Author Topic: [SOLVED] Hash Password Help!  (Read 480 times)


mjdamato
Re: Hash Password Help!
« Reply #15 on: June 30, 2009, 09:23:29 PM »
Simply change this
$match = "select id from $table where username = '".$_POST['username']."'
and password = '".$_POST['password']."';";


To this

$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";


Again, you REALLY need to be using mysql_real_escape_string() on user submitted values used within a query. I cannot stress this enough. All it would take is one "problem" input, intentional or accidental, to destroy your database.
The quality of the responses received is directly proportional to the quality of the question asked.

I do not always test the code I provide, so there may be some syntax errors. In 99% of all cases I found the solution to your problem here: http://www.php.net
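
The escaping advice in the reply above, as an added example that is not part of the original thread: it runs the thread's concatenated login query and a bound-parameter version against a constructed in-memory SQLite table, using a username that contains an apostrophe. It uses PDO prepared statements in place of mysql_real_escape_string(), because the mysql_* functions were removed in PHP 7; the table, rows and every function name other than hashPW() are assumptions, as is the availability of the pdo_sqlite extension.

```php
<?php
// Added example: table, rows and passwords below are constructed sample data.

function hashPW($password, $username)
{
    // The thread's scheme, kept so both queries compare like with like.
    // PHP's password_hash()/password_verify() are the purpose-built functions.
    return sha1($password . $username);
}

function makeDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    foreach (array(array("O'Brien", 'constructed-pw-1'), array('cetanu', 'constructed-pw-2')) as $u) {
        $ins->execute(array($u[0], hashPW($u[1], $u[0])));
    }
    return $db;
}

// The thread's approach: request values are pasted into the SQL text.
function loginConcatenated(PDO $db, $username, $password)
{
    $sql = "select id from users where username = '" . $username . "'
            and password = '" . hashPW($password, $username) . "'";
    try {
        $id = $db->query($sql)->fetchColumn();
        return $id === false ? 'no match' : 'user id ' . $id;
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Bound parameter: the value never becomes part of the SQL text.
function loginPrepared(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'no match';
    }
    // hash_equals() compares the stored and computed hashes in constant time.
    return hash_equals($row['password'], hashPW($password, $username))
        ? 'user id ' . $row['id'] : 'no match';
}

$db = makeDb();
foreach (array(array("O'Brien", 'constructed-pw-1'), array("O'Brien", 'wrong-pw')) as $try) {
    echo 'concatenated: ', loginConcatenated($db, $try[0], $try[1]), "\n";
    echo 'prepared:     ', loginPrepared($db, $try[0], $try[1]), "\n";
}
```

The ordinary username O'Brien makes the concatenated query fail with a syntax error, while the prepared version returns the row only when the hash matches.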

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #16 on: June 30, 2009, 09:27:14 PM »
Really?  :o
What is this mysql_real_escape_string()?
I'll go research it. :D

Thanks, I'll post the final codes after I'm done.

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #17 on: June 30, 2009, 09:46:30 PM »
This is what I've gotten:

The Function
Code:
<?php
include "config.php";

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

function hashPW($password, $username)
{
    return sha1($password.$username);
}
//Be sure to include the hash function!
$query = "SELECT id, username, password FROM users";
$result = mysql_query($query);
$values = array();
while ($record = mysql_fetch_assoc($result))
{
    $query = "UPDATE users
              SET password ='" . hashPW($record['password'], $record['username']) . "'
              WHERE id = {$record['id']}";
    mysql_query($query);
}
?>

Updated Login Script

Code:
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());


$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
    echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
    echo "<a href=log.php>Try again</a>";
    exit;
}
else {
    setcookie("loggedin", "TRUE", time()+(3600 * 24));
    setcookie("mysite_username", "{$_POST['username']}");
    header('Location:http://mythscape.freezoka.com/');
    die();
}
?>

The Updated Registration Script

Code:
<?php
ini_set("display_errors", "1");
error_reporting(E_ALL);
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the username is taken
$check = "select id from $table where username = '".$_POST['username']."';";
$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);
if ($num_rows != 0) {
    echo "Sorry, there the username {$_POST['username']}  is already taken.<br/>";
    echo "<a href=user_login.php>Try again</a>";
    exit;
}
if ($_POST['password'] != $_POST['confirmnewpassword']) {
    echo ("The two passwords must match. <br/>");
    echo ("<a href=user_login.php>Try Again</a>");
}
else {

    $password = hashPW($_POST['password'], $_POST['username']);
    // insert the data
    $insert = mysql_query("insert into $table values ('NULL', '{$_POST['username']}', '{$password}', '{$_POST['email']}')")
    or die("Could not insert data because ".mysql_error());

    // print a success message
    echo "Your user account has been created!<br>";
    echo "Now you can <a href=user_login.php>log in</a>";
}

?>

I just want to check and make sure it's all good. Thanks in advance to anyone that helps :)

mjdamato
Re: Hash Password Help!
« Reply #18 on: June 30, 2009, 09:51:12 PM »
I don't see where you have included the hashing function on the login or registration scripts. That is why I created a function - it will ensure you are salting/hashing the values exactly the same every time. You should put it in an external file and include() it on those pages - never copy and paste a function into multiple pages. You will eventually update one and not the other some day.

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #19 on: June 30, 2009, 10:33:28 PM »
Oh, I didn't know it needed to go into every page, I'll do that now.

Other than that it looks all good?

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #20 on: July 01, 2009, 01:15:34 PM »
These are my final codes, well, the ones I came up with that are probably wrong. :P

function.php

Code:
function hashPW($password, $username)
{
    return sha1($password.$username);
}

hash.php [for hashing passwords]
Code:
<?php
include "config.php";

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include "function.php";

//Be sure to include the hash function!
$query = "SELECT id, username, password FROM users";
$result = mysql_query($query);
$values = array();
while ($record = mysql_fetch_assoc($result))
{
    $query = "UPDATE users
              SET password ='" . hashPW($record['password'], $record['username']) . "'
              WHERE id = {$record['id']}";
    mysql_query($query);
}
?>

register.php
Code:
<?php
ini_set("display_errors", "1");
error_reporting(E_ALL);
include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

// check if the username is taken
$check = "select id from $table where username = '".$_POST['username']."';";
$qry = mysql_query($check) or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);
if ($num_rows != 0) {
    echo "Sorry, there the username {$_POST['username']}  is already taken.<br/>";
    echo "<a href=user_login.php>Try again</a>";
    exit;
}
if ($_POST['password'] != $_POST['confirmnewpassword']) {
    echo ("The two passwords must match. <br/>");
    echo ("<a href=user_login.php>Try Again</a>");
}
else {
    include "function.php";
    $password = hashPW($_POST['password'], $_POST['username']);
    // insert the data
    $insert = mysql_query("insert into $table values ('NULL', '{$_POST['username']}', '{$password}', '{$_POST['email']}')")
    or die("Could not insert data because ".mysql_error());

    // print a success message
    echo "Your user account has been created!<br>";
    echo "Now you can <a href=user_login.php>log in</a>";
}

?>

login.php
Code:
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());


$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";
include "function.php";

$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
    echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
    echo "<a href=log.php>Try again</a>";
    exit;
}
else {
    setcookie("loggedin", "TRUE", time()+(3600 * 24));
    setcookie("mysite_username", "{$_POST['username']}");
    header('Location:http://mythscape.freezoka.com/');
    die();
}
?>


I really need to know if these are correctly formatted and stuff so I can re-open my site. Thanks :D

corbin
Re: Hash Password Help!
« Reply #21 on: July 01, 2009, 01:21:41 PM »
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");



Oh... Errr....


Never trust cookies.  Having a "loggedin" cookie set to true is a horrible thing security wise.  Cookies can easily be manipulated.  Instead, set a session value or something.


Also, if you ever want to have a "Remember Me" feature, put the username and some token that a user could not know without actually having done it legitly.
Why doesn't anyone ever say hi, hey, or whad up world?
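
The session and "Remember Me" advice in the reply above, as an added example that is not part of the original thread: login state goes into the server-side session, and the remember-me cookie carries a random token whose hash is checked on the server. The function names and the $store array (a stand-in for a database table) are hypothetical; startLoginSession() is meant to be called from the login page inside a web request, after the password check succeeds.

```php
<?php
// Added example: $store stands in for a database table; all names are hypothetical.

// Login state is kept server-side; the browser holds only the session id.
function startLoginSession($username)
{
    session_start();
    session_regenerate_id(true);        // fresh id once the user is authenticated
    $_SESSION['username'] = $username;  // replaces the "loggedin"/"mysite_username" cookies
}

// "Remember Me": issue a random token and store only its hash.
function issueRememberToken(array &$store, $username, $ttl = 1209600)
{
    $token = bin2hex(random_bytes(32));
    $store[$username] = array(
        'hash'    => hash('sha256', $token),
        'expires' => time() + $ttl,
    );
    return $username . ':' . $token;    // value to place in the remember-me cookie
}

// Returns the username when the cookie value matches a live token, otherwise null.
function checkRememberCookie(array &$store, $cookieValue)
{
    $pos = strrpos($cookieValue, ':');
    if ($pos === false) {
        return null;
    }
    $username = substr($cookieValue, 0, $pos);
    $token    = substr($cookieValue, $pos + 1);
    if (!isset($store[$username]) || $store[$username]['expires'] < time()) {
        return null;
    }
    if (!hash_equals($store[$username]['hash'], hash('sha256', $token))) {
        return null;
    }
    unset($store[$username]);           // single use: the caller issues a new token
    return $username;
}

$store  = array();
$cookie = issueRememberToken($store, 'cetanu');
var_dump(checkRememberCookie($store, 'cetanu:TRUE'));  // a value the client made up
var_dump(checkRememberCookie($store, $cookie));        // the value the server issued
var_dump(checkRememberCookie($store, $cookie));        // the same value presented again
```

Only the server-issued value is accepted, and only once; the made-up value and the replay both return null.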

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #22 on: July 01, 2009, 02:25:35 PM »
There's more that is faulty?! :o :D
How would I do this?

mjdamato
Re: Hash Password Help!
« Reply #23 on: July 01, 2009, 02:33:23 PM »
Quote from Cetanu: "I really need to know if these are correctly formatted and stuff so I can re-open my site. Thanks :D"


Cetanu,

I am more than happy to help provide guidance. But, I am not going to test your code for you. YOU need to test the code against your database to ensure it is working correctly. And, no one can categorically state that your code will work with any certainty. I already stated that I didn't see a problem with what you had. Just follow the steps I posted above. But, as I stated you will want to back up your database first before running the process to update current passwords. Then I would test logging in using an existing account to ensure that update process worked. Then lastly test the process of creating a new account and logging in.

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #24 on: July 01, 2009, 02:49:52 PM »
Okay, just...I was afraid for me DB. :-/ Didn't think I did it right is all.

But thanks, I'll back it up and test it. :D

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #25 on: July 01, 2009, 03:10:24 PM »
So I've tested the code, and it will not work. The problem lies in here:

Code:
<?php
$password = $_POST['password'];
$username = $_POST['username'];

function hashPW($password, $username)
{
    return sha1($password.$username);
}
?>

This is the login script, which I'm trying to fix. :D
Code:
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include "function.php";
$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";


$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
    echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
    echo "<a href=log.php>Try again</a>";
    exit;
}
else {
    setcookie("loggedin", "TRUE", time()+(3600 * 24));
    setcookie("mysite_username", "{$_POST['username']}");
    header('Location:http://mythscape.freezoka.com/');
    die();
}
?>

It gives me my error message about not having username and password specified exist....

I tried it with  {} and without them in the function script.

GOOD NEWS: The existing passwords were hashed and the registration script works. Just the login script is broken.
« Last Edit: July 01, 2009, 03:21:10 PM by Cetanu »

mjdamato
Re: Hash Password Help!
« Reply #26 on: July 01, 2009, 03:28:24 PM »
You need to be more specific. What is the EXACT error message and what line is it giving the error on?

In the first block of code above, why are you defining $password & $username?

I did a test and it outputs exactly what I would expect
$_POST['username'] = 'mjdamato';
$_POST['password'] = 'notmyrealpassword';
$table = 'tableName';

function hashPW($password, $username)
{
    return sha1($password.$username);
}

$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";

echo $match;

// Output:
// select id
// from tableName
// where username = 'mjdamato'
//   and password = '032aefab39a2f2ee2b90891d62fd19edcd220802';

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #27 on: July 01, 2009, 03:42:31 PM »
There is no error, the page just goes to login.php and is completely blank. The error I was talking about was from the login.php code:
Code:
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=log.php>Try again</a>";

I cannot define $_POST['username'] or password as "mjdamato" or "notmyrealpassword" because I want that to be gotten from my MySQL server. I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes? I tried a lot just to get this to grab the hashed password from the server and compare it with the typed password, but it was to no avail.
« Last Edit: July 01, 2009, 03:47:23 PM by Cetanu »

mjdamato
Re: Hash Password Help!
« Reply #28 on: July 01, 2009, 03:56:32 PM »
Quote from Cetanu: "I cannot define $_POST['username'] or password as "mjdamato" or "notmyrealpassword" because I want that to be gotten from my MySQL server. I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes? I tried a lot just to get this to grab the hashed password from the server and compare it with the typed password, but it was to no avail."

I'm not suggesting you define the POST values, that was only a test. And, post values do not come from the database, they come from a form post. Are you even sure of what your code does?

Quote from Cetanu: "I defined $username and $password because they weren't defined in the script...and they're supposed to be, yes?"

No. You pass the values to the function and they are defined within the function.

Echo the value of $match to the page to see if the query is being generated as you expect.

Cetanu (Topic starter)
Re: Hash Password Help!
« Reply #29 on: July 01, 2009, 04:02:54 PM »
Well I sort of have an idea what the code's doing, but this is really a learn-as-you-go experience for me. That's what PHP has been so far, and I think I've learned a fair bit.  ;D

I'll see what happens when I echo $match.
Thanks.

EDIT: It does echo what I want it to!
With this:
Code:
<?php

include("config.php");

// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

include ("function.php");
$match = "select id from $table where username = '".$_POST['username']."'
and password = '".hashPW($_POST['password'],$_POST['username'])."';";

echo $match;
?>

So it would have to be something in here:
Code:
...
$qry = mysql_query($match)
or die ("Could not match data because ".mysql_error());
$num_rows = mysql_num_rows($qry);

if ($num_rows <= 0) {
echo "Sorry, there is no username, {$_POST['username']}, with the specified password.<br/>";
echo "<a href=user_login.php>Try again</a>";
exit;
}
else {
setcookie("loggedin", "TRUE", time()+(3600 * 24));
setcookie("mysite_username", "{$_POST['username']}");
header('Location:http://mythscape.freezoka.com/');
die();
}
?>

Right?
« Last Edit: July 01, 2009, 04:10:45 PM by Cetanu »
