开发者

php salt authentication

开发者 https://www.devze.com 2023-03-12 17:20 出处:网络
Thank you for your honest criticism towards my ignorance in php/mysql and I appreciate your help concerning this issue.

Thank you for your honest criticism towards my ignorance in php/mysql and I appreciate your help concerning this issue.

After making the corrections suggested below 开发者_Python百科I'm running into the issue where the registered

sha1(md5($password).$salt) 

is not === when compared to the login authentication

sha1(md5($password).$row['salt']); 

So I created a script to see what the login script was seeing and it compares the two.

 $query = "UPDATE `users` SET `form_password` = '$encrypted'  WHERE `username` = '$username'";  
     mysql_query($query) or die (mysql_error());

password is registered as "1fcb4bdeb8a98151f5f74a2af0b5045ec277c501"

and being called back as "f2c04d2583f111fcd41288dc75901f6c870cfc6b"

Here is the updated script on login:

else {  

$password = $_POST['password'];
$username = mysql_real_escape_string($_POST['username']);


$sql  =  "SELECT `password`, `salt` FROM `users` WHERE `username` = '$username' LIMIT 0,1";
$result = mysql_query($sql) or die(mysql_error());

if (is_resource($result) && mysql_num_rows($result) > 0){
    $row        =   mysql_fetch_array($result);
    $encrypted  =   sha1(md5($password).$row['salt']);

     if($encrypted === $row['password']){
    header('Location: page3.php');
    exit;
     } else{

     $query = "UPDATE `users` SET `form_password` = '$encrypted'  WHERE `username` = '$username'";  
     mysql_query($query) or die (mysql_error());

    header('Location: page2.php');
    exit;
     }
} else{
header('Location: page4.php');
exit;
}
}


a) How large is your password field in the database? SHA1 hashes are 40 characters long, so if you've got a field size less than that, your hashed password will be truncated.

b) Putting or die() on your $sql = ... line is pointless. Creating a string is extraordinarily unlikely to fail. You need to put the or die() on the line where the query is actually executed:

$sql = "..."
$result = mysql_query($sql) or die(...);

c) Your code is vulnerable to sql injection, as you paste the user-provided username and password directly into your queries without escaping.

d) You don't check if the query to get the user's pw/salt succeeds. If the username is incorrect, the query will retrieve no rows. This isn't an error condition, as the query did what it was supposed to. You need to check, via mysql_num_rows($result) if the query did return a row or not.


You are quoting your column identifiers incorrectly. Use backticks or nothing at all.

SELECT 'salt' FROM table WHERE ....

Will return "salt". Use instead:

SELECT `salt` ....

or

SELECT salt ....

Please also consider the points that Marc B made. They are all good and valid.


You have got so many things wrong there.

Here is your working code:

The db password is encrypted as:

<?php
function generateSalt(){
    // Declare $salt
    $salt = '';

    // And create it with random chars
    for ($i = 0; $i < 2; $i++){
        $salt .= chr(rand(48, 57)) . chr(rand(65, 90)) . chr(rand(97, 122));
    }

    return $salt;
}
$salt       =   generateSalt();
$encrypted  =   sha1(md5($password).$salt);
$query      =   "INSERT INTO `users`(`password`, `salt`) VALUES '$encrypted', '$salt')";
?>

index. php

<?php
function salt() {
    // Declare $salt
    $salt = '';
    
    // And create it with random chars
    for ($i = 0; $i < 2; $i++){
        $salt .= chr(rand(48, 57)) . chr(rand(65, 90)) . chr(rand(97, 122));
    }
    
    return $salt;
 }
 
$password = $_POST['password'];
$username = mysql_real_escape_string($_POST['username']); 

$sql        =   "SELECT `password`, `salt` FROM `users` WHERE `username` = '$username' LIMIT 0,1";
$result     =   mysql_query($sql) or die('Could not access user.');
if(is_resource($result) && mysql_num_rows($result) > 0){
    $row        =   mysql_fetch_array($result);
    $encrypted  =   sha1(md5($password).$row['salt']);

    if($encrypted === $row['password']){
        header('Location: page3.php');
        exit;
    } else{
        header('Location: page2.php');
        exit;
    }
} else{
    header('Location: page2.php');
    exit;
}
?>


i would do this in pseudo-code

$salt='secretword';// that do not change
$encrypted=sha1($password.$salt);

INSERT INTO users (username,password) VALUES($username, $encrypted);

later

//get $username and $password from user input
$encrypted=sha1($password.$salt);
SELECT * FROM users WHERE username='$username' and password='$encrypded' LIMIT 1

note encrypting should be done in php because MySQL will calculate SHA1(..) for each row when matching and is unnecessary waste

0

精彩评论

暂无评论...
验证码 换一张
取 消