PHP, MySQL - My own version of SALT (I call salty) - Login Issue
Posted by Fabio Anselmo on Stack Overflow
Published on 2012-06-30T01:54:51Z
Indexed on 2012/06/30 3:16 UTC
OK, I wrote my own version of SALT; I call it salty, lol, don't make fun of me. Anyway, the registration part of my script, as follows, is working 100% correctly.

    // generate SALTY, my own version of SALT, and I likes me salt.. lol
    function rand_string( $length ) {
        $chars = "ABCDEFGHIJKLMNOPQRSTUWXYZabcdefghijklmnopqrstuwxyz1234567890";
        $size = strlen( $chars );
        $str = ''; // initialise before appending, otherwise PHP raises an undefined-variable notice
        for( $i = 0; $i < $length; $i++ ) {
            $str .= $chars[ rand( 0, $size - 1 ) ];
        }
        return $str;
    }
    $salty = rand_string( 256 );

    // generate my extra salty pw
    $password = crypt('password');
    $hash = $password . $salty;
    $newpass = $hash;

    // insert the data in the database
    include ('../../scripts/dbconnect.php');

    // Update db record with my salty pw ;)
    // TESTED WITH AND WITHOUT SALTY
    // HENCE $password and $newpass
    mysql_query("UPDATE `Register` SET `Password` = '$password' WHERE `emailinput` = '$email'");
    mysql_close($connect);

However, my LOGIN script is failing. I have it set up to TEST and echo if it's a login or not. It always returns FAILED. I entered the DB and changed the crypted salty pw to "TEST" and I got a SUCCESS. So my problem is somewhere in this LOGIN script, I assume. Now I am not sure how to implement my $Salty in this. But also be advised that even without SALTY (just using crypt to store my pass) I was still unable to perform a login successfully. And if you're gonna suggest I use blowfish, note that my webhost doesn't have it supported and I don't know how to install it.
Here's my login script:

    if (isset($_POST['formsubmitted']))
    {
        include ('../../scripts/dbconnect.php');
        $username = mysql_real_escape_string($_POST['username']);
        $password = crypt(mysql_real_escape_string($_POST['password']));
        $qry = "SELECT ID FROM Register WHERE emailinput='$username' AND Password='$password'";
        $result = mysql_query($qry);
        if(mysql_num_rows($result) > 0)
        {
            echo 'SUCCESS';
            //START SESSION
        }
        else
        {
            echo 'FAILED';
            //YOU ARE NOT LOGGED IN
        }
    }

So what's wrong with this login? Why isn't it working just using the crypt/storing only crypt?
How can I make it work storing both the crypt and randomly generated SALTY :) ?
Ty in advance
© Stack Overflow or respective owner
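
The login flow the question is after, as an added example that is not part of the original post or the poster's code. In PHP before 8.0, where the salt argument was still optional, `crypt()` called without a salt picks a new random salt on every call, so a freshly computed hash never equals the stored one in a `WHERE` clause; the stored hash has to be fetched and the candidate re-hashed with the salt embedded in it. The sketch assumes PHP 5.5+ (`password_hash()` and `password_verify()`, which wrap `crypt()`), the `pdo_sqlite` extension, and an in-memory table standing in for `Register`; the e-mail addresses and passwords are constructed sample data.

```php
<?php
// Added example, not the poster's code. Assumes PHP >= 5.5 and pdo_sqlite;
// the in-memory table below is a stand-in for the real `Register` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Register (
    ID INTEGER PRIMARY KEY, emailinput TEXT UNIQUE, Password TEXT)');

// Registration: password_hash() generates a random salt itself and embeds it,
// with the algorithm and cost, in the returned string. No separate salt
// needs to be appended or stored in its own column.
function register(PDO $db, $email, $plain) {
    $stmt = $db->prepare('INSERT INTO Register (emailinput, Password) VALUES (?, ?)');
    $stmt->execute(array($email, password_hash($plain, PASSWORD_DEFAULT)));
}

// Login: look the row up by e-mail only, then let password_verify() re-hash
// the candidate with the salt taken from the stored value and compare in
// constant time. The hash never appears in the WHERE clause, and the
// password is never passed through an SQL escaping function.
function login(PDO $db, $email, $plain) {
    $stmt = $db->prepare('SELECT Password FROM Register WHERE emailinput = ?');
    $stmt->execute(array($email));
    $stored = $stmt->fetchColumn();          // false when no such account
    return $stored !== false && password_verify($plain, $stored);
}

register($db, 'user@example.test', 'correct horse');   // constructed sample data

// The failure mode from the question: hashing the same password twice gives
// two different strings, because each call draws its own salt.
$first  = password_hash('correct horse', PASSWORD_DEFAULT);
$second = password_hash('correct horse', PASSWORD_DEFAULT);
echo 'fresh hashes equal: ', var_export($first === $second, true), "\n";

// Correct password, wrong password, unknown account.
$attempts = array(
    array('user@example.test',   'correct horse'),
    array('user@example.test',   'wrong password'),
    array('nobody@example.test', 'correct horse'),
);
foreach ($attempts as $attempt) {
    list($email, $plain) = $attempt;
    echo $email, ' / ', $plain, ': ',
         login($db, $email, $plain) ? 'SUCCESS' : 'FAILED', "\n";
}
```

The same verification works for a hash produced by `crypt()` directly, since `password_verify()` accepts any `crypt()`-format string and reads the algorithm and salt from it.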