stackoom
  简体   繁体   中英

How to change a SALT password in a database using PHP?

 原文  2013-02-24 21:27:53       php/ sql/ passwords/ sql-update/ salt

Question

I am using a HTTP POST from android to some php script in order to update a users password in the database.

I am using the same SALT hash as is done when the user creates the account and the database update is running and changing the values of SALT however when I try to log in with the new password it is coming as incorrect.

The initial code for creating the password is: 

public function storeUser($name, $email, $password, $rand) {
    $uuid = uniqid('', true);
    $hash = $this->hashSSHA($password);
    $encrypted_password = $hash["encrypted"]; // encrypted password
    $salt = $hash["salt"]; // salt
    $auth = 0;
    $result = mysql_query("INSERT INTO users(unique_id, authorized, auth_code, name, email, encrypted_password, salt, created_at) VALUES('$uuid', '$auth', '$rand', '$name', '$email', '$encrypted_password', '$salt', NOW())");
    // check for successful store
    if ($result) {
        // get user details 
        $uid = mysql_insert_id(); // last inserted id
        $result = mysql_query("SELECT * FROM users WHERE uid = $uid");
        // return user details
        return mysql_fetch_array($result);
    } else {
        return false;
    }
}

The hashing functions are: 

 /**
 * Encrypting password
 * @param password
 * returns salt and encrypted password
 */
public function hashSSHA($password) {

    $salt = sha1(rand());
    $salt = substr($salt, 0, 10);
    $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}

/**
 * Decrypting password
 * @param salt, password
 * returns hash string
 */
public function checkhashSSHA($salt, $password) {

    $hash = base64_encode(sha1($password . $salt, true) . $salt);

    return $hash;
}

And finally the update function (where the problem is): 

 /**
 * Updating a users
 * password
 */
public function updatePassword($email, $password) {
    $uuid = uniqid('', true);
    $hash = $this->hashSSHA($password);
    $encrypted_password = $hash["encrypted"]; // encrypted password
    $salt = $hash["salt"]; // salt

    $result = mysql_query("UPDATE users SET encrypted_password='$encrypted_password',  updated_at = NOW() WHERE email='$email'");
    $result = mysql_query("UPDATE users SET salt='$salt',  updated_at = NOW() WHERE email='$email'");


    // check for successful store
    if ($result) {
        // get user details
        $uid = mysql_insert_id(); // last inserted id
        $result = mysql_query("SELECT * FROM users WHERE email = '$email'");
        // return user details
        return mysql_fetch_array($result);
    } else {
        return false;
    }
}

As always any help greatly appreciated.

EDIT:

Login function as requested: 

 /**
 * Get user by email and password
 */
public function getUserByEmailAndPassword($email, $password) {
    $result = mysql_query("SELECT * FROM users WHERE email = '$email'") or die(mysql_error());
    // check for result
    $no_of_rows = mysql_num_rows($result);
    if ($no_of_rows > 0) {
        $result = mysql_fetch_array($result);
        $salt = $result['salt'];
        $encrypted_password = $result['encrypted_password'];
        $hash = $this->checkhashSSHA($salt, $password);
        // check for password equality
        if ($encrypted_password == $hash) {
            // user authentication details are correct
            return $result;
        }
    } else {
        // user not found
        return false;
    }
}

1 answers

solution1
 0  2013-02-26 10:17:28

You have built a weak scheme to hash your passwords, because you use a single iteration of SHA1 as hash function, and because the salt is truncated to 10 characters and is generated with the cryptographically unsafe rand() function. Then you make your life harder than necessary with storing the salt in a separate field.

In your case i would strongly recommend to use the new functions password_hash() and password_verify() of PHP to get a strong BCrypt hash. They take care of the generation of a safe random salt, and the resulting string contains the hash-value as well the salt, so you can store it in a single field in your database. There exists a compatibilty pack for earlier PHP versions.

The easiest way to use this functions will be: 

$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

To answer your question: I couldn't see an obvious reason why it doesn't work, often the problem is a database field that is too short. In your case you need place for a binary SHA1 with a 10 character salt added, that is base64_encoded (difficult to predict the necessary size). It can also be dangerous to combine the binary string from SHA1 (null bytes) with a normal string.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Using Salt To Encrypt Password PHP how to encrypt / decrypt password with salt using libsodium php How to include random salt with password variable in php PHP Salt and hashing of password PHP Salt password encryption Encrypt password using jquery and salt then verify salted password hash in php How to replicate password hash for provided password and salt (PHP/MySQL) How to check the password in Mysql Database against the entered one if we are using salt technique? How to write SQL statement for generating encrypted password in MySQL for CakePHP website database using CakePHP hashing algorithm and SALT? decrypt password using salt
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM