Hello,

I just created code for login using an encrypted password method. When a user registers, I run a password encryption script. But the main problem is that when it comes to verifying the login, how do I verify the password? As the password is saved as an encrypted password, how do I verify it?

Thank you

function hashSSHA($password) {

        $salt = sha1(rand());
        $salt = substr($salt, 0, 10);
        $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
        $hash = array("salt" => $salt, "encrypted" => $encrypted);
        return $hash;
    }

    function adduser($connect) {
        $fname  = $_POST['FirstName'];
        $lname  = $_POST['LastName'];
        $uname  = $_POST['username'];
        $pass   = $_POST['Password'];
        $email  = $_POST['Email'];
        $option = $_POST['SellingInterest'];

        $hash = hashSSHA($pass);
        $encrypted_password = $hash["encrypted"]; // encrypted password
        $salt = $hash["salt"];

        // Prepared statement: user input is bound as parameters, never concatenated into the SQL string
        $query  = "INSERT INTO users (fname, lname, username, password, salt, email, interest) VALUES (?, ?, ?, ?, ?, ?, ?)";

        $stmt   = mysqli_prepare($connect, $query);
        $insert = $stmt
            && mysqli_stmt_bind_param($stmt, "sssssss", $fname, $lname, $uname, $encrypted_password, $salt, $email, $option)
            && mysqli_stmt_execute($stmt);

        if($insert) {
            $_SESSION["msg"] = "You have successfully registered";
            header("Location: login.php");
        } else {
            $_SESSION["msg"] = "There were some errors";
            header("Location: signup.php");
        }
    }

For login verification I used the following script:

function verify($connect) {
        $username  = $_POST["username"];
        $password1 = mysqli_real_escape_string($connect, $_POST["password"]);
        $password  = hashSSHA($password1);

        $get_query = mysqli_query($connect, "SELECT * FROM users");

        while($record = mysqli_fetch_assoc($get_query)) {
            $uname = $record["username"];
            $email = $record["email"];
            $pass  = $record["password"];

            if($username == $uname || $username == $email) {
                if($password == $pass) {
                    $_SESSION["uname"] = $username;
                    $_SESSION["uid"]   = $record["uid"];
                    header("Location: index.php?uid".$_SESSION["uid"]);
                }
            } else {
                $_SESSION["message"] = "Invalid Username/Password provided";
                header("Location: login.php");
            }
        }
    }

password set by user

abc1234

Encrypted password
Eo0kjoQ3oJYQBHEMyxp+xfL8xylkYzJiNzQ4ZGMy

So I noticed the condition becomes false.


My updated verify code

        $get_query = mysqli_query($connect, "SELECT * FROM users");

        while($record = mysqli_fetch_assoc($get_query)) {
            $uname = $record["username"];
            $email = $record["email"];
            $pass  = $record["password"];

            if($username == $uname || $username == $email) {
                if($password == $pass) {
                    $_SESSION["uname"] = $username;
                    $_SESSION["uid"]   = $record["uid"];
                    header("Location: index.php?uid".$_SESSION["uid"]);
                }
            } else {
                $_SESSION["message"] = "Invalid Username/Password provided";
                header("Location: login.php");
            }
        }
    }

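To hash your password:

// Renamed from Hash(): PHP function names are case-insensitive, so Hash() collides with the built-in hash()
function HashPassword($pwd, $salt = null){
    if ($salt === null){
        // New password: generate a fresh 10-character salt
        $salt = substr(md5(uniqid(rand(), true)), 0, 10);
    }
    else     {
        // Existing password: reuse the salt taken from the stored value
        $salt = substr($salt, 0, 10);
    }
    // The stored value is the salt followed by the SHA-1 hex digest
    return $salt . sha1($pwd . $salt);
}

To check that the hashed password is equivalent to what the user keyed in:

if ($database_hashed_password === HashPassword($user_key_pass,substr($database_hashed_password,0,10))) {
    // password matches
}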
Member Avatar for diafol

If you're using PHP >= 5.5.0 consider using the password_hash() and password_verify() functions.

Note: read http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

sha1 is not safe, do not use it! Have a read through this and at the very least use the crypt() function.

Lau has sort of narrowed down how to do the login system: hash the correct password when saving the user, hash the entered login password in the same way, if they're the same it's all good - otherwise it's an imposter.

Sorry @diafol you just beat me to it ;)
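
The approach from the replies above as an added example (not code from any poster): the stored value supplies the salt, so verification recomputes against what is stored instead of hashing the login input with a fresh salt. It goes one step further and upgrades a record in the thread's hashSSHA() format to password_hash() on the next successful login; the in-memory $users array, the account names and the salt value are constructed for the demo.

```php
<?php
// Added example, not code from the thread. $users is a constructed in-memory
// stand-in for the users table (username => stored hash).

// Check a password against the thread's hashSSHA() format:
// base64( sha1(password . salt, raw) . salt ). The salt is read back out of
// the stored value, never regenerated.
function verifyLegacySSHA(string $password, string $stored): bool {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 20) {
        return false;                       // malformed record
    }
    $digest = substr($raw, 0, 20);          // raw SHA-1 digest is 20 bytes
    $salt   = substr($raw, 20);             // the rest is the salt
    return hash_equals($digest, sha1($password . $salt, true));
}

function register(array &$users, string $username, string $password): void {
    // password_hash() picks a random salt and embeds it in its output.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $username, string $password): bool {
    $stored = $users[$username] ?? null;
    if ($stored === null) {
        return false;
    }
    $modern = password_get_info($stored)['algoName'] !== 'unknown';
    $ok = $modern ? password_verify($password, $stored)
                  : verifyLegacySSHA($password, $stored);
    // On success, replace legacy or outdated hashes with a current one.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Constructed sample data.
$users = [];
register($users, 'alice', 'abc1234');
$salt = 'a1b2c3d4e5';                       // constructed 10-character salt
$users['bob'] = base64_encode(sha1('abc1234' . $salt, true) . $salt);

var_dump(login($users, 'alice', 'abc1234'));   // modern hash, right password
var_dump(login($users, 'alice', 'wrong'));     // modern hash, wrong password
var_dump(login($users, 'bob', 'abc1234'));     // legacy hash, then upgraded
var_dump(password_get_info($users['bob'])['algoName']); // algorithm after login
```

In the real application the lookup would be a single prepared query on username or email rather than an array access.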

Perfect, worked for me. Thank you again @diafol, once again.

$password1 = $_POST["password"]; // raw input: escaping would change the password before it is verified

        $get_query = mysqli_query($connect, "SELECT * FROM users");

        while($record = mysqli_fetch_assoc($get_query)) {
            $uname = $record["username"];
            $email = $record["email"];
            $pass  = $record["password"]; // hash stored by password_hash() at registration

            // Verify against the stored hash; a hash freshly made from the same input always matches
            $password  = password_verify($password1, $pass);
        }

How do I decrypt that password again, to get the user-entered password for a forgot-password function?

commented: In a good design you NEVER can decrypt the original password. Or at least it should be insanely hard. +15