sha1() passwd in mysql help... (beginner)

**Erwin Moller** · Mar 26 '07, 12:05 PM

Re: sha1() passwd in mysql help... (beginner)

sathyashrayan wrote:

Dear group,
>
For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with
>
$passwd = sha1($_REQUEST['passwd']);
>
I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.

So:
supose you have a table with userid and sha1_passwd:

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."'); ";

Execute it and see if it has a result. If not, no good password, if so, you
have the userid.

Regards,
Erwin Moller

**sathyashrayan** · Mar 26 '07, 12:35 PM

Re: sha1() passwd in mysql help... (beginner)

On Mar 26, 4:59 pm, Erwin Moller
<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

sathyashrayan wrote:

Dear group,

>

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

>

$passwd = sha1($_REQUEST['passwd']);

>

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

>
How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.
>
So:
supose you have a table with userid and sha1_passwd:
>
$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."'); ";
>
Execute it and see if it has a result. If not, no good password, if so, you
have the userid.
>
Regards,
Erwin Moller

This way?

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

$new = $sha; /*save the passwd localy*/

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

**shimmyshack** · Mar 26 '07, 02:45 PM

Re: sha1() passwd in mysql help... (beginner)

On 26 Mar, 13:29, "sathyashra yan" <asm_f...@yahoo .co.ukwrote:

On Mar 26, 4:59 pm, Erwin Moller
>
>
>
<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

sathyashrayan wrote:

Dear group,

>

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

>

$passwd = sha1($_REQUEST['passwd']);

>

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

>

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.

>

So:
supose you have a table with userid and sha1_passwd:

>

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."'); ";

>

Execute it and see if it has a result. If not, no good password, if so, you
have the userid.

>

Regards,
Erwin Moller

>
This way?
>
<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/
>
$new = $sha; /*save the passwd localy*/
>
if($new === $sha)
echo "correct";
else
echo "wrong";
?>

erwin just gave your answer.

registration stage
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha1(users_plai ntext_password)

login stage
1. create a random string and store in session on server,
2. send login form with username, password, and random string
3. when user enters password, set password field to
sha1( sha1(users_plai ntext_password) +random string ), and post form

auth stage
server computes sha1( users_hashed_pa ssword_in_datab ase +
$_SESSION['random_string'] )

if $_POST['password'] ==
sha1( users_hashed_pa ssword_in_datab ase + $_SESSION['random_string'] )

then OK, else not.

**shimmyshack** · Mar 26 '07, 02:45 PM

Re: sha1() passwd in mysql help... (beginner)

On 26 Mar, 15:35, "shimmyshac k" <matt.fa...@gma il.comwrote:

On 26 Mar, 13:29, "sathyashra yan" <asm_f...@yahoo .co.ukwrote:
>
>
>

On Mar 26, 4:59 pm, Erwin Moller

>

<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

sathyashrayan wrote:
Dear group,

>

For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with

>

$passwd = sha1($_REQUEST['passwd']);

>

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

>

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.

>

So:
supose you have a table with userid and sha1_passwd:

>

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."'); ";

>

Execute it and see if it has a result. If not, no good password, if so, you
have the userid.

>

Regards,
Erwin Moller

>

This way?

>

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

>

$new = $sha; /*save the passwd localy*/

>

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

>
erwin just gave your answer.
>
registration stage
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha1(users_plai ntext_password)
>
login stage
1. create a random string and store in session on server,
2. send login form with username, password, and random string
3. when user enters password, set password field to
sha1( sha1(users_plai ntext_password) +random string ), and post form
>
auth stage
server computes sha1( users_hashed_pa ssword_in_datab ase +
$_SESSION['random_string'] )
>
if $_POST['password'] ==
sha1( users_hashed_pa ssword_in_datab ase + $_SESSION['random_string'] )
>
then OK, else not.

Sorry Erwin. I should add, that I was assuming that "The password
field is encrypted with" meant that he initially used javascript to
hash the password client side, however on rereading - it doesnt appear
to be the case, so in this case job done, he should just run your code!

**sathyashrayan** · Mar 26 '07, 04:05 PM

Re: sha1() passwd in mysql help... (beginner)

On Mar 26, 4:39 pm, "sathyashra yan" <asm_f...@yahoo .co.ukwrote:

Dear group,
>
For a log-in page I have created a mysql db and user registers
with a user name and password. The password field is encrypted with
>
$passwd = sha1($_REQUEST['passwd']);
>
I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that. Any
help is appreciated. Thanks in advance.

Thanks for all the help.

