM »
I don't see where you have included the hashing function on the login or registration scripts. That is why I created a function - it will ensure you are salting/hashing the values exactly the same every time. You should put it in an external file and include() it on those pages - never copy and paste a function into multiple pages. You will eventually update one and not the other some day.

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #19 on: June 30, 2009, 10:33:28 PM »
Oh, I didn't know it needed to go into every page, I'll do that now.

Other than that it looks all good?

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #20 on: July 01, 2009, 01:15:34 PM »
These are my final codes, well, the ones I came up with that are probably wrong. :P

function.php

Code: [Select]
function hashPW($password, $username)
{
    return sha1($password.$username);
}

hash.php [for hashing passwords]
Code: [Select]
<?php
include "config.php";


// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include "function.php";

//Be sure to include the hash function!
$query = "SELECT id, username, password FROM users";
$result = mysql_query($query);
$values = array();
while ($record = mysql_fetch_assoc($result))
{
    $query = "UPDATE users
              SET password ='" . hashPW($record['password'], $record['username']) . "'
              WHERE id = {$record['id']}";
    mysql_query($query);
}
?>

register.php
Code: [Select]
<?php
ini_set("display_errors", "1");
error_reporting(E_ALL);
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the username is taken
$check = "select id from $table where username = '".$_POST['username']."';";
$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);
if ($num_rows != 0) {
echo "Sorry, there the username {$_POST['username']}  is already taken.<br/>";
echo "<a href=user_login.php>Try again</a>";
exit;
}
if($_POST['password'] != $_POST['confirmnewpassword']){
   echo ("The two passwords must match. <br/>");
echo ("<a href=user_login.php>Try Again</a>");
}
else {
include "function.php";
$password = hashPW($_POST['password'], $_POST['username']);
// insert the data
$insert = mysql_query("insert into $table values ('NULL', '{$_POST['username']}', '{$password}', '{$_POST['email']}')")
or die("Could not insert data because ".mysql_error());

// print a success message
echo "Your user account has been created!<br>";
echo "Now you can <a href=user_login.php>log in</a>";
}

?>

login.php
Code: [Select]
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());


$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";
include "function.php";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";
exit;
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}
?>


I really need to know if these are correctly formatted and stuff so I can re-open my site. Thanks :D

Offline corbin

  • Guru
  • Freak!
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #21 on: July 01, 2009, 01:21:41 PM »
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");



Oh... Errr....


Never trust cookies.  Having a "loggedin" cookie set to true is a horrible thing security wise.  Cookies can easily be manipulated.  Instead, set a session value or something.


Also, if you ever want to have a "Remember Me" feature, put the username and some token that a user could not know without actually having done it legitly.
Why doesn't anyone ever say hi, hey, or whad up world?
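
The two suggestions in the reply above, as an added example (not code from the thread): login state held in the session, and a "Remember Me" cookie carrying a random token of which the server stores only a hash. The function names, the in-memory token store and user id 42 are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (random_bytes);
// the in-memory token store stands in for a database table and the user id
// is constructed. A web page would call session_start() before any of this.

// Login state is kept server-side in the session; the browser only holds
// the opaque session id, so there is no "loggedin" value for it to edit.
function markLoggedIn($userId)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id after login
    }
    $_SESSION['user_id'] = (int) $userId;
}

function currentUserId()
{
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}

// "Remember Me": the cookie carries selector:validator. The server keeps
// only sha256(validator), so a leaked table does not yield usable cookies.
function issueRememberToken(array &$store, $userId, $now, $ttl = 1209600)
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = array(
        'user_id' => (int) $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + $ttl,
    );
    // Cookie value; send it with the Secure and HttpOnly flags set.
    return $selector . ':' . $validator;
}

// Returns the user id for a valid cookie value, otherwise null.
// Every lookup consumes the token: on success the caller issues a new one,
// on a wrong validator the token is revoked.
function checkRememberToken(array &$store, $cookieValue, $now)
{
    $parts = explode(':', (string) $cookieValue, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $entry = $store[$parts[0]];
    unset($store[$parts[0]]);
    if ($entry['expires'] < $now) {
        return null;
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($entry['hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    return $entry['user_id'];
}

// Demo on constructed values.
$tokenStore = array();
$now = time();
$cookie = issueRememberToken($tokenStore, 42, $now);

// A client-chosen value such as the old cookie's "TRUE" matches nothing.
echo 'client-chosen value: ', var_export(checkRememberToken($tokenStore, 'TRUE', $now), true), "\n";

// The genuine cookie logs the user in once.
$uid = checkRememberToken($tokenStore, $cookie, $now);
if ($uid !== null) {
    markLoggedIn($uid);
}
echo 'genuine cookie:      ', var_export($uid, true), "\n";
echo 'session user id:     ', var_export(currentUserId(), true), "\n";

// Presenting the same cookie again fails because the token was consumed.
echo 'same cookie again:   ', var_export(checkRememberToken($tokenStore, $cookie, $now), true), "\n";

// A right selector with an altered validator fails and revokes the token.
$second = issueRememberToken($tokenStore, 42, $now);
list($selector) = explode(':', $second);
$altered = $selector . ':' . str_repeat('0', 64);
echo 'altered validator:   ', var_export(checkRememberToken($tokenStore, $altered, $now), true), "\n";
echo 'tokens left:         ', count($tokenStore), "\n";
```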

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #22 on: July 01, 2009, 02:25:35 PM »
There's more that is faulty?! :o :D
How would I do this?

Offline mjdamato

  • Guru
  • Fanatic
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #23 on: July 01, 2009, 02:33:23 PM »
I really need to know if these are correctly formatted and stuff so I can re-open my site. Thanks :D


Cetanu,

I am more than happy to help provide guidance. But, I am not going to test your code for you. YOU need to test the code against your database to ensure it is working correctly. And, no one can categorically state that your code will work with any certainty. I already stated that I didn't see a problem with what you had. Just follow the steps I posted above. But, as I stated you will want to back up your database first before running the process to update current passwords. Then I would test logging in using an existing account to ensure that update process worked. Then lastly test the process of creating a new account and logging in.

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #24 on: July 01, 2009, 02:49:52 PM »
Okay, just...I was afraid for me DB. :-/ Didn't think I did it right is all.

But thanks, I'll back it up and test it. :D

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #25 on: July 01, 2009, 03:10:24 PM »
So I've tested the code, and it will not work. The problem lies in here:

Code: [Select]
<?php
$password = $_POST['password'];
$username = $_POST['username'];

function hashPW($password, $username)
{
    return sha1($password.$username);
}
?>

This is the login script, which I'm trying to fix. :D
Code: [Select]
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include "function.php";
$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";


$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";
exit;
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}
?>

It gives me my error message about not having username and password specified exist....

I tried it with  {} and without them in the function script.

GOOD NEWS: The existing passwords were hashed and the registration script works. Just the login script is broken.
« Last Edit: July 01, 2009, 03:21:10 PM by Cetanu »

Offline mjdamato

  • Guru
  • Fanatic
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #26 on: July 01, 2009, 03:28:24 PM »
You need to be more specific. What is the EXACT error message and what line is it giving the error on?

In the first block of code above, why are you defining $password & $username?

I did a test and it outputs exactly what I would expect
$_POST['username'] = 'mjdamato';
$_POST['password'] = 'notmyrealpassword';
$table = 'tableName';

function hashPW($password, $username)
{
    return sha1($password.$username);
}

$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";

echo $match;

// Output:
// select id
// from tableName
// where username = 'mjdamato'
//   and password = '032aefab39a2f2ee2b90891d62fd19edcd220802';

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #27 on: July 01, 2009, 03:42:31 PM »
There is no error, the page just goes to login.php and is completely blank. The error I was talking about was from the login.php code:
Code: [Select]
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";

I cannot define $_POST['username'] or password as "mjdamato" or "notmyrealpassword" because I want that to be gotten from my MySQL server. I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes? I tried a lot just to get this to grab the hashed password from the server and compare it with the typed password, but it was to no avail.
« Last Edit: July 01, 2009, 03:47:23 PM by Cetanu »

Offline mjdamato

  • Guru
  • Fanatic
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #28 on: July 01, 2009, 03:56:32 PM »
I cannot define $_POST['username'] or password as "mjdamato" or "notmyrealpassword" because I want that to be gotten from my MySQL server. I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes? I tried a lot just to get this to grab the hashed password from the server and compare it with the typed password, but it was to no avail.

I'm not suggesting you define the POST values, that was only a test. And, post values do not come from the database, they come from a form post. Are you even sure of what your code does?

I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes?

No. You pass the values to the function and they are defined within the function.

Echo the value of $match to the page to see if the query is being generated as you expect.

Offline CetanuTopic starter

  • Enthusiast
  • Gender: Male
  • He who can't be killed isn't necessarily immortal.
    • View Profile
    • MythScape
Re: Hash Password Help!
« Reply #29 on: July 01, 2009, 04:02:54 PM »
Well I sort of have an idea what the code's doing, but this is really a learn-as-you-go experience for me. That's what PHP has been so far, and I think I've learned a fair bit.  ;D

I'll see what happens when I echo $match.
Thanks.

EDIT: It does echo what I want it to!
With this:
Code: [Select]
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include ("function.php");
$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";

echo $match;
?>

So it would have to be something in here:
Code: [Select]
...
$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=user_login.php>Try again</a>";
exit;
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}
?>

Right?
« Last Edit: July 01, 2009, 04:10:45 PM by Cetanu »

Offline mjdamato

  • Guru
  • Fanatic
  • *
  • Gender: Male
    • View Profile
Re: Hash Password Help!
« Reply #30 on: July 01, 2009, 05:49:59 PM »
Use this code and run a test. Then post the text displayed
Code:
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include ("function.php");
//$match = "select id from $table where username = '".$_POST['username']."'
//and password = '".hashPW($_POST['password'],$_POST['username'])."';";

//Test Query
$match = "select password from $table where username = '".$_POST['username']."'";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());

//----BEGIN TEST CODE
$result = mysql_fetch_assoc($qry);
echo "QUERY: {$match}<br />
POSTED VALUES:<br />
 - Username: {$_POST['username']}<br />
 - Password: {$_POST['password']}<br />
 - Hashed Password: " . hashPW($_POST['password'], $_POST['username']) . "<br />";
echo "Database Password: {$_result['password']}";
exit();
//-----END TEST CODE

$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=user_login.php>Try again</a>";
exit;
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}

?>

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #31 on: July 01, 2009, 08:38:26 PM »
Okay:

QUERY: select password from users where username = 'Admin'
POSTED VALUES:
- Username: Admin
- Password: ------
- Hashed Password: 89cda54482caa109b5544b204b0ad06a7d57df4e
Database Password:

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #32 on: July 01, 2009, 08:57:22 PM »
Okay, I found that a variable was improperly defined and then retried it so this is the final after my change:

QUERY: select password from users where username = 'Admin'
POSTED VALUES:
- Username: Admin
- Password: ------ [<< I changed it to that, it showed my password]
- Hashed Password: 89cda54482caa1e9b5544b204b0ad06a7d57df4e
Database Password: 89cda54482caa1e9b5544b204b0ad06a

mjdamato
Re: Hash Password Help!
« Reply #33 on: July 01, 2009, 09:14:14 PM »
Check the definition for the password field in the database. I'm guessing you set the length of that field to 32 characters - so the value is getting truncated (i.e. the last 8 characters are getting cut off)!

You will need to:

1. Restore your backed up database
2. Increase the length of the field in the database to at least 40 characters
3. Rerun the script to hash the current passwords

It "should" all work then. Now aren't you glad you made a backup of the database?!
 
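The truncation diagnosed in Reply #33, as an added example that is not part of the original thread: it compares a stored value with the freshly computed hash and reports whether the stored value is merely a cut-off prefix, which is what a 32-character column does to a 40-character SHA-1 hex digest. hashPWExample(), the table names, the column widths and the sample password are constructed for illustration; the thread's real hashPW() is not shown on this page.

```php
<?php
// Added example, not code from the thread. hashPWExample() is a hypothetical
// stand-in for the thread's hashPW(); salting with the username is an assumption.
function hashPWExample(string $password, string $username): string
{
    return sha1($username . $password);
}

// Hex digest length for an algorithm: md5 = 32, sha1 = 40, sha256 = 64.
function digestHexLength(string $algo): int
{
    return strlen(hash($algo, ''));
}

// Compare a stored value with the computed hash and say why they differ.
function classifyStored(string $stored, string $computed): string
{
    if (hash_equals($computed, $stored)) {
        return 'match';
    }
    // A shorter stored value that is a prefix of the computed hash means
    // the column cut the digest off when it was written.
    if ($stored !== '' && strlen($stored) < strlen($computed)
        && strncmp($computed, $stored, strlen($stored)) === 0) {
        return 'truncated to ' . strlen($stored) . ' chars';
    }
    return 'mismatch';
}

// Constructed sample: the same hash written to a 32-char and a 40-char column.
$columnWidths = ['users_old' => 32, 'users_fixed' => 40];
$computed = hashPWExample('correct horse', 'Admin');

foreach ($columnWidths as $table => $width) {
    // MySQL in non-strict SQL mode keeps only the first $width characters
    // and raises a warning; strict mode rejects the write instead.
    $stored = substr($computed, 0, $width);
    printf("%-11s width=%d needs=%d -> %s\n",
        $table, $width, digestHexLength('sha1'), classifyStored($stored, $computed));
}
```

The same width check applies before changing algorithms: a SHA-256 hex digest needs 64 characters and the bcrypt output of PHP's password_hash() is 60.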

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #34 on: July 01, 2009, 11:10:19 PM »
Wait, the database field is set to be too short to be hashed? Okay, I can change it. YES I am happy that I backed it up. I'll go do that, thanks :D

I'll pro'ly have one or two more questions.

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #35 on: July 02, 2009, 09:53:59 AM »
Okay. Thanks a lot to everyone who helped me accomplish this. It's fixed.
