Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Password verification

Status
Not open for further replies.

svar

Programmer
Aug 12, 2001
349
GR
A user accesses a form which reguires a login, so one enters a username and password.
These are to be checked against a database table presumably of the form


username hashed_password ....

so the password entered must be hashed , e.g.
Code:
$password=md5($_POST['pass']);


and then compared to the ones in the databas table. So the question is,
how do I know what hashing the database uses? For simplicity, let's confine this to mysql.
 
how do I know what hashing the database uses? For simplicity, let's confine this to mysql.

what do you mean? the hash is whatever you specify it as.

typically the database table would look like this
Code:
userID INT(10), 
userName varchar(255), 
pwd varchar(64)

then you can address the database like this

Code:
$sql = "insert into users (userID, userName, pwd) values (NULL, '%s', MD5('%s'))";
mysql_query(sprintf($sql, mysql_real_escape_string($_POST['userName']), mysql_real_escape_string($_POST['password']));

of course, you don't have to use MD5. you can choose whatever scheme you want. If the hashing scheme is not supported natively within mysql then you can just do it within php

Code:
$sql = "insert into users (userID, userName, pwd) values (NULL, '%s', '%s')";
mysql_query(sprintf($sql, mysql_real_escape_string($_POST['userName']), mysql_real_escape_string(SHA1($_POST['password'])));


then so long as your application knows what hashing algorithm has been used to INSERT the database rows, it is a simple matter to authenticate the user

Code:
$sql = "select count(*) as cnt from users users where userName='%s' and pwd='%s'";
$result = mysql_query(sprintf($sql, mysql_real_escape_string($_POST['userName']), mysql_real_escape_string(SHA1($_POST['password'])));
$row = mysql_fetch_obj($result);
if($row->cnt == 1) // user authenticated

of course you can make the hashing algorithm as complex as you like

Code:
function myHash($userName, $pwd){
  return sha1(md5($userName) . '_' . md5($pwd));
}
etc etc...
 
Thanks, that was not a PHP question-the point was the database was not created and filled via the web app.
 
I fail to understand.

1. you say this is not a php question
yet you posted in the php forum​
.

2. you ask how you know what hashing algorithm to use
I provide an answer and an explanation to your question and your underlying issue​

remember that this board does not exist solely for the question-askers. it also exists for those that read it seeking answers. it behoves every participant here to ask their questions in a fulsome and accurate manner; and to provide responses in a similar fashion. If you have solved your own question it behoves you to explain to the community how you solved it, what steps you took, and to post any eventual code that you used. that way everyone learns; which is the purpose of this community.
 
jpadie,
the point was not clear perhaps -I apologize for posting here and thanks for your answer. My issue was with a preexisting database holding hashed passwords-with poor documentation on how these were hashed. I was pretty sure it was MD5, but it actually was MD5, converted to upper case and trimmed to VARCHAR(30). Until I figured that out, my first reaction was that maybe something wrong with PHP's md5 hashing, since this is the part I know least. Still, the question as posed was very poor. As should have been clear the database only holds data and does not care how the data was created. So, on this let me apologize again and promise not to ask such questions again.
 
Trimming an md5 hash sounds like a truly terrible idea. Apart from anything else it increases the chance of (effective) hash collisions.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top