hashing problems[SOLVED, thanks]

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

hashing problems[SOLVED, thanks]

Post by toby_c500 »

Hi,

I have added a hash to my user registration form. The script works fine and the password is hashed in my mysql db.

I am now testing the login page and trying to log in but seem to have problems. I have an html form bellow this php which is exited to if the user is not recognized (see bellow).

When I log in, with a user that has md5 hashing, it exits the script and just displays the html form. There are no errors and no other echo's. Just the html form.

Any ideas???

The script:

Code: Select all

error_reporting(E_ALL);
ini_set('display_errors', true);

if ( isset($_POST['loginid'], $password)) {
      	$link = dbconnect();
        mysql_select_db("jobs4alltrades", $link) or die(mysql_error());

$pass = $_POST['password'];

        $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
        $password = mysql_real_escape_string(hash('md5', $pass,TRUE), $link) or die(mysql_error());
       
        $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";

        $result = mysql_query($query, $link) or die(mysql_error());
        if (mysql_num_rows($result) >0) {
               $_SESSION['loginid'] = $_POST['loginid'];
                echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
                        '<br><a href="sessiontest.php">click here</a>';
                exit;
        }
        else{
                echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
        }
		
}
Thanks
Last edited by toby_c500 on Fri May 25, 2007 11:44 am, edited 1 time in total.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Is there a reason you're using binary hash results?
toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

Post by toby_c500 »

Nope. To be honest I'm not even sure what that means. I'm still learning. I have searched around to find examples of hashing and used that.

Should I set it to FALSE on both login and register pages? What does it actually mean when you use binary?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Hashing functions internally form a binary string of bits that compose the result. Often the result is then converted to a more manageable form such as a hexadecimal string. The database needs them to be encoded the same at any rate. Whether it's using md5() or hash() doesn't overly matter. The spot where you run into trouble is that hash() is a very new function to PHP, md5() is not.
toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

Post by toby_c500 »

Brilliant, Thanks Feyd.

I will test with md5().

Thanks for the guidance.
toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

Post by toby_c500 »

I have just tested the md5 (bellow) and had the same result.

Am I missing the point here? Is there fault with my code? I don't understand why it just exits.


Code: Select all

error_reporting(E_ALL);
ini_set('display_errors', true);

if ( isset($_POST['loginid'], $password)) {
      	$link = dbconnect();
        mysql_select_db("jobs4alltrades", $link) or die(mysql_error());

$pass = $_POST['password'];

        $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
        $password = mysql_real_escape_string(md5($pass), $link) or die(mysql_error());
       
        $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";

        $result = mysql_query($query, $link) or die(mysql_error());
        if (mysql_num_rows($result) >0) {
               $_SESSION['loginid'] = $_POST['loginid'];
                echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
                        '<br><a href="sessiontest.php">click here</a>';
                exit;
        }
        else{
                echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
        }
		
}
[/syntax]
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You have $pass and $password.. which one is the correct one?
toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

Post by toby_c500 »

I've just noticed an error in my code. While I have been testing I changed a few things round with the isset at the top.

It now reads:

Code: Select all

if ( isset($_POST['loginid'], $_POST['password'])) {
      	$link = dbconnect();
        mysql_select_db("jobs4alltrades", $link) or die(mysql_error());
I login and get the else statement at the bottom:

Code: Select all

  else{
                echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
        }
toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

Post by toby_c500 »

New code:

Code: Select all

error_reporting(E_ALL);
ini_set('display_errors', true);

if ( isset($_POST['loginid'], $_POST['password'])) {
      	$link = dbconnect();
        mysql_select_db("jobs4alltrades", $link) or die(mysql_error());

$pass = $_POST['password'];

        $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
        $password = mysql_real_escape_string(md5($pass), $link) or die(mysql_error());
       
        $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";

        $result = mysql_query($query, $link) or die(mysql_error());
        if (mysql_num_rows($result) >0) {
               $_SESSION['loginid'] = $_POST['loginid'];
                echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
                        '<br><a href="sessiontest.php">click here</a>';
                exit;
        }
        else{
                echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
        }
		
}
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Have you verified that the query generated by your logging in is correct?
toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

Post by toby_c500 »

everything was working fine before I put in the hash. I've just checked over it and see anything out of place.

New code:
e

Code: Select all

rror_reporting(E_ALL);
ini_set('display_errors', true);

if ( isset($_POST['loginid'], $_POST['password'])) {
      	$link = dbconnect();
        mysql_select_db("jobs4alltrades", $link) or die(mysql_error());


        $loginid = mysql_real_escape_string($_POST['loginid'], $link) or die(mysql_error());
        $password = mysql_real_escape_string(md5($_POST['password']), $link) or die(mysql_error());
       
        $query = "SELECT * FROM members WHERE LOWER(loginid)='" . strtolower($loginid) . "' AND `password`='$password'";

        $result = mysql_query($query, $link) or die(mysql_error());
        if (mysql_num_rows($result) >0) {
               $_SESSION['loginid'] = $_POST['loginid'];
                echo '<h1>Welcome ', $_POST['loginid'], "</h1>\n",
                        '<br><a href="sessiontest.php">click here</a>';
                exit;
        }
        else{
                echo "<h1>Sorry</h1><p>There is no match on our records. Please try again or register as a new user.</p>\n";
        }
		
}
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Can you post a "SHOW CREATE TABLE" result of the table you are interacting with?
toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

Post by toby_c500 »

feyd | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]


Hi Feyd, Thanks again for sticking with me and giving me this help. I have been playing around with phpMyAdmin and got this. I hope it is what you need:


[syntax="sql"]members  	CREATE TABLE `members` (\n 

`loginid` varchar(20) collate latin1_bin NOT NULL,\n 
`password` varchar(20) collate latin1_bin NOT NULL,\n 
`firstname` varchar(50) collate latin1_bin NOT NULL,\n 
`surname` varchar(50) collate latin1_bin NOT NULL,\n 
`email` varchar(50) collate latin1_bin NOT NULL,\n 
`trade` varchar(50) collate latin1_bin NOT NULL,\n 
`address1` varchar(50) collate latin1_bin NOT NULL,\n 
`address2` varchar(50) collate latin1_bin NOT NULL,\n 
`address3` varchar(50) collate latin1_bin default 'no info supplied',\n 
`address4` varchar(50) collate latin1_bin default 'no info supplied',\n 
`postzip` varchar(50) collate latin1_bin default 'no info supplied',\n 
`country` varchar(50) collate latin1_bin NOT NULL,\n 
`yearsexp` varchar(50) collate latin1_bin default 'no info supplied',\n 
`about` varchar(255) collate latin1_bin NOT NULL,\n 
`other` varchar(255) collate latin1_bin default NULL,\n 

PRIMARY KEY  (`loginid`),\n 
KEY `firstname` (`firstname`)\n) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_bin

I must admit, the limited time I have to learn web development has been mainly concentrated on PHP not MySQL.

Thanks again


feyd | Please use[/syntax]

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Have you viewed the MD5 hash of the string you are checking to make sure it is an exact match to that in the database?
toby_c500
Forum Commoner
Posts: 50
Joined: Fri May 11, 2007 11:29 am
Location: Leeds, England

Post by toby_c500 »

Woo Hoo! That has sorted it. Thanks Everah. The varchar was set to 20 an the hash was too long to fit in so cut off short. The query couldn't match it.

Thats great. Thank you guys.

BTW, when you hash something, is there a rule as to how long the hash will be in relation to the password? ie: 1 letter in a string = 5 char in a hash.


Thanks again.
Post Reply