Help returning encrypted password from database

30 Replies - 2467 Views - Last Post: 24 July 2012 - 09:13 PM

#16 mccabec123

Posted 24 July 2012 - 06:03 AM

Duckington, on 24 July 2012 - 05:34 AM, said:

So...the password is stored properly when you look at it in the DB, but when you print it out in the PHP script you find it's wrong? Is that the state of play at the moment?

I'm assuming the characters you posted simply aren't rendering correctly in this forum, or does it actually contain all those unknown symbols and question marks?

A few other things you could try, if you haven't already:

- Ensuring the php script sends the header to set the correct charset (Try copy pasting from the DB and printing it out as a string in the script, see if that works. If it does, then we know it's a problem with the actual retrieval of info from the DB, as opposed to the characters themselves).

- Set the default character set in your my.cnf file [link]

- Change the collation of your whole table and see if that makes a difference


No, the forum is showing it correctly. That's exactly how it's outputting.

I tried everything that you suggested just there, but with no joy :/

If you're right about the outputting of the string then it's to do with the DB because the string outputs correctly from the PHP but displays incorrectly from the PDO database retrieval.

This is an absolute nightmare :/

This post has been edited by mccabec123: 24 July 2012 - 06:05 AM

#17 Duckington

Posted 24 July 2012 - 07:35 AM

Interesting.

Forgetting PDO for a minute (only a minute), does it display properly if you just do a mysql_query() to select it?

If so, then at least we can narrow it down to the PDO functions/scripts themselves and go from there.
If not, then we need to look a bit more at your database I think. Could you post a copy of the table for example, so that we can try it out ourselves? Or is it sensitive data?

#18 CTphpnwb

Posted 24 July 2012 - 07:51 AM

And if it's sensitive data, can you make something up and test it? Doing so might point you right to the solution, and if it doesn't we'll have more to go on.

#19 mccabec123

Posted 24 July 2012 - 08:02 AM

No no, it's not sensitive data as it stands, it's still in the early stages of development, this is merely the login I'm doing at the moment, but I did not expect such issues. All the data is test data.

Here's a screenshot of the database in PHPMyAdmin:

Posted Image

#20 Duckington

Posted 24 July 2012 - 09:45 AM

I meant a little more along the lines of, can you export your table into some SQL that we can run, so we can create the exact table you have. Along with the data you've got in it.

#21 CTphpnwb

Posted 24 July 2012 - 09:51 AM

This works for me:
<?php
// Connection settings for a local test database
$dsn = "mysql:host=localhost;dbname=test";
$pdo_username = "root";
$pdo_password = "root";
$pdo = new PDO($dsn, $pdo_username, $pdo_password);

$username = "SomeUser";
$password = "testing123";

// Derive a 32-byte key from the password (raw binary output)
$pass = pbkdf2($password, "butterScotch", 1000, 32);
store_pass($username, $pass, $pdo);

// Call-time pass-by-reference (&$pdo in the call) is a fatal error since PHP 5.4
$db_password = retreive_pass($username, $pdo);

// Strict comparison avoids PHP's loose type juggling between strings
if($pass !== $db_password) {
	echo "There was a problem:<br>";
} else {
	echo "It worked!<br>";
}
echo "Original password: ".$pass."<br>";
echo "Password retrieved from table: ".$db_password."<br>";


// Insert or overwrite the row for this user
function store_pass($user, $pwd, &$pdo) {
	$query = "REPLACE INTO user (`username`, `password`) VALUES (?, ?)";
	$store = $pdo->prepare($query);
	$store->execute(array($user,$pwd));
}

// Return the stored value for this user, or null if there is no such row
function retreive_pass($username, &$pdo) {
	$query = "SELECT `password` FROM user WHERE `username`= ? LIMIT 1";
	$read = $pdo->prepare($query);
	$read->execute(array($username));
	$ret = null;
	foreach($read as $pass)
		$ret = $pass['password'];
	return $ret;
}

// PBKDF2: $p password, $s salt, $c iteration count, $kl key length in bytes, $a hash algorithm
function pbkdf2( $p, $s, $c, $kl, $a = 'sha256' ) {

	$hl = strlen(hash($a, '', true));   # Hash length
	$kb = ceil($kl / $hl);              # Key blocks to compute
	$dk = '';                           # Derived key

	# Create key
	for ( $block = 1; $block <= $kb; $block ++ ) {

		# Initial hash for this block
		$ib = $b = hash_hmac($a, $s . pack('N', $block), $p, true);

		# Perform block iterations
		for ( $i = 1; $i < $c; $i ++ )

			# XOR each iterate
			$ib ^= ($b = hash_hmac($a, $b, $p, true));

		$dk .= $ib; # Append iterated block
	}

	# Return derived key of correct length
	return substr($dk, 0, $kl);
}
?>

Notice how I've kept the HTML to a minimum. Working in one language at a time makes things easier to see. Then there's that function thing helping out too!

#22 Dormilich

Posted 24 July 2012 - 09:55 AM

Question: what data type is the password field? � is the character used for "invalid character" or "cannot display bytecode as character" (once that is unavailable (U+FFFD) ? is a suitable replacement). and if I understand PBKDF2 right, it returns a bitstream, which may not be represented by characters. judging from that the data upload may have already failed.

EDIT: @CT: objects are always passed by reference, hence no need to use &$pdo.

EDIT2: on the most recent system you can use hash_pbkdf2()

This post has been edited by Dormilich: 24 July 2012 - 10:04 AM

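Dormilich's point in post #22, that PBKDF2 returns raw bytes which a text column may not hold, as an added example that is not part of the thread. It uses hash_pbkdf2() with the salt, iteration count and key length from post #21; the function name verify_password and the latin1-to-UTF-8 conversion used to imitate a charset mismatch are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Parameters are those of post #21.
$password   = "testing123";
$salt       = "butterScotch";
$iterations = 1000;
$keyBytes   = 32;

// Raw PBKDF2 output: 32 arbitrary bytes, not text.
$raw = hash_pbkdf2("sha256", $password, $salt, $iterations, $keyBytes, true);

// Arbitrary bytes are almost never a valid UTF-8 string, which is why a
// browser renders them with U+FFFD and a text column may not keep them intact.
printf("raw length: %d bytes, valid UTF-8: %s\n",
    strlen($raw), mb_check_encoding($raw, "UTF-8") ? "yes" : "no");

// Constructed stand-in for a charset mismatch between PHP and the database:
// the bytes are treated as latin1 and re-encoded as UTF-8, so the result
// differs from $raw whenever any byte is >= 0x80.
$mangled = mb_convert_encoding($raw, "UTF-8", "ISO-8859-1");
printf("length after re-encoding: %d bytes, still equal: %s\n",
    strlen($mangled), hash_equals($raw, $mangled) ? "yes" : "no");

// Text-safe form for a CHAR(64) column: 64 ASCII hex characters.
// (Storing $raw unchanged would need a binary column type such as BINARY(32).)
$stored = bin2hex($raw);
printf("stored value: %s\n", $stored);

// Hypothetical helper: recompute the key for a login attempt and compare it
// with the stored one in constant time.
function verify_password(string $candidate, string $storedHex,
                         string $salt, int $iterations): bool
{
    // Reject anything that is not well-formed hex before decoding it.
    if (!ctype_xdigit($storedHex) || strlen($storedHex) % 2 !== 0) {
        return false;
    }
    $expected = hex2bin($storedHex);
    $actual = hash_pbkdf2("sha256", $candidate, $salt, $iterations,
                          strlen($expected), true);
    return hash_equals($expected, $actual);
}

// One correct and one wrong candidate against the stored hex value.
var_dump(verify_password("testing123", $stored, $salt, $iterations));
var_dump(verify_password("testing124", $stored, $salt, $iterations));
```

The fixed salt only mirrors post #21; a deployed system would generate a random salt per user (for example with random_bytes()) and store it beside the hash.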

#23 CTphpnwb

Posted 24 July 2012 - 10:19 AM

Are they always? I suppose it's better to rely on the interpreter to make the right choice, but still I wonder if it might pass a copy.

#24 Dormilich

Posted 24 July 2012 - 10:24 AM

yepp, as of PHP5, objects are always referenced. cf. http://www.php.net/m....references.php

#25 CTphpnwb

Posted 24 July 2012 - 10:32 AM

Yes, I had read (partially) that before. I guess back then I stopped at

Quote

"objects are passed by references by default". This is not completely true.
and thought, better safe than sorry. I never thought they might make a distinction between a reference and an alias. Heck, on OS X an alias is a file that references another file. ;)

#26 magius96

Posted 24 July 2012 - 11:02 AM

Just a thought, but I don't pull the encrypted password back from the database...instead, I use the sql statement itself to compare an encrypted version of what was provided with what's in the database.

select * from table where passwordfield = encryptedpasswordfromform and username = usernamefromform

if it returns anything you've got a match, if not, then it's access denied city.

#27 Dormilich

Posted 24 July 2012 - 11:17 AM

just that you wouldn’t use SELECT * but rather SELECT COUNT(*).

#28 mccabec123

Posted 24 July 2012 - 04:26 PM

Okay, I've managed to get the encrypted characters to display correctly when I output them, it was to do with an error I had made on my PDO initialisation. But for some reason when I compare the two strings of hashed passwords, it gives an error, even though the two strings it outputs are identical :S This has been the biggest pain in my ass, I can't believe how much bother I'm having with this, it's ridiculous :S I thought I was better than this, not sure what's going on, completely lost faith in myself :(

#29 mccabec123

Posted 24 July 2012 - 04:54 PM

Okay, I've given up on pbkdf2(), and decided to try crypt() and it's all working perfectly. Just wondering what everyone's opinion on the crypt hashing function in PHP is like? Is it safe enough? Or is it a no go?

#30 CTphpnwb

Posted 24 July 2012 - 05:09 PM

Did you try my code from post #21? With minor changes (user names, passwords, database, table) you should be able to get that working. If it does work on your system then it should be easy to apply the functions to your code.