0

I have been messing around with password encryption in PHP and at first I was using the MD5 function to save the passwords in a database, but I ran into trouble logging in. I then tried the hash function and again I had trouble logging in.

The way I was attempting to do this was to have the password encrypted when the account is made, and then every time someone logs in, the password is encrypted again using the same method and then this checks the database to see if the encrypted passwords match. I can create an account fine and it seems that whenever I create an account with the same password, the hashes are the same so I am assuming that they don't change each time (I have little knowledge on encryption and hashes).

This is my current new user creation snippet:

<?php

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "NewUser")) {
  $insertSQL = sprintf("INSERT INTO users (username, password, name) VALUES (%s, %s, %s)",
                       GetSQLValueString($_POST['username'], "text"),
                       GetSQLValueString(hash("sha512",$_POST['password']), "text"),
                       GetSQLValueString($_POST['name'], "text"));

  mysql_select_db($database_ReallyGoodPieConnection, $ReallyGoodPieConnection);
  $Result1 = mysql_query($insertSQL, $ReallyGoodPieConnection) or die(mysql_error());

?>

And this is my login snippet:

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $password = hash("sha512", $password);
  print $password;
  $MM_fldUserAuthorization = "permissions";
  $MM_redirectLoginSuccess = "index.php";
  $MM_redirectLoginFailed = "login.php";
  $MM_redirecttoReferrer = true;
  mysql_select_db($database_ReallyGoodPieConnection, $ReallyGoodPieConnection);

  $LoginRS__query=sprintf("SELECT username, password FROM users WHERE username=%s AND password=%s",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")

Can anyone help me understand why the actual login is failing. I am using the exact same password for creation and login (obviously) and using the same encryption methods. This is really confusing me.

GoodPie
  • 967
  • 3
  • 23
  • 41
  • 1
    Don't get confused between hashing and encryption, [they are different things](http://stackoverflow.com/questions/4948322/fundamental-difference-between-hashing-and-encryption-algorithms). – naththedeveloper Aug 01 '13 at 07:03
  • The stack overflow question http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords?rq=1 have a lot of good reading on passwords in PHP – dan.p Aug 01 '13 at 07:04
  • @FDL Ok, thanks. like i said my knowledge on this stuff isn't that great – GoodPie Aug 01 '13 at 07:05
  • 1
    It seems your login snippet isn't complete. There is no actual comparision between the submitted password and the stored hash. – dan.p Aug 01 '13 at 07:11
  • Sorry, I will add the rest. I was only demonstrating the hashing methods. – GoodPie Aug 01 '13 at 07:12

3 Answers3

2

"I can create an account fine and it seems that whenever I create an account with the same password, the hashes are the same so I am assuming that they don't change each time"

Of course it has to be like that. It would be a bad thing if the encrypted hash for the same string would be change everytime, wouldn't it? :)

Users wouldn't be able to use their password more than one time then. It's completely okay.

Also consider salting your password. That means: generate a random hash and store it in your database with the user.

When logging in you're not only check against the password hash, but also against the salt.

That'll improve security a lot more.

thpl
  • 5,810
  • 3
  • 29
  • 43
  • Do you know why the actual login is failing though? It is the exact same password entered in the login process and the create account process and I'm using the same encryption methods :S. – GoodPie Aug 01 '13 at 07:03
  • can you provide the hashes of a sample password that is stored in your database and the hash resulting from the input in your input field? Make sure the value of the password input field is not getting manipulated it any way. – thpl Aug 01 '13 at 07:25
2

First, as i commented on your question, Secure hash and salt for PHP passwords have a lot of relevant information.

To extract some kind of "start here and do this":

It is very easy to use PHPass and there is a simple and easy-to-follow tutorial Here

Community
  • 1
  • 1
dan.p
  • 406
  • 2
  • 7
0

You might want to take a look at this. Instead of using sprintf(); try to use:

$insertSQL = "INSERT INTO users (username, password, name) 
VALUES ('".GetSQLValueString($_POST['username'], "text")."',
'".GetSQLValueString(hash("sha512",$_POST['password']),"text")."',
'".GetSQLValueString($_POST['name'], "text")."')";

Now check if you have successfully inserted the values.

I strongly suggest that you use mysqli_* or PDO.

Community
  • 1
  • 1
Mark
  • 8,046
  • 15
  • 48
  • 78