Geek Answers Handbook

Authorization authorization, how to check if password matches SALT + HASH - PHP + MySQL

I am currently working on a school project, and recently I did not manage to complete login authorization. I use HASH and SALT to register new users. I cannot find any resources that make the session for me, so I decided to create an account here to ask my own question.

This is my register script:

$username = $_POST['username']; $email = $_POST['email']; $first = $_POST['fname']; $last = $_POST['lname']; $salt = crypt("sha512", false); $pass = $_POST['password']; $password = hash("sha512", $salt . $pass . $salt, false); $sql = "INSERT INTO `users` (`username`, `email`, `fname`, `lname`, `salt`, `password`) VALUES ('$username', '$email', '$first', '$last', '$salt', '$password')";

Then I have a checklogin.php script, that is action = "checklogin.php" on my index page, which is the login page. This is the full script: http://pastebin.com/tKrsHaFU (bin insert)

My question is how to check my users who come to the index.php page (login form) with users who are already in the database, remember that I have salt and hash on passwords.

+4
source share
3 answers

Primarily:

 $salt = crypt("sha512", false);

This generates a static salt, i.e. does not change. To create a better option:

 $salt = uniqid(mt_rand(), true); // the paranoid use openssl_random_pseudo_bytes()

To check the record, your SQL will look like this:

 $sql="SELECT * FROM $tbl_name WHERE username='$myusername'"; $result=mysql_query($sql); // ... if ($count==1) { $row = mysql_fetch_assoc($result); if (hash('sha512', $row['salt'] . $_POST['mypassword'] . $row['salt']) == $row['password']) { // validation passed, rejoice! } }

However, you should look here: How do you use bcrypt to hash passwords in PHP?

+5
source

You don’t need to worry so much!

Now the main idea of ​​any script entry, as well as behind a database that stores information about the user, is that we need a minimum value of 1 to be the primary key that uniquely identifies each user. Now in your case, its apt username is represented as the main key.

So all you have to do is just do $data = mysql_query("SELECT * FROM table_name") or die(mysql_error());

Here table_name will be the name of the table in which all user information is stored. Now $info = mysql_fetch_array( $data ); will put all user information in an array.

A simple var_dump($info) will list all your user names along with other user information (just for testing purposes ... u donot wants to display information for users when registering: P)

Just skip this array and map the username provided by new_user to the existing one in the array. In case of coincidence, you can stop it by saying User already exists !! . Else welcomes him to your site.

0
source

See if you can read this article. It shows the general design scheme. http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

If you can get so much work, the next step is to hide the passwords in your database. You can use php md5 () for one-way password encoding. Apply md5 () to the password when the client registers and stores the encoded password. Apply md5 () to the text password that the client enters into the login form. Use the encoded password in the SELECT query. You can combine the solo string into a call to the md5 () function. Just be sure to use the same salt every time.

http://php.net/manual/en/function.md5.php

Best regards, ~ Ray

0
source

More articles:


All Articles