
This is my hash code for checking passwords, hashing.php

<?php
    class hashing {
        //compare password with hashed one
        public static function check_password($hash,$password) {
            $full_salt=substr($hash,0,29);

            $new_hash=crypt($password,$full_salt);

            return ($hash==$new_hash);
        }
    }
?>

This is login.php

<?php
    require("scripts/hashing.php");
    $password=$_POST['txtPassword'];

    //checking in database if password exists or not
    $checkPassword=mysql_query("SELECT * from $tbl_name WHERE Password='".$password."'");

    $resultPassword=mysql_fetch_array($checkPassword);

    if(!hashing::check_password($resultPassword['Password'],$password)) {
        //back to login
    }
?>

The problem is that, even when users input wrong password, it is allowing the users to login.

EDIT

<?php
    class hashing {

        //blowfish
        private static $algo='$2a';

        //cost parameter
        private static $cost='$10';

        public static function unique_salt() {
            return substr(sha1(mt_rand()),0,22);
        }

        //generate a hash (static, so it can be called as hashing::myhash())
        public static function myhash($password) {
            return crypt($password,self::$algo.self::$cost.'$'.self::unique_salt());
        }

        //compare password with hashed one
        public static function check_password($hash,$password) {
            $full_salt=substr($hash,0,29);

            $new_hash=crypt($password,$full_salt);

            return ($hash==$new_hash);
        }
    }
?>
  • Did you try to echo the result just before your return statement? echo 'hash: "'.$hash.'"=="'.$new_hash.'"'; Commented Sep 6, 2011 at 18:35
  • What would happen if a user would fill in a password that is not in the database? What would $resultPassword be? And for that value, what would your check_password do? Commented Sep 6, 2011 at 18:38
  • Your logic is flawed. First you get all rows from the database which password IS THE SAME as your given password (straight from the POST, not crypted). Then you check if they are equal? Well guess what - they are! Else the SELECT would not have worked. Commented Sep 6, 2011 at 18:40
  • omg! is my code wrong? I actually followed a tutorial. All I want is an input from txtPassword to check if it exists in database or not. In mysql, "Password" field contains hashed passwords. Commented Sep 6, 2011 at 18:41
  • So the $_POST['txtPassword'] is supposed to be the hashed password? You expect users to type the hashed password? Are you sure you didn't miss a crypt() somewhere? Commented Sep 6, 2011 at 18:43
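
The flow the comments are pointing at, written out as an added example (this is not the asker's code, the tutorial's code, or either answer): look the row up by username only, then verify the submitted password against the stored bcrypt hash. It keeps the question's `hashing` class shape but draws the salt from `random_bytes()`, compares with `hash_equals()`, and returns `false` when no row came back instead of passing `null` into `crypt()`. The `users` table, the `register()`/`login()` helpers and the in-memory SQLite database reached through PDO are assumptions standing in for the asker's MySQL `$tbl_name`, so the script runs offline without the removed `mysql_*` functions.

```php
<?php
// Added example; not the asker's code. Assumptions: a 'users' table with
// Username/Password columns, an in-memory SQLite database via PDO in place of
// the asker's MySQL table, and the helper names register()/login().

class hashing {
    // bcrypt prefix: '$2y' is the corrected identifier PHP >= 5.3.7 accepts;
    // the question uses '$2a'
    private static $algo = '$2y';

    // cost parameter
    private static $cost = '$10';

    // 22 characters from the bcrypt salt alphabet ./A-Za-z0-9, taken from a
    // CSPRNG instead of sha1(mt_rand())
    public static function unique_salt() {
        return substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    }

    // generate a hash (static, so hashing::myhash() is a valid call)
    public static function myhash($password) {
        return crypt($password, self::$algo . self::$cost . '$' . self::unique_salt());
    }

    // compare password with the stored hash
    public static function check_password($hash, $password) {
        // no row (the fetch returned false) or a malformed column value must
        // never verify; bcrypt strings are always 60 characters
        if (!is_string($hash) || strlen($hash) !== 60) {
            return false;
        }
        $full_salt = substr($hash, 0, 29);      // '$2y$10$' + 22 salt characters
        $new_hash  = crypt($password, $full_salt);
        return hash_equals($hash, $new_hash);   // constant-time comparison
    }
}

// store only the hash at registration; the plaintext never reaches the table
function register(PDO $db, $username, $password) {
    $stmt = $db->prepare('INSERT INTO users (Username, Password) VALUES (?, ?)');
    return $stmt->execute([$username, hashing::myhash($password)]);
}

// select by username only: the submitted password is never part of the SQL,
// so there is nothing for the WHERE clause to "match" and nothing to inject into
function login(PDO $db, $username, $password) {
    $stmt = $db->prepare('SELECT Password FROM users WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when the user does not exist
    return hashing::check_password($row ? $row['Password'] : null, $password);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Password TEXT NOT NULL)');

register($db, 'deepz', 'correct horse battery');   // constructed sample account

var_dump(login($db, 'deepz', 'correct horse battery'));   // right password
var_dump(login($db, 'deepz', 'wrong password'));          // wrong password
var_dump(login($db, 'nobody', 'correct horse battery'));  // unknown user
```

Only the first call verifies; the other two are rejected, including the unknown-user case that the original `login.php` would have fed as `null` into `substr()` and `crypt()`. On PHP 5.5 and later the same scheme is available without hand-building the salt string: `password_hash($password, PASSWORD_BCRYPT)` for `myhash()` and `password_verify($password, $hash)` for `check_password()`.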

2 Answers

1

You are pulling the raw password from $_POST and comparing it to a hashed password.

// Hashed so that it can match in the database, otherwise it will never match up
$password = my_crypt_function($_POST['txtPassword']);

//checking in database if password exists or not
$checkPassword=mysql_query("SELECT * from $tbl_name WHERE Password='".$password."'");

4 Comments

Yes. I want it to compare the hashed one in the database
Probably because there are more logical errors in his code. Fixing this is step one.
I really don't know how to do it :( I followed this tutorial:- net.tutsplus.com/tutorials/php/…
@deepz: where are you hashing the password provided by the user? I do not see it. That is the point of my answer.
0

Okay, I used md5 to solve it.

In registration:

$pass_hash=md5(mysql_real_escape_string($_POST['txtPassword']));
$insertQuery="INSERT INTO $tbl_name(Password) VALUES ('".$pass_hash."')";
$insert=mysql_query($insertQuery) or die ("Failed to register");

In login:

$pass_hash=md5(mysql_real_escape_string($_POST['txtPassword']));
$checkLogin=mysql_query("SELECT * from $tbl_name WHERE Username='".$username."' AND Password='".$pass_hash."'");
if(mysql_num_rows($checkLogin)==1) {
   $row=mysql_fetch_array($checkLogin);
   echo "Login success!";
}
else {
   echo "Login failed!";
}
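
An added example (not part of this answer) contrasting the unsalted `md5` used here with the salted bcrypt the question started with, using PHP's built-in `password_hash()`/`password_verify()` (PHP 5.5+). The two accounts sharing a password and the helper names `md5_table()`, `bcrypt_table()` and `reveals_shared_passwords()` are constructed for the illustration.

```php
<?php
// Added example, not part of the answer. The user list and helper names are
// constructed for the illustration.
$users = ['alice' => 'hunter2', 'bob' => 'hunter2'];

// this answer's scheme: one fast, unsalted digest per password
function md5_table(array $users) {
    return array_map('md5', $users);
}

// the question's scheme through PHP's built-in API: bcrypt with a random
// per-user salt and a cost factor
function bcrypt_table(array $users) {
    return array_map(function ($password) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    }, $users);
}

// true when two users' stored values are identical: anyone who reads the
// table can see they share a password, and a single guess cracks both
function reveals_shared_passwords(array $table) {
    return count(array_unique($table)) < count($table);
}

var_dump(reveals_shared_passwords(md5_table($users)));      // unsalted md5
var_dump(reveals_shared_passwords(bcrypt_table($users)));   // salted bcrypt

// the salt travels inside the hash, so verification needs no extra column
$stored = bcrypt_table($users);
var_dump(password_verify('hunter2', $stored['alice']));
var_dump(password_verify('wrong', $stored['bob']));
```

The md5 table shows the collision and the bcrypt table does not, while `password_verify()` still accepts the right password and rejects the wrong one. Two side points on the answer's code: the hex digest produced by `md5()` contains only `0-9a-f`, so `mysql_real_escape_string()` is not needed for the hashed value (and applying it before hashing means the escaping, not the password, is what gets hashed); and looking the row up by `Username` and then comparing the stored hash in PHP, as in the question's original `check_password()`, keeps the password out of the query entirely.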

