0

I have a issue regarding logging in with password being hashed in database. My current script just tells me 'bad password' message even when its correct.

$s = $mysqli->query("SELECT * FROM `users` WHERE email`='".$_POST['email']."'") or die();
$i = $s->fetch_assoc();
if($_POST['password'] == sha1($i['password'])) {
echo "works";
} else {
    echo "bad password";
}
Jonas Sadiaas
  • 11
  • 1
  • can add an example hashed password string to your question ? – Ivan Barayev Jun 05 '16 at 22:27
  • 4
    Wide open to being hacked –  Jun 05 '16 at 22:28
  • why sha vs md5 http://security.stackexchange.com/questions/19705/is-sha1-better-than-md5-only-because-it-generates-a-hash-of-160-bits – unixmiah Jun 05 '16 at 22:30
  • @unixmiah there's nothing about `md5` in this question.. – chris85 Jun 05 '16 at 22:31
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jun 07 '16 at 12:14
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 07 '16 at 12:14

2 Answers2

5

You are doing it the wrong way round. The database password is already hashed I hope but the user enters a plain text password, so you need to hash what the user enters and see if that matches the hash you have on the database

$s = $mysqli->query("SELECT * FROM `users` WHERE `email`='{$_POST['email']}'") or die();
$i = $s->fetch_assoc();
if(sha1($_POST['password']) == $i['password']) {
    echo "works";
} else {
    echo "bad password";
}

However

Please dont roll your own password hashing. PHP provides password_hash() and password_verify() please use them, I might want to use your site one day And here are some good ideas about passwords If you are using a PHP version prior to 5.5 there is a compatibility pack available here

Also

Your script is at risk of SQL Injection Attack Have a look at what happened to Little Bobby Tables Even if you are escaping inputs, its not safe! Use prepared statement and parameterized statements

Community
  • 1
  • 1
RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
-1

Here is an example of how you can verify sha with mysql safely. 

<?php
  // Basic php MYSQL authentication with crypted password

  $username = $_POST['username'];
  $password = $_POST['password'];
  $salt = "CrazyassLongSALTThatMakesYourUsersPasswordVeryLong123!!312567__asdSdas";
  $password = hash('sha256', $salt.$password);
  //echo $password;

  // Mysql connection
  $mysqli = new mysqli("localhost","mysqluser","mysqlpassword","mysqldatabase");
  $stmt = $mysqli->prepare('SELECT userid FROM Users WHERE password = ? AND username = ?');
  // (ss -> string, string) Always bind parameters and use prepared statement to improve security
  $stmt->bind_param("ss", $password, $username);
  $stmt->execute();
  $stmt->bind_result($userid );

  if (!empty($stmt->fetch())) {
    // if fetch is not empty we have results and password hash was correct
    echo "User was found";
  } else
    echo "User was not found";

$mysqli->close();
?>
unixmiah
  • 3,081
  • 1
  • 12
  • 26
  • 2
    This is in no way safe! The salt is constant what makes it a pepper/key, your hashes are unsalted. The usage of SHA256 is not appropriate for hashing passwords, because it is way too fast ([14 Giga SHA256 per second](http://hashcat.net/oclhashcat/#performance)), what makes brute-forcing too easy. Instead use an algorithm with a cost factor: [see password_hash()](http://www.php.net/manual/en/function.password-hash.php). After all, your example uses parametrized queries which is a good thing. – martinstoeckli Jun 06 '16 at 06:45