I've got some hash password questions
I'm making a simple form here, and I need some help with hash passwords - without sessions (or is that required?).
- A form where the user can create a password that should be hash protected. I found a script written in asp - but isn't it possible to make a php script for it? The asp script didn't write the password to a MySQL db, so if asp is required for this, I need help adding the password into a database.
- For another form, the user got to select his username from a <select></select> input. So I need a script that checks if the hash password - stored in a MySQL db - is the one he created from the beginning.
Thanks for any help!
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: I've got some hash password questions
You do not need Microsoft products here. Just PHP.
JKM wrote:
I'm making a simple form here, and I need some help with hash passwords - without sessions (or is that required?).
- A form where the user can create a password that should be hash protected. I found a script written in asp - but isn't it possible to make a php script for it? The asp script didn't write the password to a MySQL db, so if asp is required for this, I need help adding the password into a database.
- For another form, the user got to select his username from a <select></select> input. So I need a script that checks if the hash password - stored in a MySQL db - is the one he created from the beginning.
Thanks for any help!
Unlike suggested above, do not use md5(). At least use sha1(), if possible, use sha256 to hash, it can be used like
Code:
$hash = hash('sha256', $pass);
Re: I've got some hash password questions
Like this?
Code:
<?php
$pass = $_POST['password'];
$hash = hash('sha256', $pass);
# add to mysql db
# $dbpass = get hash pw from mysql db
if ($hash === $dbpass) {
    // logged in
}
?>
Re: I've got some hash password questions
You've got the idea.
Re: I've got some hash password questions
Just a little question. How should I do the checkup for the user? Like this?
Btw, syntax: What's the difference between <? and <?php?
Code:
"SELECT * FROM xxx WHERE nick='".$_POST['nick']."'";
if($fetch['password'] == $hash) { something }
Re: I've got some hash password questions
<? can be disabled. If it is and you have code that relies on it, you're up a certain creek without a paddle.
On-topic:
Code:
$result = mysql_query("SELECT * FROM xxx WHERE nick = '".mysql_real_escape_string($_POST["nick"])."' AND password = SHA1('".mysql_real_escape_string($_POST["password"])."')");
if(!mysql_num_rows($result)) {
echo "Try entering valid login credentials, fool!";
}
Re: I've got some hash password questions
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/halovasj/public_html/pwcheck.php on line 11
Code:
mysql_connect('localhost','xxx','xxx') or die("mysql error");
mysql_select_db("xxx") or die("mysql error");
$pass = $_POST['password'];
$hash = hash('sha256',$pass);
$check = mysql_query("SELECT * FROM xxx WHERE nick='".mysql_real_escape_string($_POST["nick"])."' AND password='".$hash."')");
if(!mysql_num_rows($check)) {
echo 'Wrong password or nick!';
}
else {
echo 'Eureka!';
}
Re: I've got some hash password questions
You weren't supposed to blindly copy and paste that, it was just a (probably nonfunctional) example.
Re: I've got some hash password questions
Oh, there was just an extra ")" that screwed it up in the query. Thanks for the help!
- aschlosberg
- Forum Newbie
- Posts: 24
- Joined: Fri Jan 23, 2009 10:17 pm
Re: I've got some hash password questions
A few things to add:
1) You should "salt" your passwords prior to hashing them. Many people use common words as passwords and hence the hashes are quite common too (see if you can crack 5eb63bbbe01eeed093cb22bb8f5acdc3 by simply Googling it). Salting involves adding some random characters along with the password. When you check it you add the characters in the same position prior to hashing and check (the same thing as above with qwerty on the end produces b6080a1b1cbe76100050f5e66cf3d858 which Google doesn't have).
1b) If you are using the same salt for each user you will end up with the same hash for people that have the same password. Salt the password with the username too in order to provide less information to anyone who comes across the hashed passwords.
2) Probably just a convenience thing that you never escaped the SQL input in the WHERE nick='".$_POST['nick']."' as I noticed you did it later. Even with hashing done properly you open up another door with SQL injections.
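Putting aschlosberg's three points together (per-user salt, username mixed into the salt, and no unescaped input in the query), here is an added example in PHP. It is not code from the thread; it assumes a PDO connection and a table named users with nick, salt and password columns, both of which are illustrative names.

```php
<?php
// Added example, not from the thread. Assumes (illustrative names) a PDO
// handle $db and a table users(nick VARCHAR PRIMARY KEY, salt CHAR(32),
// password CHAR(64)). Needs PHP 7+ for random_bytes().

function register(PDO $db, string $nick, string $password): void
{
    // Point 1/1b: a fresh random salt per user, so two users with the same
    // password get different hashes. The salt is stored next to the hash;
    // it is not a secret, it only makes precomputed tables useless.
    $salt = bin2hex(random_bytes(16));
    $hash = hash('sha256', $salt . $nick . $password);

    // Point 2: bound parameters instead of pasting $_POST into the SQL string,
    // so a quote in the nick cannot change the query.
    $stmt = $db->prepare('INSERT INTO users (nick, salt, password) VALUES (?, ?, ?)');
    $stmt->execute([$nick, $salt, $hash]);
}

function checkLogin(PDO $db, string $nick, string $password): bool
{
    $stmt = $db->prepare('SELECT salt, password FROM users WHERE nick = ?');
    $stmt->execute([$nick]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown nick: same answer as a wrong password
    }

    // Recompute with the stored salt in the same position as at registration,
    // then compare in constant time rather than with == or ===.
    $candidate = hash('sha256', $row['salt'] . $nick . $password);
    return hash_equals($row['password'], $candidate);
}

// Usage (constructed values):
// $db = new PDO('mysql:host=localhost;dbname=xxx', 'xxx', 'xxx');
// register($db, $_POST['nick'], $_POST['password']);
// echo checkLogin($db, $_POST['nick'], $_POST['password'])
//     ? 'Eureka!' : 'Wrong password or nick!';
?>
```

A single SHA-256 round is fast to brute-force offline, so on PHP 5.5 or later the same two functions are better written with the built-in password_hash() and password_verify(), which handle the salt and a slow bcrypt hash for you.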