I have a register system set up that hashes registered passwords with SHA-512. I don't know how to make it log in with this type of hashed password. Here's my code:

```php
<?php

$host="localhost";
$username="root";
$password="";
$db_name="users";
$tbl_name="users";

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$username=$_POST['username'];
$password=$_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){

session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
```
Trevor Zucker
  • see this answer http://stackoverflow.com/questions/1966154/sha-512-library-for-php#1966162 – Khawer Zeshan Jul 22 '13 at 23:25
  • There are too many things wrong with this - consider reading up on how to *correctly* implement a hash-based password auth store: *don't re-implement authentication insecurely!* Without good knowledge of the concepts, it cannot help but be written incorrectly! Use a proven library instead! This topic has been beaten to death and PHP's `crypt` function mostly handles the details. If you're using SHA-x (the number of bits is irrelevant) or not using a salt, or have no idea why the first shouldn't be used and the latter is required, *keep reading* - but really, use *someone else's tested code!* – user2246674 Jul 22 '13 at 23:38
  • For all the answers posted, **unless you address (at least in passing) the issues related to *both* the lack of salt and the poor choice of hash function, you are doing the OP and future readers a disservice**. But again, this has been beaten to death... – user2246674 Jul 22 '13 at 23:42
  • I feel REALLY stupid. I had it correctly before I deleted the code. I found out that I set the limit for the string for the MySQL password field 'password' to 99. The passwords are more than 99 characters. – Trevor Zucker Jul 22 '13 at 23:44
  • Using bcrypt, scrypt, or PBKDF2 would all create a *shorter* "password" (it's the *hash of the password*) and - *when used with salt* - would actually result in a verified/valid approach. As it is now: poo. You might as well store the *real* passwords. (Actually, storing the real passwords would still be worse because many people share passwords between sites - ugh, use KeePass and move on - while the chances of them all using this horrid authentication is [hopefully] much lower.) – user2246674 Jul 22 '13 at 23:46

4 Answers


This is really bad :) Read up on SQL injection and why you should use prepared statements instead.

It's strange that you ask how to use the code you've written...

When you sha a string you encrypt it so if you have the sha'd password in the database you simply can't compare them.

You need to ask the user for their password, then create a new string from that that is also sha'd, and then compare them. Something like:

```php
// get the password the user typed into the form
$userInputFromForm = $_POST['password'];
// hash it the same way the registration script did
$shaPass = hash('sha512', $userInputFromForm);
if ($shaPass == $passwordFromDatabase) {
    return true;
} else {
    return false;
}
```
So, you need a form, you need to ask the user for their username or email address, whatever it is you've chosen, and ask them for their password.

In the example above, (which you really should change) you would create the shaPass as I mentioned above and then test the conditions in the database.

```php
if ($usernameFromForm == $usernameFromDatabase && $shaPass == $passwordFromDatabase) {
    $login = true;
    // set session data
    // redirect to home page
} else {
    // error etc.
}
```

You should get the idea from that.

null
```php
$hashed = hash('sha512', $password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$hashed'";
```
Becs Carter
You will need to compare the entered password with the hashed password in the database. To do that you hash the entered password too. If the password is valid the hash should be the same as in the database.

So just add

```php
$password = hash('sha512', $password);
```

before the query.

seymar

Use the hash() function:

```php
$password = hash('sha512', $password);
```

and check that sha512 is available using hash_algos():

```php
print_r(hash_algos());
```
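A complete login check in the spirit of these answers, as an added example that is not code from the question or any answer: it hashes the submitted password with SHA-512 and compares it with the stored digest using a prepared statement and a constant-time comparison, and, because the comments above push for salted slow hashes, it upgrades the row to a password_hash() value on a successful login. It assumes a PDO connection and the question's `users` table with `username` and `password` columns.

```php
<?php
// Added example, not code from the question or the answers. Assumes a PDO
// connection $pdo and the question's table `users` (columns `username`,
// `password`). Verifies a login against a stored SHA-512 hex digest and,
// on success, upgrades the row to a salted password_hash() value.

function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never spliced into the SQL,
    // so stripslashes()/mysql_real_escape_string() are not needed.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }

    if (substr($stored, 0, 1) === '$') {
        // Already migrated: salted, slow hash produced by password_hash().
        return password_verify($password, $stored);
    }

    // Legacy row: unsalted SHA-512 hex digest. hash() returns 128 hex
    // characters, so the column must be at least VARCHAR(128); the asker's
    // VARCHAR(99) could not hold the digest, which is why logins failed.
    if (!hash_equals($stored, hash('sha512', $password))) { // constant-time compare
        return false;
    }

    // Password is correct: rehash it with a per-user salt and a work factor
    // (bcrypt via PASSWORD_DEFAULT), as the comments above recommend.
    $upgrade = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upgrade->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    return true;
}

// Login form handler using the function above.
$pdo = new PDO('mysql:host=localhost;dbname=users;charset=utf8mb4', 'root', '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

if (verifyLogin($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
    session_start();
    $_SESSION['username'] = $_POST['username']; // store the user, never the password
    header('Location: login_success.php');
    exit;
}
echo 'Wrong Username or Password';
```

The same "unknown user or wrong password" message is returned in both failure cases so the login page does not reveal which usernames exist.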