2

I want to make a log in script for my website using some special SHA256 encryption and a mysql database linking with it. (And a form ofcourse :P)

I use the Minecraft Plugin "Authme" for the registration. It hashes a password in SHA256 and stores it into a mysql database. But the code $SHA$ce9b7692bd2b8f79$644c2a5710bb93f82471d08234435d7d02b1bbc09aff2cf23370f187aab37716 isn't the same as the SHA256 hashes I made from some websites. 4aae7aba013ffed685a1354a0ebb576b8f1f58997b96cf3ef096282cfe737bff

The developers at Authme gave me a "simple" code to decrypt the password, but I don't know how to fit it within my script.

// @return true if password and nickname match 
function check_password_db($nickname,$password) {
  // Here u have to include your DB connection and select!
  $a=mysql_query("SELECT password FROM authme where username = '$nickname'");
  if(mysql_num_rows($a) == 1 ) {
    $password_info=mysql_fetch_array($a);
    $sha_info = explode("$",$password_info[0]);
  } else 
    return false;
  if( $sha_info[1] === "SHA" ) {
    $salt = $sha_info[2];
    $sha256_password = hash('sha256', $password);
    $sha256_password .= $sha_info[2];;
    if( strcasecmp(trim($sha_info[3]),hash('sha256', $sha256_password) ) == 0 ) 
      return true;
    else return false;
  }
}

So the bottom line is: I want to know how to make a form that logs a user in to my website by checking if he entered the right password by looking at the data in mySQL. If you need more info just reply and I'll give you it. My goal is to make a login script that works with sessions.

The tables i have are ID, am_ (username), password and ip.

Can you give me something like a code to do that? (Making a form with username and password, and look whether its valid or not)

Sorry for my typo's, I come from The Netherlands..

Improve this question
1
  • SHA256 is not encryption, so you can't decrypt it. Commented Apr 5, 2013 at 20:38

3 Answers 3

Reset to default
2

Well, from what I understand: you use some library for registration, and now you want to make a login form that uses the same authorization mechanism used by registration.

In that case you posted the code that should be used for checking the password yourself. Just pass user input to it and make sure the SELECT statement uses correct table and columns.

As for why hashes differ, it's because user input isn't encrypted as sha256(password) but sha256(concat(sha256(password),salt)) where concat is string concatenation operation and salt is additional input, which in this case is equal to part between $ characters (in your example: ce9b7692bd2b8f79).

Additionaly, you cannot "decrypt" hashed data. You can only hash some other data and compare both hashes to check if they are the same. If they are the same, both inputs are (probably) the same. (The "probably" part is because hashing functions are surjections, not bijections.)

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

if you put the plain password into the function check_password_db it will check if it's equal to the stored sha256 hash so if that function returns true you can set a set a session variable indicating the user is logged in succesfully.

Improve this answer

Comments

0

The code that you are provided does the work for you. All you have to do is pass the user entered form data to the provided function and check it's return value to determine if the login details are correct or not.

Here is the simplest use case and code to help you out.

User navigates to Login Page (login.html)

    <!-- Login Page - login.html -->
    <form name='login-form' action='login.php' method='POST'>
    Username <input type='text' name='username' value=''></input>
    Password <input type='password' name='password' value=''></input>
    <input type='submit' value='Login' name='submit-button'></input>
    </form>

Once the user enters the login information and clicks 'Submit', it should go to your PHP script page

<?php
/* Login Script - login.php */

//Enable Session
session_start(); 
//Perform Form Submission Checks

$un = $_POST['username'];
$p = $_POST['password'];

//Validate form input data using PHP and mysql best practices to avoid SQL injections and attacks
//Connect to Database

function check_password_db($nickname, $password)
{
   /* Your Code Here */
}

$return_var = check_password_db($un,$p);

if($return_var == true)
{
    //User entered valid data
    $_SESSION['LOGIN'] = TRUE;
    echo "Login Successful";
}
else
{
    //User entered invalid data
    echo "Login Unsuccessful";
}
?>
Improve this answer

5 Comments

Hello! Thank you for your fast reply. Can you please include the script I posted above in your script? I've done it, but the only thing it did was putting ?sha256_password= at the end of my webpage. Can you make something like when it matches it says "YAY! IT WORKS" or something like that?
I don't understand what exact output you're getting. Make sure you are passing data correctly. Use echo statements to debug if you must. I've added a placeholder for your code and I've also added echo/print statements for you.
Hey! I've done everything you say, but when I submit the form, it says <pre>Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in MYDOMAIN on line 19</pre>
Hey! I'm getting an error while trying to submit the script. pastie.org/private/ljyot5pozszjfqsnaaffg Thank you.
Please try following the format listed in example 1 at php.net/manual/en/function.mysql-num-rows.php Please note that mysql_num_rows is deprecated.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.