
How to add sha1 hash password to LOGIN page


Kayz


Hi guys, I have a script which I've been playing around with thanks to Spiderwell: http://www.phpfreaks.com/forums/index.php?action=profile;u=35078


I have sort of merged it with another 'member management' script which is working great.


Now I can't seem to correctly create a login page to pass the hashed password using (sha1).


Now all I want to do is verify the username and the (hashed) password according to the database and allow the user in. The script I am using to check login works fine without a hashed password in the database. But ideally I'd like to use a hashed form of password.


Can somebody show me what change I need to make in this script below in order to pass a sha1 hashed password? I'm guessing it's a really small change from the examples I've seen online, but I just can't seem to get mine to work. :|


Your help would be much appreciated.


Login Page PHP:


<form name="login" method="post" action="check_login.php3">
<p><strong>Secured Area User Log-in</strong></p>
<p>Username: <input name="bioname" type="text" id="bioname"></p>
<p>Password: <input name="biopass" type="password" id="biopass"></p>
<p> </p>
<p><input type="submit" name="Submit" value="Login"></p>
</form>


Check Login Processor (which is the file that I think needs the sha1 added somewhere):


<?php
require_once('config.php3');

// Connect to the server and select the database.
// (The mysql_* functions used here were removed in PHP 7; mysqli or PDO are the replacements.)
mysql_connect($host, $username, $password) or die("cannot connect");
mysql_select_db($db) or die("Unable to select database");

$loginusername = false;
$loginpassword = false;

$err = false; // default error message is empty

// The username and password sent from login.php
// isset() means: if the field is there, read it, otherwise leave the default
if (isset($_POST['bioname'])) $loginusername = $_POST['bioname'];
if (isset($_POST['biopass'])) $loginpassword = $_POST['biopass'];

// If either isn't filled in, tell the user (a very basic bit of validation)
if (!$loginusername || !$loginpassword) $err = "please complete the form";

if (!$err) // if no error, continue
{
    // The following escaping protects the query from SQL injection
    $loginusername = stripslashes($loginusername);
    $loginpassword = stripslashes($loginpassword);
    $loginusername = mysql_real_escape_string($loginusername);
    $loginpassword = mysql_real_escape_string($loginpassword);

    // You could add other checks here, e.g. allow only certain characters

    $sql = "SELECT * FROM $tbl WHERE bioname='$loginusername' AND biopass='$loginpassword'";

    $result = mysql_query($sql);
    // Count how many rows matched
    $count = mysql_num_rows($result);

    // Exactly one match means the credentials are correct
    if ($count == 1)
    {
        session_start();
        $_SESSION['user'] = $loginusername; // store session data
        // Note that the session variable name is generic, not per user; otherwise you would
        // need a different version of this page for every user. It's the value stored that
        // matters, not what the variable is called.
        header("Location: {$loginusername}/index.php3");
        exit; // stop the script once the redirect has been sent
    }
    else
    {
        $err = "Wrong Username or Password";
    }
} // end login if statement

if ($err) // show error message if there is one
{
    echo $err;
    echo "<br>Please go back in your browser and try again";
}
?>


The secure page:


<?php
session_start();

$mypath = $_SERVER["REQUEST_URI"];
//echo $mypath; // for debugging
// Now we have the path, check that the username is in it, i.e. test2 is inside /something/test2/index.php
// strpos() returns the position of the first occurrence of the needle inside the haystack, or false if
// it isn't there. A match at position 0 returns 0, which would be treated as "not found" in a plain
// if(), so compare against false with !== instead.
// http://php.net/manual/en/function.strpos.php

// The slashes around the username stop /test/ matching inside /test2/ (on testing, username "test" was
// found in path /test2/ without them).
if (isset($_SESSION['user']) && strpos($mypath, "/" . $_SESSION['user'] . "/") !== false)
{
    echo "congratulations you are the right person in the right place";
}
else
{
    session_destroy(); // kill the session, somebody is trying to reach a page that isn't theirs
    header("Location: ../login.php3");
    die(); // stop the page executing any further
}
?>

<html>
<body>


</body>
</html>


Thanks and I look forward to your replies.
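The change the question asks for, as an added example rather than the poster's or Spiderwell's code: the login processor rewritten so that the biopass column holds sha1() of the password and the comparison happens in PHP. It assumes the same config.php3 variables ($host, $username, $password, $db, $tbl) and form field names as the thread's script, uses mysqli with a prepared statement in place of the mysql_* calls (which were removed in PHP 7), and needs PHP 5.6 or later for hash_equals().

```php
<?php
// check_login.php3, added example: verify a SHA-1 hashed password.
// Assumes config.php3 defines $host, $username, $password, $db and $tbl as in the
// original script, and that whatever creates the accounts stores sha1($plain) in biopass.
require_once('config.php3');

session_start();

$mysqli = new mysqli($host, $username, $password, $db);
if ($mysqli->connect_error) {
    die('cannot connect');
}

$loginusername = isset($_POST['bioname']) ? $_POST['bioname'] : '';
$loginpassword = isset($_POST['biopass']) ? $_POST['biopass'] : '';
$err = false;

if ($loginusername === '' || $loginpassword === '') {
    $err = 'please complete the form';
}

if (!$err) {
    // Look the user up by name only. The password never goes into the query
    // string; the prepared statement replaces the escaping in the original.
    $stmt = $mysqli->prepare("SELECT biopass FROM $tbl WHERE bioname = ? LIMIT 1");
    if ($stmt === false) {
        die('query failed');
    }
    $stmt->bind_param('s', $loginusername);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();   // null when no row matched
    $stmt->close();

    // This is the one change the question asks for: hash the submitted password
    // with sha1() and compare it to the stored hash. hash_equals() compares in
    // constant time so the comparison itself leaks nothing about the stored value.
    if ($found && hash_equals($storedHash, sha1($loginpassword))) {
        session_regenerate_id(true);          // fresh session id after a successful login
        $_SESSION['user'] = $loginusername;
        // Same redirect as the original; the username is URL-encoded for the path.
        header('Location: ' . rawurlencode($loginusername) . '/index.php3');
        exit;                                 // nothing else should run after the redirect
    }
    // One message for both "no such user" and "wrong password", so the page
    // does not reveal which usernames exist.
    $err = 'Wrong Username or Password';
}

if ($err) {
    echo htmlspecialchars($err);
    echo '<br>Please go back in your browser and try again';
}
```

The login form and the secure page from the post work unchanged with this file; the only other piece that has to agree is the registration script, which must write sha1($plain) into biopass rather than the plain password.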


Sorry to dump on everything you've done so far, but you probably want to implement the article in my signature for securing passwords. It's much more secure than simply using a hash function to obfuscate passwords.


Sorry to dump on everything you've done so far, but you probably want to implement the article in my signature for securing passwords. It's much more secure than simply using a hash function to obfuscate passwords.


Thanks, I have had a quick read and it's pretty much something I am already aware of. The user management script I am using already has sha1 implemented with salt, I believe. Ideally I would have liked to use sha512 with salt and blowfish. But since it's still early stages I am trying to work with what I have before I embark on spending more time understanding hashing and then ultimately implementing a better hash.


It's the same basic principles.


You don't really need to 'understand' hashing beyond that it takes an input and creates an irreversible 'fingerprint' of it. Beyond that, the different flavors only vary in speed and size of output. In this case, you want a very slow algorithm. In the event that your hashes become available, the slower the method, the longer it will take to brute force. Understanding much beyond that becomes more mathematics than programming.


That's all the article really covers, as well as providing a class with a nice, slow hash and the code to basically implement it. Pretty much, SHA/MD/etc. weren't designed for one-way password hashing, so why use them for it?


The majority of the article is implementation anyways, which is exactly what you're doing.
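What the reply means by a slow, purpose-built password hash, as an added example (not the linked article's class and not the poster's code): PHP's built-in password_hash() and password_verify() (PHP 5.5 and later), which use bcrypt, the Blowfish-based scheme the poster mentions, with a per-password random salt and an adjustable cost. The benchmark loop, the sample password and the sha1 migration helper are constructed for illustration; the function names and the cost value are assumptions, not anything from the thread.

```php
<?php
// Added example: a slow, salted password hash with PHP's password_* API, plus the
// two things a login page built on it needs: verification and transparent upgrade.

// Hash a new password. Each call picks a fresh random salt, so two users with the
// same password get different hashes. Cost 12 means 2^12 bcrypt rounds (assumed value).
function make_password_hash($plain, $cost = 12)
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Verify a login attempt. Returns false on failure; on success returns the hash to
// keep in the database, which is the stored one unless the cost has since been raised,
// in which case the password is rehashed while we still have the plaintext.
function check_password($plain, $storedHash, $cost = 12)
{
    if (!password_verify($plain, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return make_password_hash($plain, $cost);
    }
    return $storedHash;
}

// Migration from the thread's sha1 column: keep the old value until the user next
// logs in, confirm it with sha1(), and return a bcrypt hash to store in its place.
function upgrade_from_sha1($plain, $storedSha1)
{
    if (!hash_equals($storedSha1, sha1($plain))) {
        return false;
    }
    return make_password_hash($plain);
}

// Seconds taken by one bcrypt hash at the given cost (constructed benchmark input).
function time_bcrypt($cost)
{
    $start = microtime(true);
    password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// Demo with a constructed password.
$hash = make_password_hash('correct horse battery staple');
echo "stored hash: $hash\n";
echo "right password: ", var_export(check_password('correct horse battery staple', $hash) !== false, true), "\n";
echo "wrong password: ", var_export(check_password('wrong password', $hash) !== false, true), "\n";

// The reply's point in numbers: sha1 is built to be fast, bcrypt is built to be slow,
// and the cost parameter lets you keep it slow as hardware improves.
foreach ([10, 12] as $cost) {
    printf("bcrypt cost %d: %.3f s per hash\n", $cost, time_bcrypt($cost));
}
$iterations = 100000;
$start = microtime(true);
for ($i = 0; $i < $iterations; $i++) {
    sha1('benchmark-only');
}
printf("sha1: %.6f s per hash\n", (microtime(true) - $start) / $iterations);
```

Dropping this into the thread's login processor means storing the value returned by make_password_hash() in biopass at registration, calling check_password() with the fetched hash instead of comparing sha1() output, and writing the returned hash back whenever it differs from the stored one.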
