Clever Geek Handbook

PHP / MYSQLi password validation problem using salt

I am having a problem getting the password stored in mysql according to the Login password using salt.

Here is the code for my password creation:

        $hash = hash('sha256', $password);

        function createSalt()
        {
        $text = md5(uniqid(rand(), true));
            return substr($text, 0, 3);
        }

        $salt = createSalt();
        $password = hash('sha256', $salt . $hash);

Here is the code on my login page:

        $userData = $result->fetch_array(MYSQL_ASSOC);

        $hash = hash('sha256', $password);

        $password = hash('sha256', $userData['salt'] . $hash);

        //$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) ); 

        if($password != $userData['Password']) // Incorrect password. So, redirect to login_form again.

There are no errors when creating a password in mysql (the field is filled by ie 0d02a88c1e1057a64df6b3fed4c6ad64e228313b803e9f9b36 ...

While Login creates something like: 51839f9a15dac1f26825f4cd5d2ecf7ae83ea88d440415b04fb6ae41c3a0566f

Just not sure where the problem is. Thanks in advance, I am very new to PHP.

-1


source to share


2 answers


First, you have some kind of confusing variable name here - you are using $ password to represent both a plaintext password and a salt and hash representation. This makes your code difficult to read.

Second, look at your code as a series of states to find where they might go wrong:



  • Password entry. Is the same string passed in both cases? Have you paid attention to gaps and capitalization? Use a test debugger. If the plaintext password is not a byte byte, then the original sha256 hash should show the difference at that point.
  • Salt production / extraction. Have you saved / retrieved the same salt, byte by byte? Again, look at spaces / caps, and also make sure your database isn't truncating or changing the encoding for the string.
  • Compare the lines after they were concatenated, but before the second sha256 operation. By definition, since the end result is different, either your plaintext password or salt is not identical bytes for bytes. This will help you determine if one or both are the culprit.
0


source


Make your life easier and keep your passwords more secure with password_hash () .

SHA- * algorithms are not suitable for hashing passwords because they are too fast. The password_hash () function will not only calculate a more suitable BCrypt hash, but it will also take care of creating a secure salt, and you will not have to store / retrieve the salt in a separate database field (it will become part of the resulting hash value).



// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
0


source






More articles:


All Articles