PHP, MySQL - My own version of SALT (I call salty) - Login Issue

Posted by Fabio Anselmo on Stack Overflow
Published on 2012-06-30T01:54:51Z Indexed on 2012/06/30 3:16 UTC

OK, I wrote my own version of SALT, I call it salty, lol, don't make fun of me. Anyway, the registration part of my script, as follows, is working 100% correctly.

    //generate SALTY my own version of SALT and I likes me salt.. lol
    function rand_string( $length ) {
        $chars = "ABCDEFGHIJKLMNOPQRSTUWXYZabcdefghijklmnopqrstuwxyz1234567890";
        $size = strlen( $chars );
        $str = ''; // initialise before appending to avoid an undefined-variable notice
        for( $i = 0; $i < $length; $i++ ) {
            $str .= $chars[ rand( 0, $size - 1 ) ];
        }
        return $str;
    }
    $salty = rand_string( 256 );

    //generate my extra salty pw 
    $password = crypt('password');
    $hash = $password . $salty;
    $newpass = $hash;

    //insert the data in the database
    include ('../../scripts/dbconnect.php');

    //Update db record with my salty pw ;)
                                           // TESTED WITH AND WITHOUT SALTY 
                                          //HENCE $password and $newpass
    mysql_query("UPDATE `Register` SET `Password` = '$password' WHERE `emailinput` = '$email'");
    mysql_close($connect);

However, my LOGIN script is failing. I have it set up to TEST and echo whether it's logged in or not. It always returns FAILED. I entered the DB and changed the crypted salty pw to "TEST" and I got a SUCCESS. So my problem is somewhere in this LOGIN script, I assume. Now I am not sure how to implement my $Salty in this. But also be advised that even without SALTY (just using crypt to store my pass) I was still unable to perform a login successfully. And if you're gonna suggest I use Blowfish, note that my webhost doesn't have it supported and I don't know how to install it.

Here's my login script:

    if (isset($_POST['formsubmitted']))
    {
        include ('../../scripts/dbconnect.php');

        $username = mysql_real_escape_string($_POST['username']);
        $password = crypt(mysql_real_escape_string($_POST['password']));

        $qry = "SELECT ID FROM Register WHERE emailinput='$username' AND Password='$password'";
        $result = mysql_query($qry);

        if(mysql_num_rows($result) > 0)
        {
            echo 'SUCCESS';
            //START SESSION
        }
        else
        {
            echo 'FAILED';
            //YOU ARE NOT LOGGED IN
        }
    }

  1. So what's wrong with this login? Why isn't it working just using the crypt/storing only crypt?

  2. How can I make it work storing both the crypt and randomly generated SALTY :) ?

Ty in advance
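
The failure described in the post, shown as an added example that is not part of the original post: in PHP versions where the salt argument is optional, `crypt()` called without one generates a fresh random salt on every call, so a hash recomputed at login never equals the stored one and cannot be matched in the `WHERE` clause. The sketch stores the `crypt()` output (which already embeds its salt, so no separate "salty" value is appended) and verifies by passing the stored hash back as the salt. Assumptions: PHP 5.6 or later with SHA-512 `crypt()` and `pdo_sqlite`, an in-memory SQLite table standing in for the MySQL `Register` table, and the hypothetical helper names `make_salt`, `register` and `login`.

```php
<?php
// Added example: constructed data, not the poster's schema or host setup.
// Assumes PHP >= 5.6 with pdo_sqlite; in-memory SQLite stands in for MySQL.

function make_salt() {
    // 12 random bytes -> 16 base64 chars, mapped onto crypt's salt alphabet [./0-9A-Za-z].
    $raw = function_exists('random_bytes') ? random_bytes(12) : openssl_random_pseudo_bytes(12);
    return '$6$rounds=5000$' . strtr(base64_encode($raw), '+', '.') . '$';
}

function register(PDO $db, $email, $password) {
    $hash = crypt($password, make_salt()); // algorithm id and salt are embedded in $hash
    $st = $db->prepare('INSERT INTO Register (emailinput, Password) VALUES (?, ?)');
    $st->execute(array($email, $hash));
}

function login(PDO $db, $email, $password) {
    // Look the row up by e-mail only; the hash cannot be matched inside the SQL query.
    $st = $db->prepare('SELECT Password FROM Register WHERE emailinput = ?');
    $st->execute(array($email));
    $stored = $st->fetchColumn();
    if ($stored === false) {
        return false; // unknown e-mail address
    }
    // Passing the stored hash as the salt makes crypt() reuse its algorithm and salt.
    // The raw password is hashed as typed; SQL escaping it first would change the input.
    return hash_equals($stored, crypt($password, $stored));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Register (emailinput TEXT PRIMARY KEY, Password TEXT)');
register($db, 'user@example.test', 'correct horse');

// Same password, two different salts: the outputs differ, which is why comparing
// a freshly computed crypt() value against the stored column fails.
var_dump(crypt('correct horse', make_salt()) === crypt('correct horse', make_salt()));
var_dump(login($db, 'user@example.test', 'correct horse'));
var_dump(login($db, 'user@example.test', 'wrong'));
var_dump(login($db, 'nobody@example.test', 'correct horse'));
```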
