PHPDevil Posted December 18, 2012

Hey guys, basically I'm trying to use PHPASS for hashing passwords. I've got an issue with my login page, where I have this code when it comes to authentication:

if( $page_mode == 'Login' ) {
    require "globe.php"; // db connect, sets up $mysqli

    $username = htmlentities($_POST['username']);
    $username = mysqli_real_escape_string($mysqli, $username);
    $password = mysqli_real_escape_string($mysqli, $_POST['password']);

    $query   = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
    $row     = mysqli_fetch_assoc($query);
    $numrows = mysqli_num_rows($query);
    $dbuser  = $row['Username'];
    $dbpass  = $row['Password']; // stored PHPass hash, e.g. $P$B...

    $hash_cost_log2 = 8;
    // Do we require the hashes to be portable to older systems (less secure)?
    $hash_portable = FALSE;
    $hasher = new PasswordHash($hash_cost_log2, $hash_portable);

    // Debug only: a fresh hash uses a fresh random salt, so it will never be
    // equal to the stored one. Comparing hashes to each other cannot work.
    $hash = $hasher->HashPassword($password);

    if( ($username == '') || ($password == '') ) {
        $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
    } else if ($numrows == 1) {
        // CheckPassword() takes the plaintext first and the stored hash second;
        // it reads the salt out of $dbpass and re-hashes $password with it.
        if ($hasher->CheckPassword($password, $dbpass)) {
            $error_string .= 'Authentication succeeded';
            echo $password;
            echo "<br />";
            echo $hash;
            echo "<br />";
            echo $dbpass;
        } else {
            $error_string .= 'Authentication failed';
            echo $password;
            echo "<br />";
            echo $hash;
            echo "<br />";
            echo $dbpass;
        }
    } else {
        $error_string .= '<font color=red>No username can be found! (2)</font>';
    }
}

I've tried debugging it but can only see that the db password and the user-entered password won't match. For example, when I type in the CORRECT password I get the user-entered password after hashing: $P$BsFbIyt3TqmiENpkiiFmanysGL3sqy/ and the database password, which is correct: $P$BeVDgwR8j3fCeB2AiziyqsXJHNHdJt. It's driving me mad :(
Aventro Posted December 19, 2012

One does simply not use mysqli_real_escape_string on a password hash.
HauntedDawg Posted December 19, 2012

Remember one thing with Bcrypt (which PHPASS uses): no 2 passwords are alike. They are always generated differently. But PHPASS->CheckPassword can tell if they are the same. Take for example this code:

<?php
include_once('path/to/phpass/class/hash.php');

// cost 2^15, non-portable hashes: produces bcrypt ($2a$) output
$hasher   = new Hashing(15, FALSE);
$uniqID   = '502e8110d592e';
$password = 'developing';

// a new random salt is generated on every call
$hashed = $hasher->HashPassword($uniqID.$password);

echo '======================================================================='.PHP_EOL;
echo 'Hashed: '.$hashed.PHP_EOL;
echo '======================================================================='.PHP_EOL;
?>

As you can see, the unique ID and password are not changing. But run that multiple times:

Attempt 1:
=======================================================================
Hashed: $2a$15$Vc35dR.ejQOC080v0HaUyuma0jGCfGNKRs17AWL/kU2nTz538qHE2
=======================================================================

Attempt 2:
=======================================================================
Hashed: $2a$15$szabVlm5dzooEuqbubNcG.eqsIml6KT.1uUnXlo1rCo21LRJC5NA6
=======================================================================

Attempt 3:
=======================================================================
Hashed: $2a$15$Ea1uOA3eMyUX8/jx4ZLro.GK3hjwjhgpxpFvk7ta/v3U0yUoKvTjO
=======================================================================

As you can see, all 3 are different. But when validating that password against the password "developing" using the same method (just reversed for the unique id), it is always different, but will always verify.

Now, I do not know if you have a funny password that "MRES (mysqli_real_escape_string)" is breaking, or a simple one where your code is failing.

Edited December 19, 2012 by HauntedDawg
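An added example, not code from the thread, that puts the two replies together: CheckPassword() takes the plaintext first and the stored hash second, and a prepared statement replaces mysqli_real_escape_string(). It assumes PasswordHash.php from the phpass distribution is on the include path and a Persons(Username, Password) table; the function and constant names are mine.

```php
<?php
// Added example (not from the thread). Assumes PasswordHash.php from the
// phpass distribution and a table Persons(Username, Password).
require_once 'PasswordHash.php';

const HASH_COST_LOG2 = 8;
const HASH_PORTABLE  = false;   // false => bcrypt ($2a$) where crypt() supports it

function hash_for_storage(string $password): string
{
    $hasher = new PasswordHash(HASH_COST_LOG2, HASH_PORTABLE);
    return $hasher->HashPassword($password);   // random salt generated inside
}

function authenticate(mysqli $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    // Parameter binding instead of escaping; the password never touches SQL at all.
    $stmt = $db->prepare('SELECT Password FROM Persons WHERE Username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;
    }
    // Plaintext first, stored hash second: the salt is read out of $storedHash
    // and the plaintext is re-hashed with it before comparison.
    $hasher = new PasswordHash(HASH_COST_LOG2, HASH_PORTABLE);
    return $hasher->CheckPassword($password, $storedHash);
}

// Stand-alone demonstration without a database: two hashes of the same password
// differ, yet both verify; comparing a fresh hash against the stored hash (the
// mistake in the first post) never matches.
$h1 = hash_for_storage('developing');
$h2 = hash_for_storage('developing');
$hasher = new PasswordHash(HASH_COST_LOG2, HASH_PORTABLE);
var_dump($h1 !== $h2);
var_dump($hasher->CheckPassword('developing', $h1));
var_dump($hasher->CheckPassword('developing', $h2));
var_dump($hasher->CheckPassword($h1, $h2));
```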