sha1() passwd in mysql help... (beginner)

sathyashrayan wrote:

Dear group,

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

$passwd = sha1($_REQUEST['passwd']);

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.

So:
supose you have a table with userid and sha1_passwd:

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."');";

Execute it and see if it has a result. If not, no good password, if so, you
have the userid.

Regards,
Erwin Moller

On Mar 26, 4:59 pm, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:

sathyashrayan wrote:

Dear group,

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

$passwd = sha1($_REQUEST['passwd']);

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.

So:
supose you have a table with userid and sha1_passwd:

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."');";

Execute it and see if it has a result. If not, no good password, if so, you
have the userid.

Regards,
Erwin Moller

This way?

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

$new = $sha; /*save the passwd localy*/

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

On 26 Mar, 13:29, "sathyashrayan" <asm_f...@yahoo.co.ukwrote:

On Mar 26, 4:59 pm, Erwin Moller

<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:

sathyashrayan wrote:

Dear group,

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

$passwd = sha1($_REQUEST['passwd']);

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.

So:
supose you have a table with userid and sha1_passwd:

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."');";

Execute it and see if it has a result. If not, no good password, if so, you
have the userid.

Regards,
Erwin Moller

This way?

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

$new = $sha; /*save the passwd localy*/

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

erwin just gave your answer.

registration stage
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha1(users_plaintext_password)

login stage
1. create a random string and store in session on server,
2. send login form with username, password, and random string
3. when user enters password, set password field to
sha1( sha1(users_plaintext_password)+random string ), and post form
auth stage
server computes sha1( users_hashed_password_in_database +
$_SESSION['random_string'] )

if $_POST['password'] ==
sha1( users_hashed_password_in_database + $_SESSION['random_string'] )

then OK, else not.

On 26 Mar, 15:35, "shimmyshack" <matt.fa...@gmail.comwrote:

On 26 Mar, 13:29, "sathyashrayan" <asm_f...@yahoo.co.ukwrote:

On Mar 26, 4:59 pm, Erwin Moller

<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:

sathyashrayan wrote:
Dear group,

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

$passwd = sha1($_REQUEST['passwd']);

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.

So:
supose you have a table with userid and sha1_passwd:

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."');";

Execute it and see if it has a result. If not, no good password, if so, you
have the userid.

Regards,
Erwin Moller

This way?

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

$new = $sha; /*save the passwd localy*/

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

erwin just gave your answer.

registration stage
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha1(users_plaintext_password)

login stage
1. create a random string and store in session on server,
2. send login form with username, password, and random string
3. when user enters password, set password field to
sha1( sha1(users_plaintext_password)+random string ), and post form

auth stage
server computes sha1( users_hashed_password_in_database +
$_SESSION['random_string'] )

if $_POST['password'] ==
sha1( users_hashed_password_in_database + $_SESSION['random_string'] )

then OK, else not.

Sorry Erwin. I should add, that I was assuming that "The password
field is encrypted with" meant that he initially used javascript to
hash the password client side, however on rereading - it doesnt appear
to be the case, so in this case job done, he should just run your code!

On Mar 26, 4:39 pm, "sathyashrayan" <asm_f...@yahoo.co.ukwrote:

Dear group,

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

$passwd = sha1($_REQUEST['passwd']);

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

Thanks for all the help.

Erwin Moller kirjoitti:

sathyashrayan wrote:

> Dear group,

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

$passwd = sha1($_REQUEST['passwd']);

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.

So:
supose you have a table with userid and sha1_passwd:

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."');";

I'd select first the row that matches username and then compare the
password of that row to the sha'd password.

The problem with your method is that two users having the same password
(say "123abc" or "password") can collide. Usernames should be unique,
passwords shouldn't. (Furthermore, if a user tries to set a password and
system reports that it's taken, it opens an unwanted door...)

--
Ra*********@gmail.com
"Olemme apinoiden planeetalla."

shimmyshack wrote:

On 26 Mar, 15:35, "shimmyshack" <matt.fa...@gmail.comwrote:

>On 26 Mar, 13:29, "sathyashrayan" <asm_f...@yahoo.co.ukwrote:

On Mar 26, 4:59 pm, Erwin Moller

<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:
sathyashrayan wrote:
Dear group,

For a log-in page I have created a mysql db and user
registers
with a user name and password. The password field is encrypted with

$passwd = sha1($_REQUEST['passwd']);

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that.
Any help is appreciated. Thanks in advance.

