
I've got some hash password questions

Posted: Tue Jan 06, 2009 9:09 pm
by JKM
I'm making a simple form here, and I need some help with hash passwords - without sessions (or is that required?).

- A form where the user can create a password that should be hash protected. I found a script written in asp - but isn't it possible to make a php script for it? The asp script didn't write the password to a MySQL db, so if asp is required for this, I need help adding the password into a database.
- For another form, the user got to select his username from a <select></select> input. So I need a script that checks if the hash password - stored in a MySQL db - is the one he created from the beginning.

Thanks for any help!

Re: I've got some hash password questions

Posted: Tue Jan 06, 2009 11:12 pm
by it2051229
You can use the md5 hash function; read about it here:

http://www.php.net/md5

Re: I've got some hash password questions

Posted: Wed Jan 07, 2009 6:06 am
by kaisellgren
JKM wrote: I'm making a simple form here, and I need some help with hash passwords - without sessions (or is that required?).

- A form where the user can create a password that should be hash protected. I found a script written in asp - but isn't it possible to make a php script for it? The asp script didn't write the password to a MySQL db, so if asp is required for this, I need help adding the password into a database.
- For another form, the user got to select his username from a <select></select> input. So I need a script that checks if the hash password - stored in a MySQL db - is the one he created from the beginning.

Thanks for any help!
You do not need Microsoft products here. Just PHP.

Unlike what was suggested above, do not use md5(). At least use sha1(); if possible, use sha256 to hash. It can be used like this:

Code:

$hash = hash('sha256',$pass);

Re: I've got some hash password questions

Posted: Wed Jan 07, 2009 8:48 am
by JKM
Like this?

Code:

<?php
    $pass = $_POST['password'];
    $hash = hash('sha256',$pass);
    # add to mysql db
    
    # $dbpass = get hash pw from mysql db
    
    if($hash === $dbpass) {
        // do something
    }
?>

Re: I've got some hash password questions

Posted: Wed Jan 07, 2009 8:49 am
by Syntac
You've got the idea.

Re: I've got some hash password questions

Posted: Wed Jan 07, 2009 5:00 pm
by JKM
Just a little question. How should I do the checkup for the user? Like this?

Code:

"SELECT * FROM xxx WHERE nick='".$_POST['nick']."'";
if($fetch['password'] == $hash) { /* something */ }

Btw, syntac: What's the difference between <? and <?php? :)

Re: I've got some hash password questions

Posted: Wed Jan 07, 2009 5:04 pm
by Syntac
<? can be disabled. If it is and you have code that relies on it, you're up a certain creek without a paddle.

On-topic:

Code:

$result = mysql_query("SELECT * FROM xxx WHERE nick = '".mysql_real_escape_string($_POST["nick"])."' AND password = SHA1('".mysql_real_escape_string($_POST["password"])."')");
if(!mysql_num_rows($result)) {
    echo "Try entering valid login credentials, fool!";
}

Re: I've got some hash password questions

Posted: Thu Jan 08, 2009 1:45 pm
by JKM
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/halovasj/public_html/pwcheck.php on line 11

Code:

mysql_connect('localhost','xxx','xxx') or die("mysql error");
mysql_select_db("xxx") or die("mysql error");
$pass = $_POST['password'];
$hash = hash('sha256',$pass);
 
$check = mysql_query("SELECT * FROM xxx WHERE nick='".mysql_real_escape_string($_POST["nick"])."' AND password='".$hash."')");
if(!mysql_num_rows($check)) {
    echo 'Wrong password or nick!';
}
else {
    echo 'Eureka!';
}

Re: I've got some hash password questions

Posted: Thu Jan 08, 2009 3:04 pm
by Syntac
You weren't supposed to blindly copy and paste that, it was just a (probably nonfunctional) example. :roll:

Re: I've got some hash password questions

Posted: Thu Jan 08, 2009 4:26 pm
by JKM
Oh, there was just an extra ")" that screwed it up in the query. Thanks for the help! :)

Re: I've got some hash password questions

Posted: Fri Jan 23, 2009 10:42 pm
by aschlosberg
A few things to add:

1) You should "salt" your passwords prior to hashing them. Many people use common words as passwords and hence the hashes are quite common too (see if you can crack 5eb63bbbe01eeed093cb22bb8f5acdc3 by simply Googling it). Salting involves adding some random characters along with the password. When you check it you add the characters in the same position prior to hashing and check (the same thing as above with qwerty on the end produces b6080a1b1cbe76100050f5e66cf3d858 which Google doesn't have).

1b) If you are using the same salt for each user you will end up with the same hash for people that have the same password. Salt the password with the username too in order to provide less information to anyone who comes across the hashed passwords.

2) Probably just a convenience thing that you never escaped the SQL input in the WHERE nick='".$_POST['nick']."' as I noticed you did it later. Even with hashing done properly you open up another door with SQL injections.
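The points above (a random salt that differs per user, and parameters that never get concatenated into the query) together with the register/check flow JKM asked for, as an added example that is not code from any poster in this thread. It uses PHP's built-in password_hash() and password_verify() (added in PHP 5.5, after this thread) and PDO prepared statements. Assumptions: PHP 7.0 or later with the pdo_sqlite extension; the users table, the nicks and the passwords are constructed for the demo, and the function names are the example's own.

```php
<?php
// Added example for this thread (not code from any poster): a register step
// and a login check for the forms JKM describes, written the way the salting
// and escaping advice above is realised in current PHP.
// Assumptions: PHP 7.0 or later with the pdo_sqlite extension; the users
// table, nicks and passwords below are constructed for the demo.
declare(strict_types=1);

function connect(): PDO
{
    // In-memory SQLite keeps the example self-contained; for MySQL the DSN
    // would be e.g. 'mysql:host=localhost;dbname=xxx;charset=utf8mb4'.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (nick TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Points 1 and 1b: password_hash() draws a fresh random salt for every call
// and stores it inside the returned string, so two users with the same
// password get different rows and no salt column or manual concatenation is needed.
function registerUser(PDO $db, string $nick, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Point 2: bound parameters instead of quoting $_POST values into the SQL.
    $stmt = $db->prepare('INSERT INTO users (nick, password) VALUES (:nick, :hash)');
    $stmt->execute([':nick' => $nick, ':hash' => $hash]);
}

// Login check: look the row up by nick only, then let password_verify() redo
// the hash with the stored salt and compare in constant time. The submitted
// password itself never becomes part of a query.
function checkLogin(PDO $db, string $nick, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Used for unknown nicks so a miss costs the same time as a wrong password.
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password FROM users WHERE nick = :nick');
    $stmt->execute([':nick' => $nick]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password']);
}

// Demo with constructed data (in a real form these values come from $_POST).
$db = connect();
registerUser($db, "O'Brien", 'correct horse battery staple');
registerUser($db, 'jkm', 'correct horse battery staple');

var_dump(checkLogin($db, "O'Brien", 'correct horse battery staple'));
var_dump(checkLogin($db, "O'Brien", 'wrong password'));
var_dump(checkLogin($db, 'nobody', 'anything'));

// Same password for both users, but per-user salts make the stored hashes differ.
$hashes = $db->query('SELECT password FROM users ORDER BY nick')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
```

Two things worth knowing when adapting this to the MySQL setup in the thread: the `password` column must be wide enough for the whole password_hash() string (60 characters for bcrypt today; 255 leaves room for PASSWORD_DEFAULT to change), and sha256 on its own is a fast hash, so even salted it can be guessed at high speed offline, whereas PASSWORD_DEFAULT (bcrypt in current PHP releases) is deliberately slow and is the option a practitioner should reach for now.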