Posted by shimmyshack on 03/26/07 14:40
On 26 Mar, 15:35, "shimmyshack" <matt.fa...@gmail.com> wrote:
> On 26 Mar, 13:29, "sathyashrayan" <asm_f...@yahoo.co.uk> wrote:
>
> > On Mar 26, 4:59 pm, Erwin Moller
>
> > <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> > > sathyashrayan wrote:
> > > > Dear group,
>
> > > > For a log-in page I have created a mysql db and user registers
> > > > with a user name and password. The password field is encrypted with
>
> > > > $passwd = sha1($_REQUEST['passwd']);
>
> > > > I insert the $passwd in mysql_insert. The password gets
> > > > encrypted and stored in mysql. Now I want to check if the user has
> > > > entered the correct password when he logs in. How can I do that? Any
> > > > help is appreciated. Thanks in advance.
>
> > > How?
> > > Compare them of course.
> > > The fact that the password is encrypted doesn't make it something else than
> > > a string of bits.
>
> > > So:
> > > suppose you have a table with userid and sha1_passwd:
>
> > > $passwd = sha1($_REQUEST['passwd']);
> > > $SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."');";
>
> > > Execute it and see if it has a result. If not, no good password, if so, you
> > > have the userid.
>
> > > Regards,
> > > Erwin Moller
>
> > This way?
>
> > <?php
> > $sha = sha1("sathya"); /*$sha to be inserted in db*/
>
> > $new = $sha; /*save the passwd locally*/
>
> > if($new === $sha)
> > echo "correct";
> > else
> > echo "wrong";
> > ?>
>
> erwin just gave your answer.
>
> registration stage
> get user's password at registration - you should do this securely
> using SSL.
> hash and store in database = sha1(users_plaintext_password)
>
> login stage
> 1. create a random string and store in session on server,
> 2. send login form with username, password, and random string
> 3. when user enters password, set password field to
> sha1( sha1(users_plaintext_password)+random string ), and post form
>
> auth stage
> server computes sha1( users_hashed_password_in_database +
> $_SESSION['random_string'] )
>
> if $_POST['password'] ==
> sha1( users_hashed_password_in_database + $_SESSION['random_string'] )
>
> then OK, else not.
Sorry Erwin. I should add that I was assuming that "The password
field is encrypted with" meant that he initially used javascript to
hash the password client side, however on rereading - it doesn't appear
to be the case, so in this case job done, he should just run your code!
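The registration / login / auth stages described in the quoted post, written out end to end as an added example (not code from anyone in the thread). The browser-side step is simulated in PHP so the whole exchange runs stand-alone; the `$users` array and `$session` array are assumed stand-ins for the `tblusers` table and `$_SESSION`.

```php
<?php
// Registration stage: store sha1(plaintext), as the thread does.
function register(array &$users, string $user, string $plain): void {
    $users[$user] = sha1($plain);
}

// Login stage, step 1: server creates the random string and keeps it in the session.
function issue_challenge(array &$session): string {
    $session['random_string'] = bin2hex(random_bytes(16));
    return $session['random_string'];
}

// Login stage, step 3: what the client-side script computes before posting the form.
// sha1( sha1(users_plaintext_password) + random string ), using '.' for PHP concatenation.
function client_response(string $plain, string $challenge): string {
    return sha1(sha1($plain) . $challenge);
}

// Auth stage: server recomputes from the stored hash and the session's random string,
// then compares it with the posted password field.
function authenticate(array $users, array &$session, string $user, string $response): bool {
    if (!isset($users[$user], $session['random_string'])) {
        return false;
    }
    $expected = sha1($users[$user] . $session['random_string']);
    // The challenge is single-use: drop it so a captured response cannot be posted again.
    unset($session['random_string']);
    // Constant-time comparison instead of == on attacker-supplied input.
    return hash_equals($expected, $response);
}

// Constructed run-through (sample user and password, not real data).
$users = [];
$session = [];
register($users, 'sathya', 'correct horse');
$challenge = issue_challenge($session);
$posted = client_response('correct horse', $challenge);
echo authenticate($users, $session, 'sathya', $posted) ? "correct\n" : "wrong\n";
$stale = authenticate($users, $session, 'sathya', $posted); // challenge already consumed: false
echo $stale ? "replay accepted\n" : "replay rejected\n";
```

Caveat a practitioner would want: the server only needs the stored sha1 hash to compute the expected response, so the stored hash is itself enough to log in and a database leak must be treated as a credential leak; the random string protects the plaintext on the wire, not the hash at rest.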