What am I doing wrong here?

Posted: Thu Dec 13, 2007 3:47 pm
by newbie2php
feyd | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.

Code: Select all

$query = "SELECT userid FROM usertable WHERE usersname = '$username' AND password= sha1('$passwrd')";
NOTE: the $passwrd variable is fine - echo'd it out and it is getting there okay.

The sha1 is causing the issue as I have tried entering a user into the table with a plain password without sha1 applied, and then took the sha1() off the query so it was just .... password = '$password' and it worked fine. So I am sure it's an issue with the SHA1() between the database and the script....

I have entered a user into the table, and given it a password with sha1 applied, but when I run the above query it is not picking it up

Am I doing something which is obviously wrong?


Posted: Thu Dec 13, 2007 3:52 pm
by John Cartwright
Are you sure the password is being stored as the sha1 hash? Can you post an example row of data?

By the way, sha1 isn't very secure nowadays, you should at least be using md5(), or preferably Sha256 or above

I noticed in your query you are using $passwrd, but when you're explaining things you're using $password. Try adding error_reporting(E_ALL); to the top of your script to make sure you aren't using any undefined variables.

Posted: Thu Dec 13, 2007 4:03 pm
by Mordred
md5 < sha1 < sha256 (mysql doesn't have SHA256, but you can do the hashing in PHP -- feyd's signature has a link to a PHP4 implementation of SHA256, PHP5 has it native)

I otherwise agree with Jcart, nothing obviously wrong with it, check the values. Also, you must mysql_real_escape_string both variables before running the query.

Posted: Thu Dec 13, 2007 4:26 pm
by newbie2php
Thanks chaps,

JCart - yes, variables are correct, and contain the string that I want. I echoed it out, and it is in the variable, plus I have tried the script without the use of sha1() on both the script, and database, and it works fine with logging on. I also added the error reporting like you said and it comes back fine.

Thanks Mordred - Just added that function now.

So it just seems to be as if the database is saving the password as something else if the code looks right.

I am using phpmyadmin and setting the mode to sha1 on the password field, then entering a password - it then saves this as a string of 12 letters and numbers....

Posted: Thu Dec 13, 2007 4:36 pm
by feyd
Mordred wrote:md5 < sha1 < sha256 (mysql doesn't have SHA256, but you can do the hashing in PHP -- feyd's signature has a link to a PHP4 implementation of SHA256, PHP5 has it native)

I otherwise agree with Jcart, nothing obviously wrong with it, check the values. Also, you must mysql_real_escape_string both variables before running the query.
Correction: PHP 5 has SHA256 through the "hash" extension, which is a configuration directive controlled addition. The class linked from my signature is PHP 5 only, and supports the "hash" extension if it's present, otherwise it will do a pure PHP hashing.

I no longer support any PHP 4 code.

Posted: Thu Dec 13, 2007 4:41 pm
by nickvd
Double check your query...
$query = "SELECT userid FROM usertable WHERE usersname = '$username' AND password= sha1('$passwrd')";
Unless you named the field 'usersname' (as opposed to 'username')

Posted: Thu Dec 13, 2007 5:06 pm
by newbie2php
nickvd wrote:Double check your query...
$query = "SELECT userid FROM usertable WHERE usersname = '$username' AND password= sha1('$passwrd')";
Unless you named the field 'usersname' (as opposed to 'username')
The field name, variable name etc. are all correct. I have the code working without the sha1 in action (tried with taking the sha1() off the query, and resaving the password without the sha1 method) - it is something to do with sha1 that is causing the issue.

If the code is okay then I guess it's something to do with how I am saving the passwords on the database - but I am saving it in sha1 on phpmyadmin - so not sure what's wrong with it

Posted: Thu Dec 13, 2007 5:16 pm
by John Cartwright
Care to try my advice?

Posted: Thu Dec 13, 2007 5:17 pm
by andym01480
I am using phpmyadmin and setting the mode to sha1 on the password field, then entering a password - it then saves this as a string of 12 letters and numbers....
Sha1 seems to be longer than 12 letters and numbers.... So the database field is not big enough!

The example at http://www.php.net/manual/en/function.sha1.php has 40 characters

Code: Select all

<?php
$str = 'apple';

if (sha1($str) === 'd0be2dc421be4fcd0172e5afceea3970e2f3d940') {
    echo "Would you like a green or red apple?";
    exit;
}
?>
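
The failure identified in the post above, reproduced without a database as an added example (not code from the thread or from any poster). It assumes the column silently keeps only the first N characters of the 40-character digest, as the 12-character stored value suggests; the function names and the column widths tried are hypothetical.

```php
<?php
// Added illustration: why a login fails when the password column is
// narrower than a SHA-1 hex digest (40 characters).

// Simulates what a CHAR/VARCHAR($width) column keeps when the server
// truncates over-long values instead of rejecting them (assumption).
function store_in_column(string $value, int $width): string
{
    return substr($value, 0, $width);
}

// Compares a candidate password with the stored value and explains a
// mismatch that is caused by truncation rather than a wrong password.
function diagnose(string $password, string $stored): string
{
    $expected = sha1($password);            // always 40 hex characters
    if (hash_equals($expected, strtolower($stored))) {
        return 'match';
    }
    // A stored value that is a strict prefix of the digest means the
    // hash was cut off on INSERT: the column is too short.
    if ($stored !== '' && strlen($stored) < 40
        && stripos($expected, $stored) === 0) {
        return sprintf('truncated to %d chars, widen the column to 40',
                       strlen($stored));
    }
    return 'mismatch';
}

$password = 'apple';                        // constructed sample input

foreach ([12, 32, 40] as $width) {          // constructed column widths
    $stored = store_in_column(sha1($password), $width);
    printf("width %2d  stored=%-40s  %s\n",
           $width, $stored, diagnose($password, $stored));
}

// A different password against a full-width column is a plain mismatch.
printf("wrong password: %s\n",
       diagnose('pear', store_in_column(sha1($password), 40)));
```

Running the same prefix check against a real row separates a schema problem from a wrong password before any query code is changed.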

Posted: Thu Dec 13, 2007 5:32 pm
by newbie2php
Jcart wrote:Care to try my advice?
Trying the error reporting? - read my post a few up - it comes back fine, the variables are fine in the script.
Sha1 seems to be longer than 12 letters and numbers.... So the database field is not big enough!
I feel stupid now! This is what was the problem, cheers! :oops:

Posted: Thu Dec 13, 2007 5:54 pm
by John Cartwright
I was referring to showing us sample output ;)