Reply to Re: sha1() passwd in mysql help... (beginner)

Posted by shimmyshack on 03/26/07 14:35

On 26 Mar, 13:29, "sathyashrayan" <asm_f...@yahoo.co.uk> wrote:
> On Mar 26, 4:59 pm, Erwin Moller <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> > sathyashrayan wrote:
> > > Dear group,
>
> > > For a log-in page I have created a mysql db and user registers
> > > with a user name and password. The password field is encrypted with
>
> > > $passwd = sha1($_REQUEST['passwd']);
>
> > > I insert the $passwd in mysql_insert. The password gets
> > > encrypted and stored in mysql. Now I want to check if the user has
> > > entered the correct password when he logs in. How can I do that? Any
> > > help is appreciated. Thanks in advance.
>
> > How?
> > Compare them of course.
> > The fact that the password is encrypted doesn't make it something else than
> > a string of bits.
>
> > So:
> > suppose you have a table with userid and sha1_passwd:
>
> > $passwd = sha1($_REQUEST['passwd']);
> > $SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."');";
>
> > Execute it and see if it has a result. If not, no good password, if so, you
> > have the userid.
>
> > Regards,
> > Erwin Moller
>
> This way?
>
> <?php
> $sha = sha1("sathya"); /*$sha to be inserted in db*/
>
> $new = $sha; /*save the passwd locally*/
>
> if($new === $sha)
> echo "correct";
> else
> echo "wrong";
> ?>

Erwin just gave your answer.

registration stage
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha1(users_plaintext_password)

login stage
1. create a random string and store in session on server,
2. send login form with username, password, and random string
3. when user enters password, set password field to
sha1( sha1(users_plaintext_password)+random string ), and post form


auth stage
server computes sha1( users_hashed_password_in_database +
$_SESSION['random_string'] )

if $_POST['password'] ==
sha1( users_hashed_password_in_database + $_SESSION['random_string'] )

then OK, else not.
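
The three stages described above, as an added PHP example that is not part of the original post. The browser-side hashing is simulated in PHP so it runs from the command line; the function names, the `$session` array standing in for `$_SESSION`, and the sample password are assumptions.

```php
<?php
// Registration stage: the value the post stores in the database.
function register_hash(string $plaintext): string {
    return sha1($plaintext);
}

// Login stage, step 1: unpredictable per-login string kept in the session.
function new_challenge(array &$session): string {
    $session['random_string'] = bin2hex(random_bytes(16));
    return $session['random_string'];
}

// Login stage, step 3: what the browser would compute before posting the form.
function client_response(string $plaintext, string $challenge): string {
    return sha1(sha1($plaintext) . $challenge);
}

// Auth stage: recompute from the stored hash and the session challenge.
function check_response(string $storedHash, array &$session, string $posted): bool {
    if (!isset($session['random_string'])) {
        return false;                        // no challenge outstanding
    }
    $challenge = $session['random_string'];
    unset($session['random_string']);        // single use, so a captured response cannot be replayed
    $expected = sha1($storedHash . $challenge);
    return hash_equals($expected, $posted);  // constant-time string comparison
}

$session = [];                               // stands in for $_SESSION
$stored  = register_hash('sathya');          // constructed sample password

// Correct password, answered against a fresh challenge.
$challenge = new_challenge($session);
$response  = client_response('sathya', $challenge);
var_dump(check_response($stored, $session, $response));

// Same response posted a second time: the challenge has already been consumed.
var_dump(check_response($stored, $session, $response));

// Wrong password against a new challenge.
$challenge = new_challenge($session);
var_dump(check_response($stored, $session, client_response('wrong', $challenge)));
```

In this scheme the stored `sha1()` value is itself the secret the client proves knowledge of, so the database column needs the same protection a plaintext password would.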
