Reply to Re: [PHP] hash issues


Posted by Richard Lynch on 02/25/05 19:47

Erbacher Karl wrote:
> Thanks for your input, but I've played around with it and now it's uglier
> than ever. I'm very new to PHP, so I'm not sure what I'm missing here.
> I've done a few things to try to pinpoint the problem, but now I'm even more
> confused. Can you please look over what I've done and let me know if you
> see any mistakes or if you think there might be another problem?
>
> First, I created a test page where I hashed the values "password1",
> "password2" and "password3" and echoed both the value and the hashed value
> back. For example:
> $val1 = "password1";
> $hashVal1= bin2hex(mhash(MHASH_SHA1, $val1));
> echo "$val1 <br> $hashVal1 <br>";
> The output was fine (always consistent):
> password1
> e38ad214943daad1d64c102faec29de4afe9da3d
> password2
> 2aa60a8ff7fcd473d321e0146afd9e26df395147
> password3
> 1119cfd37ee247357e034a08d844eea25f6fd20f
> I saved the hashed values in the MySQL database so I could try to use them
> to log on. Then, I modified the login form and the page that processes the
> data to see if the problem was there. I included a message to see what
> values were being sent back to me.
> loginform.php:
> if (isset($message))
> echo "<b>$message</b>";
> //create form
> <input type='password' name='passUnhash'>
> $fpass=bin2hex(mhash(MHASH_SHA1, $passUnhash));
> <input type='hidden' name='fpass' value='$fpass'>

But you're storing, literally, '$fpass' here, *NOT* 'e38ad21...a3d'

Use "View Source" in your browser to see what you've got in 'fpass'

You need:
<input type='hidden' name='fpass' value='<?php echo $fpass; ?>'>

TIP:
ALWAYS use "View Source" when you are checking your "HIDDEN" input form
values.

> checklogin.php:
> $logname = $_POST['fusername'];
> $pass = $_POST['fpass'];
> $query2 = "SELECT pass FROM table
> WHERE username='$logname' AND pass='$pass'";

You can also see the problem here:
echo $query2, "<hr />\n";

TIP:
Always echo out your queries during development, until you are sure they
are 100% right all the time.
Actually, leave the echo line in there, commented out.
You'll need it again some day, guaranteed. :-)

--
Like Music?
http://l-i-e.com/artists.htm
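
Added example, not part of the original message or of either poster's code: one way to write the check in checklogin.php so that the password is hashed when the form is submitted and the posted values are passed as bound parameters. The table name `users`, the in-memory SQLite database and the sample account are assumptions made so the script runs stand-alone; the column names and the SHA-1 hex format follow the quoted code.

```php
<?php
// Added example; "users", the SQLite DSN and the account "karl" are assumptions.
// SHA-1 is kept only to match the hashes stored in the thread; PHP's
// purpose-built functions for new code are password_hash()/password_verify().

function sha1_hex(string $plain): string
{
    // Same hex string as bin2hex(mhash(MHASH_SHA1, $plain)) in the quoted code.
    return hash('sha1', $plain);
}

function check_login(PDO $db, string $logname, string $passUnhash): bool
{
    // Bound parameter: the posted name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pass FROM users WHERE username = ?');
    $stmt->execute([$logname]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    // Hash the value that was actually submitted, then compare in constant time.
    return hash_equals($stored, sha1_hex($passUnhash));
}

// Constructed sample data: the hash the thread reports for "password1".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['karl', 'e38ad214943daad1d64c102faec29de4afe9da3d']);

// Simulated POST bodies; a real checklogin.php would read $_POST instead.
$attempts = [
    ['fusername' => 'karl',    'passUnhash' => 'password1'], // correct
    ['fusername' => 'karl',    'passUnhash' => 'password2'], // wrong password
    ['fusername' => "O'Brien", 'passUnhash' => 'password1'], // quote in the name
];
foreach ($attempts as $post) {
    $ok = check_login($db, $post['fusername'], $post['passUnhash']);
    printf("%-10s %-10s %s\n", $post['fusername'], $post['passUnhash'],
           $ok ? 'OK' : 'denied');
}
```

Only the first attempt prints OK; the name containing an apostrophe is looked up as data and does not break the query.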
