4 Replies - 727 Views - Last Post: 27 February 2012 - 10:45 AM Rate Topic: -----

#1 Mycah  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 11
  • Joined: 07-February 12

Encrypting...

Posted 26 February 2012 - 11:48 PM

Hello

I have a question that I assume will have a relatively easy answer, but cannot find the answer to on my own.

I'm making a login script. This is the validating code:
<?php 
	session_start();
	// Connecting to the database
	include 'mysql.php'; 
	mysql_connect("$host", "$username", "$password")or die("There was an error when attempting to establish a connection with the database."); 
	mysql_select_db("$database")or die("There was an error selecting the news system database.");
	
	// Sanitize input to prevent injections
	$username = stripslashes($_POST['username']);
	$password = stripslashes($_POST['password']);
	$username = mysql_real_escape_string($username);
	$password = mysql_real_escape_string($password);
	// Encrypt the password so real input isn't stored in the cookie
	$password = sha1($password);
	
	// Perform the SQL queries
	$sql="SELECT * FROM $login_table WHERE username='$username' and password='$password'";
	$result=mysql_query($sql);
	// Count how many results were found
	$count=mysql_num_rows($result);
	
	// If the count was 1, create session
	if ($count == 1) {
			$_SESSION["valid_user"] = $_POST["username"];
			$_SESSION["valid_time"] = time();
			$_SESSION["valid_pw"] = $password;
			Header("Location: admin.php");
		} else {
			die("Invalid login.");
			}
?>


When the password is encrypted with sha1, it cannot find it in the datebase. When it is plain text, it does. The password IS encrypted in the database using sha1('password').

Why can it not find it??

Is This A Good Question/Topic? 0
  • +

Replies To: Encrypting...

#2 e_i_pi  Icon User is offline

  • = -1
  • member icon

Reputation: 801
  • View blog
  • Posts: 1,700
  • Joined: 30-January 09

Re: Encrypting...

Posted 27 February 2012 - 01:00 AM

At a glance, I'd say that you should probably encrypt the password as sha1() before you use mysql_real_escape_string() on it, otherwise escape characters will be encrypted also, leading to a potential mismatch on special characters.

You might want to check the data type of the password field in the database, as it may not be saving the sha1 characters, but I think my first suggestion may get you somewhere.
Was This Post Helpful? 0
  • +
  • -

#3 JackOfAllTrades  Icon User is offline

  • Saucy!
  • member icon

Reputation: 6112
  • View blog
  • Posts: 23,672
  • Joined: 23-August 08

Re: Encrypting...

Posted 27 February 2012 - 04:26 AM

This is from one of those not-so-great tutorials out there on the Internet; we see this all the time.

1. What you're doing is not encrypting, but hashing. Encryption is a two-way process; hashing is one-way.
2. You do not need to use mysql_real_escape_string on the result of a hashing operation, as it's going to contain a hex string which will not need any escaping as a result of said operation.
3. You should be salting your hash before saving in the database to prevent rainbow attacks.
4. This:

$sql="SELECT * FROM $login_table WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);


is overkill and lacks error trapping. If all you want is a count of rows all you need to do is:

$sql="SELECT COUNT(*) FROM $login_table WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
if (!$result)
{
    die("Query $sql failed: " . mysql_error());
}
$count=mysql_result($result, 0);


If the plaintext password is matching your database's password field, I'd say it's NOT saving in the DB as SHA1. Show us the contents of a password field, as well as the datatype of said field.

EDIT:
// Encrypt the password so real input isn't stored in the cookie


Do NOT store any sort of password data in a cookie, EVEN hashed!
Was This Post Helpful? 2
  • +
  • -

#4 E_Geek  Icon User is offline

  • D.I.C Head
  • member icon

Reputation: 45
  • View blog
  • Posts: 236
  • Joined: 20-February 11

Re: Encrypting...

Posted 27 February 2012 - 04:29 AM

I know this doesn't help your immediate problem, but I'm attempting to alleviate a larger issue with your system.

The fact that encryption can be reversed is exactly why it should never be used to store passwords, as their is never a reason for you to access a users plan text password. Instead you should Hash the users password, and each time they login, hash the password given and compare the values.

For extra security you should also Salt your passwords before hashing them, or salt the hash, or some other secretly entwined web or additions.

For methods on how to do this, I have a tutorial for creating a user authentication class that can be found Here.

** This class could do with a bit of optimising, which I will do eventually, I gave very little thought to the example database design, and their is no removal of logged in users based on a time frame, but it still works and is effective. **
Was This Post Helpful? 0
  • +
  • -

#5 Mycah  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 11
  • Joined: 07-February 12

Re: Encrypting...

Posted 27 February 2012 - 10:45 AM

Thanks for the comments.

JackOfAllTrades, would I include an else statement on that to start the session??

e_i_pi, this makes sense, I've taken that out and changed it to simply:
	$password = sha1($_POST['password']);
c

E_Geek, thank you for the link to the tutorial. I've scanned it and will try implementing your technique later today when I have some time to concentrate on it.
Was This Post Helpful? 0
  • +
  • -

Page 1 of 1