php - Trouble with password verification with salt/password/hash -

-

i've got 1 function create new user generating salt, appending password, , hashing combination. i've got function user login verification, takes user's entered password , adds user's unique salt, hashes, , compares encrypted password in database (see comments throughout code).

i've echoed out important variables in uservalidate() function, can never hash+user password match encrypted password database. can tell me i'm doing wrong?

create user function:

function createnewuser($firstname, $lastname, $email, $password, $address, $city, $state) {      $conn = connectpdo();      // create salt     $salt = mcrypt_create_iv(64, mcrypt_dev_urandom);      // add salt password     $salted_password = $salt.$password;      // hash salt/password combination, added "password" column of database     $encrypted_password = hash('sha256', $salted_password);      $datetime = date("y-m-d h:i:s");      $stmt = $conn->prepare("insert users (`first-name`, `last-name`, `email-address`,                               `password`, `salt`, `address`,                               `city`, `state`,                               `registered-timedate`) values (                                 :field1, :field2, :field3, :field4, :field5, :field6, :field7, :field8, '$datetime')");      return ($stmt->execute(array('field1' => $firstname,                           'field2' => $lastname,                           'field3' => $email,                           'field4' => $encrypted_password,                           'field5' => $salt,                           'field6' => $address,                           'field7' => $city,                           'field8' => $state))); }

validate user's login:

function uservalidate($email, $user_password) {     $conn = connectpdo();     $sql = "select `salt`,`password` users `email-address`='$email'";     $q = $conn->query($sql);     $row = $q->fetch();  // user's unique password salt $salt = $row['salt'];  // find hashed salt/password combination $database_password = $row['password'];  // add salt user's entered password , encrypt $salted_password = $salt.$user_password; $encrypted_password = hash('sha256', $salted_password);   // compare user password/salt hash 1 stored in database if($encrypted_password == $database_password) {     return true; } else {     return false; } }

edit:

i've echo'd vars on registration page , i'm getting salts w/ many special characters "j~Ã×/q,ó¸5 áczçvÁ!—Î/åÿâÑ^:h1z¬mÃf¤º`„ù‹w¡ìe(wúô ww" not going in database verbatim--goes in "4a7ec3d72f00712cf31eb8350f20e1637ae776c1902197ce2f1ae57fff0be2d1135e3a681e315aac4dc346a4ba608402f98b77a1ec126590281157faf40977570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000". data type should use in databsae salts... , shouldn't salting/hashing/comparing generate same 2 encrypted passwords each (because salts still same?)

i suspect run 1 of 2 problems:

  1. the database field hashed password small, field must able store 64 characters.
  2. there problem encoding of salt, keep in mind salt generated mcrypt_create_iv() binary string , can contain character (even \0 characters).

even if can solve problem, have unsafe scheme store passwords (sha256 ways fast hashing passwords). have @ php function password_hash(), generate bcrypt hash , takes care of generation of safe salt. salt part of resulting 62 character string, there no need store salt separately. there exist compatibility pack older php versions.

// hash new password storing in database. // function automatically generates cryptographically safe salt. $hashtostoreindb = password_hash($password, password_bcrypt);  // check if hash of entered login password, matches stored hash. // salt , cost factor extracted $existinghashfromdb. $ispasswordcorrect = password_verify($password, $existinghashfromdb);

Comments

Post a Comment

Popular posts from this blog

java - Intellij Synchronizing output directories .. -

-
i trying build project, run in debug mode , keep getting "synchronizing output directories" in intellij. takes around 5-10 minutes actual build. project empty , stored on local drive. tried invalidate catche has not worked. out of ideas .. had similar issues? most likely, of data on network drive or in profile being synchronized network drive. if on windows, try moving .ideaxxx/system directory , work directory somewhere else on c: drive.
Read more

git - Initial Commit: "fatal: could not create leading directories of ..." -

-
i trying make initial commit git repository on github unity project. followed along this guide am. note: reason or another, couldn't set unity's asset serialization mode force text, settled on mixed (which believe should work). when call git clone --bare . , error. note not creator of repository , contributor (though making initial commit). here's in terminal (i'm using git bash): welcome git (version 1.8.4-preview20130916) run 'git git' display index. run 'git <command>' display specific commands. cheddar@cheddar-pc ~ $ cd documents/ics168swarch/ cheddar@cheddar-pc ~/documents/ics168swarch $ git init initialized empty git repository in c:/users/cheddar/documents/ics168swarch/.git / cheddar@cheddar-pc ~/documents/ics168swarch (master) $ git add . warning: lf replaced crlf in assets/prefabs.meta. file have original line endings in working directory. warning: lf replaced crlf in assets/prefabs/pellet.prefab.meta. file have original
Read more