Password verification

[svar]

A user accesses a form which reguires a login, so one enters a username and password.
These are to be checked against a database table presumably of the form


username hashed_password ....

so the password entered must be hashed , e.g.

$password=md5($_POST['pass']);

and then compared to the ones in the databas table. So the question is,
how do I know what hashing the database uses? For simplicity, let's confine this to mysql.

 

[jpadie]

how do I know what hashing the database uses? For simplicity, let's confine this to mysql.

what do you mean? the hash is whatever you specify it as.

typically the database table would look like this

userID INT(10), 
userName varchar(255), 
pwd varchar(64)

then you can address the database like this

$sql = "insert into users (userID, userName, pwd) values (NULL, '%s', MD5('%s'))";
mysql_query(sprintf($sql, mysql_real_escape_string($_POST['userName']), mysql_real_escape_string($_POST['password']));

of course, you don't have to use MD5. you can choose whatever scheme you want. If the hashing scheme is not supported natively within mysql then you can just do it within php

$sql = "insert into users (userID, userName, pwd) values (NULL, '%s', '%s')";
mysql_query(sprintf($sql, mysql_real_escape_string($_POST['userName']), mysql_real_escape_string(SHA1($_POST['password'])));

then so long as your application knows what hashing algorithm has been used to INSERT the database rows, it is a simple matter to authenticate the user

$sql = "select count(*) as cnt from users users where userName='%s' and pwd='%s'";
$result = mysql_query(sprintf($sql, mysql_real_escape_string($_POST['userName']), mysql_real_escape_string(SHA1($_POST['password'])));
$row = mysql_fetch_obj($result);
if($row->cnt == 1) // user authenticated

of course you can make the hashing algorithm as complex as you like

function myHash($userName, $pwd){
  return sha1(md5($userName) . '_' . md5($pwd));
}

etc etc...

 

[svar]

Thanks, that was not a PHP question-the point was the database was not created and filled via the web app.

 

[jpadie]

I fail to understand.

1. you say this is not a php question

yet you posted in the php forum​

.
2. you ask how you know what hashing algorithm to use

I provide an answer and an explanation to your question and your underlying issue​

remember that this board does not exist solely for the question-askers. it also exists for those that read it seeking answers. it behoves every participant here to ask their questions in a fulsome and accurate manner; and to provide responses in a similar fashion. If you have solved your own question it behoves you to explain to the community how you solved it, what steps you took, and to post any eventual code that you used. that way everyone learns; which is the purpose of this community.

 

[svar]

jpadie,
the point was not clear perhaps -I apologize for posting here and thanks for your answer. My issue was with a preexisting database holding hashed passwords-with poor documentation on how these were hashed. I was pretty sure it was MD5, but it actually was MD5, converted to upper case and trimmed to VARCHAR(30). Until I figured that out, my first reaction was that maybe something wrong with PHP's md5 hashing, since this is the part I know least. Still, the question as posed was very poor. As should have been clear the database only holds data and does not care how the data was created. So, on this let me apologize again and promise not to ask such questions again.

 

[jpadie]

Trimming an md5 hash sounds like a truly terrible idea. Apart from anything else it increases the chance of (effective) hash collisions.