MakeWebGames

PHPASS Hashing


PHPDevil

Hey guys, basically trying to use PHPASS for hashing passwords.

I've got an issue with my login page, where I have this code for authentication:

if ($page_mode == 'Login')
{
    require "globe.php"; // db connect
    $username = htmlentities($_POST['username']);
    $username = mysqli_real_escape_string($mysqli, $username);
    $password = mysqli_real_escape_string($mysqli, $_POST['password']);
    $query    = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
    $row      = mysqli_fetch_assoc($query);
    $numrows  = mysqli_num_rows($query);
    $dbuser   = $row['Username'];
    $dbpass   = $row['Password'];

    $hash_cost_log2 = 8;
    // Do we require the hashes to be portable to older systems (less secure)?
    $hash_portable = FALSE;
    $hasher = new PasswordHash($hash_cost_log2, $hash_portable);
    // Hashes the submitted password again (a new random salt on every call)
    $hash = $hasher->HashPassword($password);

    if (($username == '') || ($password == '')) {
        $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
    }
    else if ($numrows == 1)
    {
        // CheckPassword is called here with (stored hash, freshly generated hash)
        if ($hasher->CheckPassword($dbpass, $hash))
        {
            $error_string .= 'Authentication succeeded';
            // debug output
            echo $password;
            echo "<br />";
            echo $hash;
            echo "<br />";
            echo $dbpass;
        } else {
            $error_string .= 'Authentication failed';
            // debug output
            echo $password;
            echo "<br />";
            echo $hash;
            echo "<br />";
            echo $dbpass;
        }
    }
    else
    {
        $error_string .= '<font color=red>No username can be found! (2)</font>';
    }
}


I've tried debugging it, but can only see that the db password and the user-entered password won't match.

For example, when I typed in the CORRECT password I get:

the user-entered password after hashing: $P$BsFbIyt3TqmiENpkiiFmanysGL3sqy/

and the database password, which is correct: $P$BeVDgwR8j3fCeB2AiziyqsXJHNHdJt.

It's driving me mad :(

Remember one thing with Bcrypt (which PHPASS uses): no 2 passwords are alike. They are always generated differently. But PHPASS->CheckPassword can tell if they are the same.

Take for example this code:

<?php
include_once('path/to/phpass/class/hash.php'); // local copy of the PHPass class, here named Hashing

$hasher = new Hashing(15, FALSE); // cost 2^15, portable hashes off, so bcrypt ($2a$) is used

$uniqID = '502e8110d592e';
$password = 'developing';

// the unique ID is prepended to the password before hashing
$hashed = $hasher->HashPassword($uniqID.$password);

echo '======================================================================='.PHP_EOL;
echo 'Hashed: '.$hashed.PHP_EOL;
echo '======================================================================='.PHP_EOL;
?>


As you can see, the unique ID and password are not changing. But run that multiple times:

Attempt 1:
=======================================================================
Hashed: $2a$15$Vc35dR.ejQOC080v0HaUyuma0jGCfGNKRs17AWL/kU2nTz538qHE2
=======================================================================

Attempt 2:
=======================================================================
Hashed: $2a$15$szabVlm5dzooEuqbubNcG.eqsIml6KT.1uUnXlo1rCo21LRJC5NA6
=======================================================================

Attempt 3:
=======================================================================
Hashed: $2a$15$Ea1uOA3eMyUX8/jx4ZLro.GK3hjwjhgpxpFvk7ta/v3U0yUoKvTjO
=======================================================================

---

As you can see, all 3 are different. But when validating that password against the password "developing" using the same method (just reversed for the unique ID), it is always different, but will always verify.

Now, I do not know if you have a funny password that "MRES (mysqli_real_escape_string)" is breaking, or a simple one where your code is failing.

Edited by HauntedDawg
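An added example, not code from either post and not the PHPass library itself: a Python reimplementation of PHPass's portable `$P$` scheme (salted, iterated MD5 with PHPass's own base64 alphabet). That scheme is what the first post's hashes actually are: PHPass falls back to `$P$` when the PHP build offers no bcrypt, even with `$hash_portable = FALSE`, and the `B` after `$P$` is the requested cost 8 plus the 5 PHPass adds on PHP 5. The function names are mine; the sample password `developing` is taken from the second post, and the known-answer hash is the `test12345` vector from the test script PHPass ships with. The block shows the point both posts circle around: the random salt is stored inside the hash, so `HashPassword` returns a new string on every call, and `CheckPassword($password, $stored_hash)` verifies by re-hashing the plaintext under the salt read out of the stored hash. The first post instead calls `CheckPassword($dbpass, $hash)` with the stored hash and a freshly salted hash, which can never match.

```python
"""Illustrative reimplementation of PHPass's portable "$P$" hash scheme.
Added example: not PHPass itself and not code from the thread."""
import hashlib
import os

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# Known-answer vector from PHPass's own test script (password 'test12345').
KNOWN_HASH = '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'


def encode64(data: bytes, count: int) -> str:
    """PHPass's crypt-style base64: 3 bytes -> 4 chars, little-endian, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def crypt_private(password: str, setting: str) -> str:
    """Hash `password` under the cost and salt encoded in `setting`
    ('$P$' + cost char + 8-char salt). Returns a '*' string on a malformed
    setting, as PHPass does, so it can never equal a real stored hash."""
    if setting[:3] not in ('$P$', '$H$'):
        return '*1' if setting[:2] == '*0' else '*0'
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return '*0'
    salt = setting[4:12]
    if len(salt) != 8:
        return '*0'
    pw = password.encode('utf-8')
    count = 1 << count_log2
    digest = hashlib.md5(salt.encode('ascii') + pw).digest()
    while count:                      # PHPass: do { ... } while (--$count);
        digest = hashlib.md5(digest + pw).digest()
        count -= 1
    return setting[:12] + encode64(digest, 16)


def hash_password(password: str, cost_log2: int = 8) -> str:
    """Equivalent of PasswordHash::HashPassword when only portable hashes are
    available. A fresh 6-byte random salt is drawn on every call, so the
    returned string differs each time even for the same password."""
    # PHPass adds 5 to the requested cost on PHP 5+, so cost 8 yields the 'B' seen in the thread.
    setting = '$P$' + ITOA64[min(cost_log2 + 5, 30)] + encode64(os.urandom(6), 6)
    result = crypt_private(password, setting)
    return result if len(result) == 34 else '*'


def check_password(password: str, stored_hash: str) -> bool:
    """Equivalent of PasswordHash::CheckPassword($password, $stored_hash):
    re-run the hash with the salt taken FROM stored_hash, then compare."""
    return crypt_private(password, stored_hash) == stored_hash


def demo(password: str = 'developing') -> dict:
    """The properties the thread argues about, as booleans."""
    h1 = hash_password(password)
    h2 = hash_password(password)
    return {
        'salts_differ': h1[4:12] != h2[4:12],
        'hashes_differ': h1 != h2,
        'both_verify': check_password(password, h1) and check_password(password, h2),
        'wrong_password_rejected': not check_password(password + 'x', h1),
        # The first post's call, CheckPassword($dbpass, $hash): the stored hash is
        # treated as the plaintext and checked against a freshly salted hash.
        'hash_vs_hash_never_matches': not check_password(h1, h2),
    }


if __name__ == '__main__':
    print(hash_password('developing'))
    print(check_password('test12345', KNOWN_HASH))
    print(demo())
```

Run it directly to print a fresh hash, the known-vector result and the demo flags. The PHP equivalent of `check_password` for the first post is `$hasher->CheckPassword($password, $dbpass)`, with no second `HashPassword` call at login; the `echo $password` debug lines, which put the plaintext into the HTTP response, should not survive debugging either.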
