0

So I have this really weird problem. I have a login script and you type in a username and password. Once the password is posted I sha1 it with the PHP function sha1() and compare that to the sha1 version in the database. If they match it logs in. That part works fine. Now I have the same functionality for a mobile version, but it uses a different form and a different URL. After you type in the password I do all the exact same steps, but the sha1 hash that is posted is different than the sha1 hash in the database. I know I type them in exactly the same each time, so I don't see why the two values would be different. This is only true for some username / password combinations. Am I missing something??

Bill
  • What do you mean by a "mobile version"? –  Mar 06 '11 at 21:45
  • 1
    Check to make sure the strings are _actually_ what you expect before you hash them. A hash function cannot return different results for the same input. – Andrew Marshall Mar 06 '11 at 21:46
  • 1
    Got any code to show? Are you sure that the sha1-function isn't applied twice? etc etc. – PatrikAkerstrand Mar 06 '11 at 21:47
  • Are both mobile and web versions using the same login PHP script? Same field names? – Dimitry Mar 06 '11 at 21:48
  • Watch out for invisible characters, such as trailing returns. Try a trim() on the strings before shaing them – Mark Baker Mar 06 '11 at 21:49
  • By mobile I mean optimized for phones, so a minimal design, different CSS etc. I added the code. I just copied the PHP script from one part of the code to the mobile section, so it's technically the same code. I'm sure I don't sha1 twice because if I use 1 username / password combo it works fine, but if I use another username / password combo the sha1 is different – Bill Mar 06 '11 at 21:52
  • I tried doing trim before I did sha1, and then none of them worked. I took that out, and for some reason it's working now. Not sure why... Thanks. – Bill Mar 06 '11 at 21:57
  • shouldn't need two copies (easier to edit\debug), just one function called by each version –  Mar 06 '11 at 22:10

2 Answers

4

There is no reason for the same text to produce different sha1 values.

I suggest you log the real password values before the sha1 is generated to debug the problem.

I suspect that you may be entering passwords with different case or that are padded with spaces or other characters for some reason.

mlemos
0

I've had this problem and I could not trace it. It turns out that enclosing the input string in single quotes yields different results than enclosing it in double quotes.

Also watch out for different encoding issues.

Example

$str = "test=!$E0";
$enc = mb_detect_encoding($str, "UTF-8,ISO-8859-1");
echo strtoupper(sha1(iconv($enc, "UTF-8",$str)));

04CDF156D64CC4B51E1DC7E5A852F9177102EBE7

$str = 'test=!$E0';
$enc = mb_detect_encoding($str, "UTF-8,ISO-8859-1");
echo strtoupper(sha1(iconv($enc, "UTF-8",$str)));

44372F3C82A4AAD84748AE5ECB8F6C7313DA6C65

Very annoying

Nikos Tsagkas
  • '$E0' in double-quotes will be treated as a variable. `echo "test=!$E0" == 'test=!$E0';` will generate `Notice: Undefined variable: E0` see https://stackoverflow.com/questions/3446216/what-is-the-difference-between-single-quoted-and-double-quoted-strings-in-php Removing `$` from `test=!$E0` and you will get the same hash – MagePal Extensions Apr 19 '20 at 14:22
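
A diagnostic along the lines both answers suggest, as an added example that is not part of the original thread: it reports byte length, encoding and stray whitespace for a submitted value instead of logging the plaintext, with one byte-level cause per row. The helper names `describe_input()` and `to_utf8()` are hypothetical, all sample values are constructed, and the ISO-8859-1 fallback is an assumption.

```php
<?php
// Added example. describe_input() and to_utf8() are hypothetical helper names;
// every sample value below is constructed for illustration.

// Report properties of a submitted value without writing the plaintext to a log.
function describe_input(string $s): array
{
    return [
        'bytes'      => strlen($s),                          // raw byte count
        'valid_utf8' => mb_check_encoding($s, 'UTF-8'),
        'non_ascii'  => preg_match('/[^\x00-\x7F]/', $s) === 1,
        'edge_ws'    => $s !== trim($s),                     // leading/trailing whitespace or NUL
        'sha1'       => sha1($s),
    ];
}

// Assumption: input that is not valid UTF-8 was sent as ISO-8859-1.
function to_utf8(string $s): string
{
    return mb_check_encoding($s, 'UTF-8')
        ? $s
        : mb_convert_encoding($s, 'UTF-8', 'ISO-8859-1');
}

$samples = [
    'baseline'           => 'secret',
    'trailing newline'   => "secret\n",
    'different case'     => 'Secret',
    'e-acute as UTF-8'   => "caf\xC3\xA9",
    'e-acute as Latin-1' => "caf\xE9",
    'single-quoted $E0'  => 'test=!$E0',
    // What "test=!$E0" becomes once PHP interpolates the undefined variable $E0.
    'double-quoted $E0'  => 'test=!',
];

foreach ($samples as $label => $value) {
    $d = describe_input($value);
    printf(
        "%-20s bytes=%-2d utf8=%-3s non_ascii=%-3s edge_ws=%-3s sha1=%s\n",
        $label,
        $d['bytes'],
        $d['valid_utf8'] ? 'yes' : 'no',
        $d['non_ascii'] ? 'yes' : 'no',
        $d['edge_ws'] ? 'yes' : 'no',
        $d['sha1']
    );
}

// Normalising the encoding before hashing makes the two e-acute rows agree.
var_dump(sha1(to_utf8("caf\xE9")) === sha1("caf\xC3\xA9"));
```

Running the same report on both the desktop and the mobile login path shows which property differs for the accounts that fail.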