Re: sha1() passwd in mysql help... (beginner)

Posted by Erwin Moller on 03/27/07 12:54

shimmyshack wrote:

> On 26 Mar, 15:35, "shimmyshack" <matt.fa...@gmail.com> wrote:
>> On 26 Mar, 13:29, "sathyashrayan" <asm_f...@yahoo.co.uk> wrote:
>>
>> > On Mar 26, 4:59 pm, Erwin Moller
>>
>> > <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
>> > > sathyashrayan wrote:
>> > > > Dear group,
>>
>> > > > For a log-in page I have created a mysql db and user
>> > > > registers
>> > > > with a user name and password. The password field is encrypted with
>>
>> > > > $passwd = sha1($_REQUEST['passwd']);
>>
>> > > > I insert the $passwd in mysql_insert. The password gets
>> > > > encrypted and stored in mysql. Now I want to check if the user has
>> > > > entered the correct password when he logs in. How can I do that.
>> > > > Any help is appreciated. Thanks in advance.
>>
>> > > How?
>> > > Compare them of course.
>> > > The fact that the password is encrypted doesn't make it something
>> > > else than a string of bits.
>>
>> > > So:
>> > > suppose you have a table with userid and sha1_passwd:
>>
>> > > $passwd = sha1($_REQUEST['passwd']);
>> > > $SQL = "SELECT userid FROM tblusers where (sha1_passwd =
>> > > '".$passwd."');";
>>
>> > > Execute it and see if it has a result. If not, no good password, if
>> > > so, you have the userid.
>>
>> > > Regards,
>> > > Erwin Moller
>>
>> > This way?
>>
>> > <?php
>> > $sha = sha1("sathya"); /*$sha to be inserted in db*/
>>
>> > $new = $sha; /*save the passwd localy*/
>>
>> > if($new === $sha)
>> > echo "correct";
>> > else
>> > echo "wrong";
>> > ?>
>>
>> erwin just gave your answer.
>>
>> registration stage
>> get user's password at registration - you should do this securely
>> using SSL.
>> hash and store in database = sha1(users_plaintext_password)
>>
>> login stage
>> 1. create a random string and store in session on server,
>> 2. send login form with username, password, and random string
>> 3. when user enters password, set password field to
>> sha1( sha1(users_plaintext_password)+random string ), and post form
>>
>> auth stage
>> server computes sha1( users_hashed_password_in_database +
>> $_SESSION['random_string'] )
>>
>> if $_POST['password'] ==
>> sha1( users_hashed_password_in_database + $_SESSION['random_string'] )
>>
>> then OK, else not.
>
> Sorry Erwin.

Hey! Don't apologize!
Your explanation was a lot better and clearer than my short vague response.
:-)
I didn't even mention a random string. ;-)

Regards,
Erwin

> I should add, that I was assuming that "The password
> field is encrypted with" meant that he initially used javascript to
> hash the password client side, however on rereading - it doesn't appear
> to be the case, so in this case job done, he should just run your code!
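The registration, login and auth stages shimmyshack lays out above, as an added PHP example (not code from either poster); the function names and the in-memory array standing in for the MySQL table are assumptions. Note that the stored sha1 value alone is enough to answer the challenge, so that table has to be guarded as carefully as plaintext passwords would be.

```php
<?php
// Added example of the thread's challenge-response login; not code from the
// original posts. The array $db is a constructed stand-in for the users table.

// Registration stage: store sha1(plaintext) exactly as the thread describes.
function register(array &$db, string $user, string $plain): void {
    $db[$user] = sha1($plain);
}

// Login stage, server side: create a random string and keep it in the session.
function issue_challenge(array &$session): string {
    $session['random_string'] = bin2hex(random_bytes(16));
    return $session['random_string'];
}

// Login stage, client side: the form posts sha1( sha1(password) . random ).
// The thread writes "+" for concatenation; in PHP that is ".".
function client_response(string $plain, string $random): string {
    return sha1(sha1($plain) . $random);
}

// Auth stage: server recomputes sha1( stored_hash . random ) and compares.
// The challenge is consumed on first use so a captured response cannot be
// replayed; hash_equals() avoids leaking the comparison through timing.
function authenticate(array $db, array &$session, string $user, string $posted): bool {
    if (!isset($db[$user], $session['random_string'])) {
        return false;
    }
    $random = $session['random_string'];
    unset($session['random_string']);
    $expected = sha1($db[$user] . $random);
    return hash_equals($expected, $posted);
}

// Walk-through with constructed values.
$db = [];
$session = [];
register($db, 'sathya', 'sathya');

$random = issue_challenge($session);
$posted = client_response('sathya', $random);
echo 'correct password: ', var_export(authenticate($db, $session, 'sathya', $posted), true), "\n";

// Replaying the same response after the challenge was consumed.
echo 'replayed response: ', var_export(authenticate($db, $session, 'sathya', $posted), true), "\n";

$random = issue_challenge($session);
$posted = client_response('wrong', $random);
echo 'wrong password: ', var_export(authenticate($db, $session, 'sathya', $posted), true), "\n";
```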
