开发者

php salt authentication

问答 作者:

Thank you for your honest criticism towards my ignorance in php/mysql and I appreciate your help concerning this issue.

After making the corrections suggested below 开发者_Python百科I'm running into the issue where the registered 

sha1(md5($password).$salt)

is not === when compared to the login authentication 

sha1(md5($password).$row['salt']);

So I created a script to see what the login script was seeing and it compares the two. 

 $query = "UPDATE `users` SET `form_password` = '$encrypted'  WHERE `username` = '$username'";  
     mysql_query($query) or die (mysql_error());

password is registered as "1fcb4bdeb8a98151f5f74a2af0b5045ec277c501"

and being called back as "f2c04d2583f111fcd41288dc75901f6c870cfc6b"

Here is the updated script on login:

else {  

$password = $_POST['password'];
$username = mysql_real_escape_string($_POST['username']);


$sql  =  "SELECT `password`, `salt` FROM `users` WHERE `username` = '$username' LIMIT 0,1";
$result = mysql_query($sql) or die(mysql_error());

if (is_resource($result) && mysql_num_rows($result) > 0){
    $row        =   mysql_fetch_array($result);
    $encrypted  =   sha1(md5($password).$row['salt']);

     if($encrypted === $row['password']){
    header('Location: page3.php');
    exit;
     } else{

     $query = "UPDATE `users` SET `form_password` = '$encrypted'  WHERE `username` = '$username'";  
     mysql_query($query) or die (mysql_error());

    header('Location: page2.php');
    exit;
     }
} else{
header('Location: page4.php');
exit;
}
}

a) How large is your password field in the database? SHA1 hashes are 40 characters long, so if you've got a field size less than that, your hashed password will be truncated.

b) Putting or die() on your $sql = ... line is pointless. Creating a string is extraordinarily unlikely to fail. You need to put the or die() on the line where the query is actually executed:

$sql = "..."
$result = mysql_query($sql) or die(...);

c) Your code is vulnerable to sql injection, as you paste the user-provided username and password directly into your queries without escaping.

d) You don't check if the query to get the user's pw/salt succeeds. If the username is incorrect, the query will retrieve no rows. This isn't an error condition, as the query did what it was supposed to. You need to check, via mysql_num_rows($result) if the query did return a row or not.

You are quoting your column identifiers incorrectly. Use backticks or nothing at all.

SELECT 'salt' FROM table WHERE ....

Will return "salt". Use instead:

SELECT `salt` ....

or

SELECT salt ....

Please also consider the points that Marc B made. They are all good and valid.

You have got so many things wrong there.

Here is your working code:

The db password is encrypted as:

<?php
function generateSalt(){
    // Declare $salt
    $salt = '';

    // And create it with random chars
    for ($i = 0; $i < 2; $i++){
        $salt .= chr(rand(48, 57)) . chr(rand(65, 90)) . chr(rand(97, 122));
    }

    return $salt;
}
$salt       =   generateSalt();
$encrypted  =   sha1(md5($password).$salt);
$query      =   "INSERT INTO `users`(`password`, `salt`) VALUES '$encrypted', '$salt')";
?>

index. php

<?php
function salt() {
    // Declare $salt
    $salt = '';
    
    // And create it with random chars
    for ($i = 0; $i < 2; $i++){
        $salt .= chr(rand(48, 57)) . chr(rand(65, 90)) . chr(rand(97, 122));
    }
    
    return $salt;
 }
 
$password = $_POST['password'];
$username = mysql_real_escape_string($_POST['username']); 

$sql        =   "SELECT `password`, `salt` FROM `users` WHERE `username` = '$username' LIMIT 0,1";
$result     =   mysql_query($sql) or die('Could not access user.');
if(is_resource($result) && mysql_num_rows($result) > 0){
    $row        =   mysql_fetch_array($result);
    $encrypted  =   sha1(md5($password).$row['salt']);

    if($encrypted === $row['password']){
        header('Location: page3.php');
        exit;
    } else{
        header('Location: page2.php');
        exit;
    }
} else{
    header('Location: page2.php');
    exit;
}
?>

i would do this in pseudo-code

$salt='secretword';// that do not change
$encrypted=sha1($password.$salt);

INSERT INTO users (username,password) VALUES($username, $encrypted);

later

//get $username and $password from user input
$encrypted=sha1($password.$salt);
SELECT * FROM users WHERE username='$username' and password='$encrypded' LIMIT 1

note encrypting should be done in php because MySQL will calculate SHA1(..) for each row when matching and is unnecessary waste

继续阅读:authenticationpasswordsphpsalt

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9