Hello,

I just created code for login using an encrypted password method. When the user registers, I encrypt the password with a script I made. But the main problem is login verification: how do I verify the password, since it is saved as an encrypted password?

Thank you

function hashSSHA($password) {

        $salt = sha1(rand());
        $salt = substr($salt, 0, 10);
        $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
        $hash = array("salt" => $salt, "encrypted" => $encrypted);
        return $hash;
    }

    function adduser($connect) {
        $fname  = $_POST['FirstName'];
        $lname  = $_POST['LastName'];
        $uname  = $_POST['username'];
        $pass   = $_POST['Password'];
        $email  = $_POST['Email'];
        $option = $_POST['SellingInterest'];

        $hash = hashSSHA($pass);
        $encrypted_password = $hash["encrypted"]; // encrypted password
        $salt = $hash["salt"];

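        // Bind the form values as parameters instead of concatenating them into the SQL string
        $stmt = mysqli_prepare($connect, "INSERT INTO users (fname, lname, username, password, salt, email, interest) VALUES (?, ?, ?, ?, ?, ?, ?)");
        mysqli_stmt_bind_param($stmt, "sssssss", $fname, $lname, $uname, $encrypted_password, $salt, $email, $option);

        $insert = mysqli_stmt_execute($stmt);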

        if($insert) {
            $_SESSION["msg"] = "You have successfully registered";
            header("Location: login.php");
        } else {
            $_SESSION["msg"] = "There were some errors";
            header("Location: signup.php");
        }
    }

For login verification I used the following script:

function verify($connect) {
        $username  = $_POST["username"];
        $password1 = mysqli_real_escape_string($connect, $_POST["password"]);
        $password  = hashSSHA($password1);

        $get_query = mysqli_query($connect, "SELECT * FROM users");

        while($record = mysqli_fetch_assoc($get_query)) {
            $uname = $record["username"];
            $email = $record["email"];
            $pass  = $record["password"];

            if($username == $uname || $username == $email) {
                if($password == $pass) {
                    $_SESSION["uname"] = $username;
                    $_SESSION["uid"]   = $record["uid"];
                    header("Location: index.php?uid".$_SESSION["uid"]);
                }
            } else {
                $_SESSION["message"] = "Invalid Username/Password provided";
                header("Location: login.php");
            }
        }
    }

Password set by user:

abc1234

Encrypted password:
Eo0kjoQ3oJYQBHEMyxp+xfL8xylkYzJiNzQ4ZGMy

So I noticed the condition becomes false.


My updated verify code

        $get_query = mysqli_query($connect, "SELECT * FROM users");

        while($record = mysqli_fetch_assoc($get_query)) {
            $uname = $record["username"];
            $email = $record["email"];
            $pass  = $record["password"];

            if($username == $uname || $username == $email) {
                if($password == $pass) {
                    $_SESSION["uname"] = $username;
                    $_SESSION["uid"]   = $record["uid"];
                    header("Location: index.php?uid".$_SESSION["uid"]);
                }
            } else {
                $_SESSION["message"] = "Invalid Username/Password provided";
                header("Location: login.php");
            }
        }
    }

To hash your password:

// Named HashPassword() because PHP function names are case-insensitive and Hash() would collide with the built-in hash().
function HashPassword($pwd, $salt = null){
    if ($salt === null){
        $salt = substr(md5(uniqid(rand(), true)), 0, 10);
    }
    else     {
        $salt = substr($salt, 0, 10);
    }
    return $salt . sha1($pwd . $salt);
}

To check that the hashed password matches what the user keyed in:

if ($database_hashed_password === HashPassword($user_key_pass,substr($database_hashed_password,0,10))) {
    // password matches
}

Edited by Lau_1

If you're using PHP >= 5.5.0 consider using the password_hash() and password_verify() functions.
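
The password_hash()/password_verify() approach suggested above, as an added example that is not code from any poster in this thread; it also checks the question's legacy salted SHA-1 values with the stored salt and upgrades them on login. The PDO in-memory SQLite table, the function names and the sample rows are assumptions made so the example runs offline (the thread itself uses mysqli).

```php
<?php
// Constructed stand-in for the thread's `users` table (assumption: PDO + in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE,
           email TEXT UNIQUE, password TEXT, salt TEXT)');

// Legacy scheme from the question, recomputed with the STORED salt (hypothetical helper name).
function legacy_ssha(string $password, string $salt): string {
    return base64_encode(sha1($password . $salt, true) . $salt);
}

function register(PDO $db, string $username, string $email, string $password): void {
    // password_hash() picks the salt and embeds it in its output; no salt column needed.
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $stmt->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $login, string $password): ?int {
    // Fetch only the candidate row, using bound parameters.
    $stmt = $db->prepare('SELECT uid, password, salt FROM users WHERE username = ? OR email = ?');
    $stmt->execute([$login, $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $legacy = $row['salt'] !== null;
    $ok = $legacy
        ? hash_equals($row['password'], legacy_ssha($password, $row['salt'])) // constant-time compare
        : password_verify($password, $row['password']);
    if (!$ok) {
        return null;
    }
    if ($legacy || password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        // Upgrade the stored value while the plaintext is at hand.
        $db->prepare('UPDATE users SET password = ?, salt = NULL WHERE uid = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['uid']]);
    }
    return (int) $row['uid'];
}

// Constructed sample rows: one legacy user (demo salt) and one registered the new way.
$salt = '0a1b2c3d4e';
$db->prepare('INSERT INTO users (username, email, password, salt) VALUES (?, ?, ?, ?)')
   ->execute(['olduser', 'old@example.test', legacy_ssha('abc1234', $salt), $salt]);
register($db, 'newuser', 'new@example.test', 'correct horse');

var_dump(login($db, 'olduser', 'abc1234'));          // legacy hash verifies, row is upgraded
var_dump(login($db, 'old@example.test', 'abc1234')); // same user, now via password_verify()
var_dump(login($db, 'newuser', 'wrong password'));   // rejected
```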

Perfect, worked for me. Thank you once again, @diafol.

$password1 = $_POST["password"]; // raw input: password_verify() needs the password unescaped

        $get_query = mysqli_query($connect, "SELECT * FROM users");

        while($record = mysqli_fetch_assoc($get_query)) {
            $uname = $record["username"];
            $email = $record["email"];
            $pass  = $record["password"]; // hash stored by password_hash() at registration

            // Verify against the stored hash; a hash freshly computed from the same input would always match.
            $password  = password_verify($password1, $pass);
            // ... username check and session setup as before
        }

How do I decrypt that password again, to get the user-entered password for a forgot-password function?

In a good design you NEVER can decrypt the original password. Or at least it should be insanely hard.