  1. #1
    New to the CF scene

    mysql select hashed password

    Hello there, I have a login script that uses a 65 character password and I need to integrate it into my video chat. I already have the handler, I just can't figure it out.

    here is the handler.php of video chat
    Code:
    $password = md5($password);
    
    
    
    //Check if user filled login and password in the login screen (Chat authorization)
    if($userName != "" && $password != "")
    {
      $sql = "SELECT * FROM users WHERE username='".$userName."' AND password='".$password."'";
    }
    The problem is it's not picking up the hashed password: if I type the long 65 characters I can log in, but with the normal one I can't.


    I found the function for the password in my login script, maybe someone can help.
    Code:
    function generateHash($plainText, $salt = null)
    	{
    		if ($salt === null)
    		{
    			$salt = substr(md5(uniqid(rand(), true)), 0, 25);
    		}
    		else
    		{
    			$salt = substr($salt, 0, 25);
    		}
    	
    		return $salt . sha1($salt . $plainText);
    	}

  • #2
    God Emperor Fou-Lu's Avatar
    If you are generating a hash salt, I presume you are storing it in some way? The first code makes no use of a salt. What you need to do is SELECT the password and the salt (or if it's hardcoded then provide the variable within it), and then use an if check with it:
    PHP Code:
    if (strcmp(generateHash($password, $salt), $storedpassword) == 0)
    {
        // aok.
    }

    Where $password is the plain text provided password, $salt is the generated salt either stored as a variable configuration or within the database is fine, and $storedpassword is retrieved from the database based on the username.
    If the salt is stored in the database unique to each record entry (or even on a joinable config table), then you can do it all in a query: SELECT * FROM users WHERE username = '$userName' AND password = CONCAT(dbsalt, SHA1(CONCAT(dbsalt, '$password'))) looks rightish.

    Personally I'd use PHP for this, as it is a little bit more flexible when it comes to swapping algorithms.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #3
    Junsee
    Guest
    I think you need to explain again, I did not quite understand what is going on in your question!

    But basically you have a unique salt and key generation

    so every time you encrypt the password you'll come out with a different hash

    which the database won't find.
    Last edited by Junsee; 05-28-2013 at 04:51 PM.

  • #4
    New to the CF scene
    Thanks for the answer. I tried but I'm getting too many errors. Here is the full handler of the video chat, maybe you'll understand better.

    Code:
    <?php
    //Connect to users database
    $db = mysql_connect('localhost','root','test') or die(mysql_error());
    mysql_select_db('test',$db) or die(mysql_error());
    
    //Init request parameters
    $userName = (isset($_REQUEST["user_name"])) ? urldecode($_REQUEST["user_name"]) : "";
    $password = (isset($_REQUEST["password"])) ? urldecode($_REQUEST["password"]) : "";
    $uid = (isset($_REQUEST["uid"])) ? urldecode($_REQUEST["uid"]) : "";
    
    
    //Check if user filled login and password in the login screen (Chat authorization)
    if($userName != "" && $password != "")
    {
      $sql = "SELECT * FROM userpie_users WHERE username='".$userName."' AND password ='".$password."'";
    }
    //session/cookie base authorization (Auto login)
    else if ($_SESSION['user_id']!="")
    {
      $sql = "SELECT * FROM users WHERE user_id='".$_SESSION["user_id"]."'";
    }
    // Non session/cookie based autologin authorization
    else if ($uid!="")
    {
      $sql = "SELECT * FROM users WHERE user_id='".$_GET['uid']."'";
    }
    else
    {
      echo '<auth error="AUTH_ERROR" />';
      exit;
    }
    
    //Select user data
    $result = mysql_query($sql,$db);
    
    if(mysql_num_rows($result)==1)
    {
      //User found. get user info
      $usersInfo = mysql_fetch_array($result);
    
      $photo = FLASHCOMS_HTTP_ROOT.'common/images/User1_120.png';
      $photoModeImage =         FLASHCOMS_HTTP_ROOT.'common/images/User1_40.png';	
    
      $answer = '<auth>';
      $answer .= '<userName><![CDATA['.$userName.']]></userName>';
      $answer .= '<gender>male</gender>';
      $answer .= '<age>'.$usersInfo['age'].'</age>';
      $answer .= '<level>regular</level>';
      $answer .= '<photo><![CDATA['.$photo.']]></photo>';
      $answer .= '<photoModeImage><![CDATA['.$photoModeImage.']]></photoModeImage>';
      $answer .= '</auth>';
      echo $answer;
      exit;
    }
    else 
    {
      //User not found OR authorization failed
      echo '<auth error="AUTH_ERROR" />';
      exit;
    }
    
    ?>
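
Added example (not part of any post in this thread): the 65-character value from generateHash() in post #1 is the 25-character salt followed by the 40-character SHA-1 hex digest, so the handler can fetch the stored value by username and recompute the hash in PHP, as post #2 suggests. The `userpie_users` table and its `username`/`password` columns are taken from the handler above; `verifyPassword()` and `authenticate()` are hypothetical helper names.

```php
<?php
// generateHash() as posted in #1: 25-char salt + sha1(salt . password) = 65 chars.
function generateHash($plainText, $salt = null)
{
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, 25);
    } else {
        $salt = substr($salt, 0, 25);
    }
    return $salt . sha1($salt . $plainText);
}

// Hypothetical helper: recompute the hash with the salt embedded in the
// stored value and compare the two strings in constant time.
function verifyPassword($plainText, $storedHash)
{
    if (!is_string($storedHash) || strlen($storedHash) !== 65) {
        return false; // not in the salt + sha1 layout
    }
    // generateHash() keeps only the first 25 characters of its $salt argument,
    // so the stored value itself can be passed as the salt.
    return hash_equals($storedHash, generateHash($plainText, $storedHash));
}

// Hypothetical helper: look the user up by name only, with a bound parameter
// instead of string concatenation, then check the password in PHP.
// Assumed schema: userpie_users(username, password), as in the handler.
function authenticate(mysqli $db, $userName, $plainText)
{
    $stmt = $db->prepare('SELECT password FROM userpie_users WHERE username = ?');
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();
    return $found === true && verifyPassword($plainText, $storedHash);
}

// Offline check with a constructed value (no database needed).
$stored = generateHash('test');
var_dump(strlen($stored));
var_dump(verifyPassword('test', $stored));
var_dump(verifyPassword('wrong', $stored));
```

This only matches the existing 65-character format; for newly created accounts PHP's password_hash() and password_verify() are the stronger choice than salted SHA-1.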

  • #5
    New to the CF scene
    Quote Originally Posted by Junsee View Post
    I think you need to explain again, I did not quite understand what is going on in your question!

    But basically you have a unique salt and key generation

    so every time you encrypt the password you'll come out with a different hash

    which the database won't find.
    Well, as I said, I already have a login script that uses a 65 char password. For example,
    if I register a new user on my website, I have a password in the database like this: "e3f5cf461e471e451d81e5377b3cadcb2e6aadad12fb10d5c5c062ba116c6dc30"

    It's working in my login script, I can log in with the normal password, but I need to do it for my video chat. As you see, I have handler.php from support; what I need to do is integrate it with my existing database. The problem is I can't log in with the normal password; I have to type that longer 65 char one, then I can pass login in my video chat.

  • #6
    Junsee
    Guest
    Ahh I see, that's what I thought you meant. You need to hash the password that someone logs in with.

    So when I register I use the password "test"
    it gets converted and stored as "e3f5cf461e471e451d81e5377b3cadcb2e6aadad12fb10d5c5c062ba116c6dc30"

    When a user logs in, the user types the password in, and you must convert this value into an md5 hash. Then do a MySQL SELECT WHERE.

    Also remember that you are using unique salts, which changes the hash each time. Remove the salt and just stick with a hash function (or have a constant salt).