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something
else than a string of bits.

So:
supose you have a table with userid and sha1_passwd:

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd =
'".$passwd."');";

Execute it and see if it has a result. If not, no good password, if
so, you have the userid.

Regards,
Erwin Moller

This way?

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

$new = $sha; /*save the passwd localy*/

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

erwin just gave your answer.

registration stage
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha1(users_plaintext_password)

login stage
1. create a random string and store in session on server,
2. send login form with username, password, and random string
3. when user enters password, set password field to
sha1( sha1(users_plaintext_password)+random string ), and post form

auth stage
server computes sha1( users_hashed_password_in_database +
$_SESSION['random_string'] )

if $_POST['password'] ==
sha1( users_hashed_password_in_database + $_SESSION['random_string'] )

then OK, else not.

Sorry Erwin.

Hey! Don't appologize!
Your explanation was a lot better and clearer than my short vague response.
:-)
I didn't even mention a random string. ;-)

Regards,
Erwin

I should add, that I was assuming that "The password

field is encrypted with" meant that he initially used javascript to
hash the password client side, however on rereading - it doesnt appear
to be the case, so in this case job done, he should just run your code!

On 27 Mar, 13:54, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:

shimmyshack wrote:

On 26 Mar, 15:35, "shimmyshack" <matt.fa...@gmail.comwrote:

On 26 Mar, 13:29, "sathyashrayan" <asm_f...@yahoo.co.ukwrote:

On Mar 26, 4:59 pm, Erwin Moller

<since_humans_read_this_I_am_spammed_too_m...@spam yourself.comwrote:
sathyashrayan wrote:
Dear group,

For a log-in page I have created a mysql db and user
registers
with a user name and password. The password field is encrypted with

$passwd = sha1($_REQUEST['passwd']);

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that.
Any help is appreciated. Thanks in advance.

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something
else than a string of bits.

So:
supose you have a table with userid and sha1_passwd:

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd =
'".$passwd."');";

Execute it and see if it has a result. If not, no good password, if
so, you have the userid.

Regards,
Erwin Moller

This way?

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

$new = $sha; /*save the passwd localy*/

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

erwin just gave your answer.

registration stage
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha1(users_plaintext_password)

login stage
1. create a random string and store in session on server,
2. send login form with username, password, and random string
3. when user enters password, set password field to
sha1( sha1(users_plaintext_password)+random string ), and post form

auth stage
server computes sha1( users_hashed_password_in_database +
$_SESSION['random_string'] )

if $_POST['password'] ==
sha1( users_hashed_password_in_database + $_SESSION['random_string'] )

then OK, else not.

Sorry Erwin.

Hey! Don't appologize!
Your explanation was a lot better and clearer than my short vague response.
:-)
I didn't even mention a random string. ;-)

Regards,
Erwin

I should add, that I was assuming that "The password

field is encrypted with" meant that he initially used javascript to
hash the password client side, however on rereading - it doesnt appear
to be the case, so in this case job done, he should just run your code!

cool, and of course I forgot to mention that the point of this random
string is to be used as a one-time-pad after the login attempt is
should be expired immediately from the session, and a new form with
new random_string sent and stored in session. this prevents passive
man-in-the-middle attempts to login after you.
You could remove the random_string from the session only after
successful login, but then that would allow the passive guy to grab
your mispelt password, adjust it and try again, (s/he is probably on
your LAN and could know enough to guess the typo) so sending a new one-
time-pad with each login form is best.

It works of course because the server has to compare
if $_POST['password']
with
sha1( users_hashed_password_in_database +
$_SESSION['random_string'] )
so if the random string has gone each time, then the server cannot
compute the same value for
users_hashed_password_in_database + $_SESSION['random_string']
as was sent by user

Remember though, this method just protects the login, if you then use
the presense of the session ID as an "authentication token" anyone
could grab that and replay it, piggybacking on your session.
Piggybacking testing can be fun though, I run a free wireless node
which is unencrypted, and friends and neighbours are happy to know we
can all piggyback if we can sniff the network and adjust the cookies -
it is simply AMAZING how many sites trust the presense of a particular
session id to proove that the user has authenticated and should have
access. It is hard to do prevent this without SSL though, so perhaps
it's just prohibitive dev/cert cost, which is where:
http://www.cacert.org/
comes in!