php - Trouble with password verification with salt/password/hash -

-

i've got 1 function create new user generating salt, appending password, , hashing combination. i've got function user login verification, takes user's entered password , adds user's unique salt, hashes, , compares encrypted password in database (see comments throughout code).

i've echoed out important variables in uservalidate() function, can never hash+user password match encrypted password database. can tell me i'm doing wrong?

create user function:

function createnewuser($firstname, $lastname, $email, $password, $address, $city, $state) {      $conn = connectpdo();      // create salt     $salt = mcrypt_create_iv(64, mcrypt_dev_urandom);      // add salt password     $salted_password = $salt.$password;      // hash salt/password combination, added "password" column of database     $encrypted_password = hash('sha256', $salted_password);      $datetime = date("y-m-d h:i:s");      $stmt = $conn->prepare("insert users (`first-name`, `last-name`, `email-address`,                               `password`, `salt`, `address`,                               `city`, `state`,                               `registered-timedate`) values (                                 :field1, :field2, :field3, :field4, :field5, :field6, :field7, :field8, '$datetime')");      return ($stmt->execute(array('field1' => $firstname,                           'field2' => $lastname,                           'field3' => $email,                           'field4' => $encrypted_password,                           'field5' => $salt,                           'field6' => $address,                           'field7' => $city,                           'field8' => $state))); }

validate user's login:

function uservalidate($email, $user_password) {     $conn = connectpdo();     $sql = "select `salt`,`password` users `email-address`='$email'";     $q = $conn->query($sql);     $row = $q->fetch();  // user's unique password salt $salt = $row['salt'];  // find hashed salt/password combination $database_password = $row['password'];  // add salt user's entered password , encrypt $salted_password = $salt.$user_password; $encrypted_password = hash('sha256', $salted_password);   // compare user password/salt hash 1 stored in database if($encrypted_password == $database_password) {     return true; } else {     return false; } }

edit:

i've echo'd vars on registration page , i'm getting salts w/ many special characters "j~Ã×/q,ó¸5 áczçvÁ!—Î/åÿâÑ^:h1z¬mÃf¤º`„ù‹w¡ìe(wúô ww" not going in database verbatim--goes in "4a7ec3d72f00712cf31eb8350f20e1637ae776c1902197ce2f1ae57fff0be2d1135e3a681e315aac4dc346a4ba608402f98b77a1ec126590281157faf40977570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000". data type should use in databsae salts... , shouldn't salting/hashing/comparing generate same 2 encrypted passwords each (because salts still same?)

i suspect run 1 of 2 problems:

  1. the database field hashed password small, field must able store 64 characters.
  2. there problem encoding of salt, keep in mind salt generated mcrypt_create_iv() binary string , can contain character (even \0 characters).

even if can solve problem, have unsafe scheme store passwords (sha256 ways fast hashing passwords). have @ php function password_hash(), generate bcrypt hash , takes care of generation of safe salt. salt part of resulting 62 character string, there no need store salt separately. there exist compatibility pack older php versions.

// hash new password storing in database. // function automatically generates cryptographically safe salt. $hashtostoreindb = password_hash($password, password_bcrypt);  // check if hash of entered login password, matches stored hash. // salt , cost factor extracted $existinghashfromdb. $ispasswordcorrect = password_verify($password, $existinghashfromdb);

Comments

Post a Comment

Popular posts from this blog

c++ - How to add Crypto++ library to Qt project -

-
Image
i downloaded crypto++ source , compiled cryptlib project in visual studio 2013, , added generated .lib file qt project, made .pro file this: qt += core gui qt += sql greaterthan(qt_major_version, 4):qt += widgets target = untitled template = app sources += main.cpp\ mainwindow.cpp headers += mainwindow.h \ databasecontrol.h \ test.h forms += mainwindow.ui win32:config(release, debug|release): libs += -l$$pwd/ -lcryptlib else:win32:config(debug, debug|release): libs += -l$$pwd/ -lcryptlibd else:unix: libs += -l$$pwd/ -lcryptlib includepath += $$pwd/ dependpath += $$pwd/ win32-g++:config(release, debug|release): pre_targetdeps += $$pwd/libcryptlib.a else:win32-g++:config(debug, debug|release): pre_targetdeps += $$pwd/libcryptlibd.a else:win32:!win32-g++:config(release, debug|release): pre_targetdeps += $$pwd/cryptlib.lib else:win32:!win32-g++:config(debug, debug|release): pre_targetdeps += $$pwd/cryptlibd.lib else:unix: pre_targetdeps += $$pw...
Read more

jQuery Mobile app not scrolling in Firefox -

-
i have mobile app built in jquery mobile. scrolling fine in chrome & safari, fails scroll in firefox on desktop. have other instances of same app, different features, , works across browsers. life of me, cannot figure this, please help! located here: http://re-brand.us/dsus/index.html seems bug in firefox: bug log . able scroll using keyboard not trackpad on mac. are using mac? i'll keep looking see if can find way around it.
Read more

how to receive file in java(servlet/jsp) -

-
hi making communication protocol. on web server send 1 file curl(in c# post http request). task been done. how should receive file java on web server gone through this article . file downloading. want receive file java. this link may .. have provide multiprt form data .. http://www.journaldev.com/2122/servlet-3-file-upload-using-multipartconfig-annotation-and-part-interface
Read more