1

I have started to work on making a login system and am using the crypt function for the encoding of passwords. My problem is that when I register the user with their username and password, it all works and saves the username, password and salt to the database. Here is the code for the registration:

Note: this is only a test register page at the moment

$username=$_POST["username"];
$password=$_POST["password"];


$salt = substr(md5(microtime()),rand(0,26),15);
$hashedPass = crypt($password,'$2y$10$' . $salt);


$sql="INSERT INTO `users`(`id`, `username`, `password`, `salt`, `Perm_level`) VALUES (NULL,'$username','$hashedPass','$salt','test')";
$result=mysql_query($sql);

It encrypts it correctly, so a real example is the password test comes out as: $2y$10$d395985a2ca993f$$$$$$.k8lxPkUCenMKsOJ6V8tdO6Pl/Gl1/OW

And its salt is:
d395985a2ca993f

When I go to log in, though, I pull the salt out of the database and try to re-encrypt it in the same way, but I get a different encrypted password... The salt is correct and so is the first part of the password, so this part: "$2y$10$d395985a2ca993f$$$$$$."

Here is the code below for the login:

$sql="SELECT * FROM `users` WHERE username='$user'";
$result=mysql_query($sql);

while($rows=mysql_fetch_array($result)){
$salt=$rows['salt'];
}

$hashedPass = crypt($password,'$2y$10$' . $salt);

$sql="SELECT * FROM `users`WHERE username='$user' AND `password` = '$hashedPass'";
$result=mysql_query($sql);

    if($result) {
        if(mysql_num_rows($result) == 1) {
            echo "Successful Login";

        }
    }

For the login page the salt is correct, but here is the password once it has been hashed: $2y$10$d395985a2ca993f$$$$$$.ccy3PKl.TsG26FWJBFXKmpQ3wtk4AqC

The first part up to the full stop is correct; it's just the second half that is different.

I have tried to set the salt to a manual one, like abc or 123, just for tests on the logon and register pages, but I still have the same error.

BenMorel
Matthew

2 Answers

0

When you put your values into the database, make sure you escape them.

$escapeUserName= mysql_real_escape_string($username);
$escapeHashedPass= mysql_real_escape_string($hashedPass);
$escapeSalt= mysql_real_escape_string($salt);

$sql="INSERT INTO `users`(`id`, `username`, `password`, `salt`, `Perm_level`)
      VALUES (NULL,'$escapeUserName','$escapeHashedPass','$escapeSalt','test')"; 

Otherwise special characters may not be inserted correctly, and you'll get the problem you experience.


Note that these mysql functions are being deprecated and you should use mysqli or PDO instead. If you did, and used parametrized queries, this would never have happened, as they handle the escaping for you. This inherently makes them more secure. You should consider using the new functions before you get used to the old ones.

BenMorel
Robbie
0

From your code I see you use blowfish hashing.

When you use blowfish hashing, your salt needs to be base64 encoded, and after that you have to replace '+' with a dot.

And your salt should be 22 characters long.

Also, best practice is to use a PHP hashing package, like this one: http://www.openwall.com/phpass/

Very few people can code a correct hashing function. It requires very advanced and specialised knowledge.

anru
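An added example, not code from the question or from either answer: the same register and login flow using parametrized queries (as the first answer recommends) and a library-generated bcrypt salt (the concern of the second answer). It uses PHP's built-in password_hash() and password_verify() (PHP 5.5+) in place of the phpass package linked above. The in-memory SQLite database, the table layout and the function names register_user and check_login are assumptions made so the block runs stand-alone on PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example: table layout, function names and the in-memory SQLite
// database are assumptions, chosen so the script runs offline.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL
)');

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a valid random bcrypt salt and embeds it,
    // with the cost, in the returned string: no separate salt column.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

    // Placeholders keep the values out of the SQL text, so the '$', '.'
    // and '/' characters in the hash need no manual escaping.
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Select by username only; the hash is compared in PHP, not in SQL.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // no such user
    }
    // password_verify() reads the salt and cost back out of the stored
    // hash and performs a timing-safe comparison.
    return password_verify($password, $hash);
}

// Constructed sample data: a username containing a quote and the
// password "test" from the question.
register_user($pdo, "o'brien", 'test');
var_dump(check_login($pdo, "o'brien", 'test'));
var_dump(check_login($pdo, "o'brien", 'wrong'));
var_dump(check_login($pdo, 'nobody', 'test'));
```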