Salt and sha1 -- passing information in a session

tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

I have one page that has this on it:

Code:

<?php
session_start();
$code='1234';

define('HASH_LEN',25); 
$enc_code_salt = substr(sha1(time()),HASH_LEN); 
$enc_code_ready = $enc_code_salt . sha1( $enc_code_salt . $enc_code_ready); 
$enc_code = $enc_code_ready;
$_SESSION['code'] = $enc_code;
?>
And then I have a page with this on it:

Code:

<?php 
$s_code = $_SESSION['code'];
$scode = $_POST['scode'];

$dec_code_ready = $scode;

define('HASH_LEN',25); 

$dec_code_salt = substr($security_code,HASH_LEN); 
$dec_code = $dec_code_salt . sha1( $dec_code_salt . $dec_code_ready);
$dec_code = md5($dec_code);

if($dec_code != $security_code){
	return "Invaild Security Code";
	session_unregister('code'); 
	exit;
} 

?>
How come every time I run this it returns "Invaild Security Code"... no matter what! I know I am entering the right code!
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

For starters, there is no variable defined as $security_code in the script that I can see; you're probably meaning to use $s_code instead.

I'm assuming you're somehow passing a value to the script with $_POST['scode'], where you're simulating a login. Make certain the value of the $_POST array is coming across as well.

The other big glaring problem I see is that you run md5() on the returning hash. You don't do this in the original script, so regardless of what variable assignments you have, the script logic will never work. You either have to use md5() in the first script, or get rid of it in the second.


A tip to avoid these issues: don't crowd the namespace with a ton of variables. In both scripts you have reassigned variables; in a couple of instances you do it twice. For example, there is no reason to do

Code:

$enc_code_ready = $enc_code_salt . sha1( $enc_code_salt . $enc_code_ready);
$enc_code = $enc_code_ready;
$_SESSION['code'] = $enc_code;
when you can simply do

Code:

$_SESSION['code'] = $enc_code_salt . sha1( $enc_code_salt . $enc_code_ready);
There is something to readability, so sometimes reassigning values to an alternately named variable can help, but I just don't find a lot of use for it.
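
An added example (not code from either poster): the salt-prefix scheme from the thread with the storing side and the checking side following the same steps, so the comparison can succeed. The function names, `SALT_LEN`, the `random_bytes()` salt and the `hash_equals()` comparison are assumptions of this example; `sha1()` is kept only to match the thread.

```php
<?php
// Added example: both sides build "salt . sha1(salt . code)" the same way.
// make_token(), check_code() and SALT_LEN are names assumed for this sketch.
const SALT_LEN = 25;

// Storing side: returns the value to keep in the session.
function make_token(string $code): string
{
    // 25 hex characters from the CSPRNG (the thread derived its salt from time()).
    $salt = substr(bin2hex(random_bytes(13)), 0, SALT_LEN);
    return $salt . sha1($salt . $code);
}

// Checking side: pull the salt back out of the stored value and recompute.
function check_code(string $stored, string $submitted): bool
{
    // sha1() returns 40 hex characters; anything else is a missing or
    // malformed session value and must fail closed.
    if (strlen($stored) !== SALT_LEN + 40) {
        return false;
    }
    // The salt is the FIRST SALT_LEN characters: substr($s, 0, SALT_LEN).
    // substr($s, SALT_LEN) would return everything after them instead.
    $salt = substr($stored, 0, SALT_LEN);
    // Same transformation as make_token(), with no extra md5() on top.
    $expected = $salt . sha1($salt . $submitted);
    // Constant-time string comparison.
    return hash_equals($stored, $expected);
}

// Constructed demo values; $session stands in for $_SESSION so the script
// runs from the command line without a web server.
$session = ['code' => make_token('1234')];

var_dump(check_code($session['code'], '1234')); // matching code
var_dump(check_code($session['code'], '4321')); // wrong code
var_dump(check_code('', '1234'));               // session value missing
```

In a real page pair, both scripts call `session_start()` before touching `$_SESSION`, and the checking script unsets `$_SESSION['code']` before it exits on a failed check.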
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

ok. thanks