Posted by Jason Wong on 02/25/05 20:56
On Friday 25 February 2005 08:36, Erbacher Karl wrote:
> Thanks for your input, but I've played around with it and now it's
> uglier than ever. I'm very new to PHP, so I'm not sure what I'm
> missing here. I've done a few things to try to pinpoint the problem,
> but now I'm even more confused. Can you please look over what I've
> done and let me know if you see any mistakes or if you think there
> might be another problem?
>
> First, I created a test page where I hashed the values "password1",
> "password2" and "password3" and echoed both the value and the hashed
> value back. For example:
> $val1 = "password1";
> $hashVal1= bin2hex(mhash(MHASH_SHA1, $val1));
> echo "$val1 <br> $hashVal1 <br>";
> The output was fine (always consistent):
> password1
> e38ad214943daad1d64c102faec29de4afe9da3d
> password2
> 2aa60a8ff7fcd473d321e0146afd9e26df395147
> password3
> 1119cfd37ee247357e034a08d844eea25f6fd20f
> I saved the hashed values in the MySQL database so I could try to use
> them to log on. Then, I modified the login form and the page that
> processes the data to see if the problem was there. I included a
> message to see what values were being sent back to me.
> loginform.php:
> if (isset($message))
> echo "<b>$message</b>";
> //create form
> <input type='password' name='passUnhash'>
> $fpass=bin2hex(mhash(MHASH_SHA1, $passUnhash));
You didn't read my reply to your original post on this same issue?
When the form is first presented $passUnhash is empty, yet you're
assigning it to $fpass. So first time round you're actually checking the
hash for an empty password, second time round you're using the hash for
password1 to check against username2, etc.
[snip]
> username2, password2, e38ad214943daad1d64c102faec29de4afe9da3d
> (Second try)
Notice that the hash looks suspiciously like 'password1'.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
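Added example, not part of the original post or either poster's code: a single-page login handler that hashes the password only when the form has been submitted, which is the ordering problem the reply points out. The `username` field name, the `$users` array standing in for the MySQL table, the `check_login()` helper, and the pairing of `username1` with the `password1` digest are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.
// Constructed stand-in for the MySQL table: username => SHA-1 hex digest.
// The digest is the one the post lists for "password1".
$users = ['username1' => 'e38ad214943daad1d64c102faec29de4afe9da3d'];

// Hypothetical helper: true only if this request carried a password whose
// hash matches the stored hash for the submitted username.
function check_login(array $users, array $post): bool
{
    $user = $post['username'] ?? '';
    $pass = $post['passUnhash'] ?? '';
    // Nothing submitted (form first presented): do not hash an empty value.
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    if (!isset($users[$user])) {
        return false;
    }
    // Hash the value that arrived with this request, then compare in
    // constant time against the stored digest.
    $fpass = hash('sha1', $pass);
    return hash_equals($users[$user], $fpass);
}

$message = null;
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'POST') {
    $message = check_login($users, $_POST) ? 'Logged in' : 'Login failed';
}
?>
<?php if ($message !== null): ?>
<b><?= htmlspecialchars($message) ?></b>
<?php endif; ?>
<form method="post">
  <input type="text" name="username">
  <input type="password" name="passUnhash">
  <input type="submit" value="Log in">
</form>
```

Unsalted SHA-1 is kept here only so the digests match the ones in the thread; current PHP provides `password_hash()` and `password_verify()` for storing and checking passwords.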