
Salt and sha1 -- passing information in a session

Posted: Sat Jun 03, 2006 10:22 pm
by tecktalkcm0391
I have one page that has this on it:

Code:

<?php
session_start();
$code='1234';

define('HASH_LEN',25); 
$enc_code_salt = substr(sha1(time()),HASH_LEN); 
$enc_code_ready = $enc_code_salt . sha1( $enc_code_salt . $enc_code_ready); 
$enc_code = $enc_code_ready;
$_SESSION['code'] = $enc_code;
?>
And Then I have a page with this on it:

Code:

<?php
$s_code = $_SESSION['code'];
$scode = $_POST['scode'];

$dec_code_ready = $scode;

define('HASH_LEN',25);

$dec_code_salt = substr($security_code,HASH_LEN);
$dec_code = $dec_code_salt . sha1( $dec_code_salt . $dec_code_ready);
$dec_code = md5($dec_code);

if($dec_code != $security_code){
	session_unregister('code');
	return "Invalid Security Code";
	exit;
}

?>
How come every time I run this it returns "Invalid Security Code"... no matter what! I know I am entering the right code!

Posted: Sat Jun 03, 2006 10:45 pm
by bdlang
For starters, there is no variable defined as $security_code in the script that I can see, you're probably meaning to use $s_code instead.

I'm assuming you're somehow passing a value to the script with $_POST['scode'], where you're simulating a login. Make certain the value of the $_POST array is coming across as well.

The other big glaring problem I see is that you run md5() on the returning hash. You don't do this in the original script, so regardless of what variable assignments you have, the script logic will never work. You either have to use md5() in the first script, or get rid of it in the second.

A tip to avoid these issues: don't crowd the namespace with a ton of variables. In both scripts you have reassigned variables, and in a couple of instances you do it twice. For example, there is no reason to do

Code:

$enc_code_ready = $enc_code_salt . sha1( $enc_code_salt . $enc_code_ready);
$enc_code = $enc_code_ready;
$_SESSION['code'] = $enc_code;
when you can simply do

Code:

$_SESSION['code'] = $enc_code_salt . sha1( $enc_code_salt . $enc_code_ready);
There is something to readability, so sometimes reassigning values to an alternately named variable can help, but I just don't find a lot of use for it.

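Putting bdlang's points together, here is an added example (not code from either poster) of the two halves done consistently: the same salt, the same sha1 step and no extra md5() on the checking side. With HASH_LEN at 25, substr(sha1(...), 25) leaves a 15-character salt, and since that salt is the first 15 characters of the stored token, the checking page must slice it from the front of the token rather than with substr($token, HASH_LEN) as in the original second script. The helper names make_token and verify_token are hypothetical, and the salt source is a constructed stand-in for sha1(time()).

```php
<?php
// Added example, not code from the thread. Token layout stored in the session:
//   <salt><sha1(salt . code)>   where salt is SALT_LEN hex characters.
define('HASH_LEN', 25);            // same constant as in the thread
define('SALT_LEN', 40 - HASH_LEN); // substr(sha1(...), 25) keeps the last 15 chars

// First page: build the token to store, e.g. $_SESSION['code'] = make_token($code);
function make_token($code) {
    // Constructed salt source; the thread uses substr(sha1(time()), HASH_LEN).
    $salt = substr(sha1(uniqid('', true)), HASH_LEN);
    return $salt . sha1($salt . $code);
}

// Second page: verify_token($_SESSION['code'], $_POST['scode']).
// Both sides must apply exactly the same steps: same salt, same hash, no extra md5().
function verify_token($stored, $submitted) {
    if (!is_string($stored) || strlen($stored) !== SALT_LEN + 40) {
        return false; // missing or malformed token: never accept
    }
    $salt = substr($stored, 0, SALT_LEN); // the salt sits at the FRONT of the token
    $expected = $salt . sha1($salt . $submitted);
    // Constant-time comparison (PHP >= 5.6); the logic is the same as $stored == $expected.
    return hash_equals($stored, $expected);
}

// Self-check: run with `php thisfile.php`.
$token = make_token('1234');
echo verify_token($token, '1234') ? "correct code accepted\n" : "BUG: correct code rejected\n";
echo verify_token($token, '4321') ? "BUG: wrong code accepted\n" : "wrong code rejected\n";
echo verify_token('', '1234')     ? "BUG: empty token accepted\n" : "empty token rejected\n";
```
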
Posted: Sat Jun 03, 2006 11:17 pm
by tecktalkcm0391
ok. thanks