**Rami Elomaa** · Mar 26 '07, 07:05 PM

Re: sha1() passwd in mysql help... (beginner)

Erwin Moller kirjoitti:

sathyashrayan wrote:
>

> Dear group,
>>
> For a log-in page I have created a mysql db and user registers
>with a user name and password. The password field is encrypted with
>>
> $passwd = sha1($_REQUEST['passwd']);
>>
> I insert the $passwd in mysql_insert. The password gets
>encrypted and stored in mysql. Now I want to check if the user has
>entered the correct password when he logs in. How can I do that. Any
>help is appreciated. Thanks in advance.

>
How?
Compare them of course.
The fact that the password is encrypted doesn't make it something else than
a string of bits.
>
So:
supose you have a table with userid and sha1_passwd:
>
$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."'); ";

I'd select first the row that matches username and then compare the
password of that row to the sha'd password.

The problem with your method is that two users having the same password
(say "123abc" or "password") can collide. Usernames should be unique,
passwords shouldn't. (Furthermore, if a user tries to set a password and
system reports that it's taken, it opens an unwanted door...)

--
Rami.Elomaa@gma il.com
"Olemme apinoiden planeetalla."

**Erwin Moller** · Mar 27 '07, 12:55 PM

Re: sha1() passwd in mysql help... (beginner)

shimmyshack wrote:

On 26 Mar, 15:35, "shimmyshac k" <matt.fa...@gma il.comwrote:

>On 26 Mar, 13:29, "sathyashra yan" <asm_f...@yahoo .co.ukwrote:
>>
>>
>>

On Mar 26, 4:59 pm, Erwin Moller

>>

<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:
sathyashrayan wrote:
Dear group,

>>

For a log-in page I have created a mysql db and user
registers
with a user name and password. The password field is encrypted with

>>

$passwd = sha1($_REQUEST['passwd']);

>>

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that.
Any help is appreciated. Thanks in advance.

>>

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something
else than a string of bits.

>>

So:
supose you have a table with userid and sha1_passwd:

>>

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd =
'".$passwd."'); ";

>>

Execute it and see if it has a result. If not, no good password, if
so, you have the userid.

>>

Regards,
Erwin Moller

>>

This way?

>>

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

>>

$new = $sha; /*save the passwd localy*/

>>

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

>>
>erwin just gave your answer.
>>
>registration stage
>get user's password at registration - you should do this securely
>using SSL.
>hash and store in database = sha1(users_plai ntext_password)
>>
>login stage
>1. create a random string and store in session on server,
>2. send login form with username, password, and random string
>3. when user enters password, set password field to
>sha1( sha1(users_plai ntext_password) +random string ), and post form
>>
>auth stage
>server computes sha1( users_hashed_pa ssword_in_datab ase +
>$_SESSION['random_string'] )
>>
>if $_POST['password'] ==
>sha1( users_hashed_pa ssword_in_datab ase + $_SESSION['random_string'] )
>>
>then OK, else not.

>
Sorry Erwin.

Hey! Don't appologize!
Your explanation was a lot better and clearer than my short vague response.
:-)
I didn't even mention a random string. ;-)

Regards,
Erwin

I should add, that I was assuming that "The password

field is encrypted with" meant that he initially used javascript to
hash the password client side, however on rereading - it doesnt appear
to be the case, so in this case job done, he should just run your code!

**shimmyshack** · Mar 27 '07, 02:45 PM

Re: sha1() passwd in mysql help... (beginner)

On 27 Mar, 13:54, Erwin Moller
<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:

shimmyshack wrote:

On 26 Mar, 15:35, "shimmyshac k" <matt.fa...@gma il.comwrote:

On 26 Mar, 13:29, "sathyashra yan" <asm_f...@yahoo .co.ukwrote:

>

On Mar 26, 4:59 pm, Erwin Moller

>

<since_humans_r ead_this_I_am_s pammed_too_m... @spamyourself.c omwrote:
sathyashrayan wrote:
Dear group,

>

For a log-in page I have created a mysql db and user
registers
with a user name and password. The password field is encrypted with

>

$passwd = sha1($_REQUEST['passwd']);

>

I insert the $passwd in mysql_insert. The password gets
encrypted and stored in mysql. Now I want to check if the user has
entered the correct password when he logs in. How can I do that.
Any help is appreciated. Thanks in advance.

>

How?
Compare them of course.
The fact that the password is encrypted doesn't make it something
else than a string of bits.

>

So:
supose you have a table with userid and sha1_passwd:

>

$passwd = sha1($_REQUEST['passwd']);
$SQL = "SELECT userid FROM tblusers where (sha1_passwd =
'".$passwd."'); ";

>

Execute it and see if it has a result. If not, no good password, if
so, you have the userid.

>

Regards,
Erwin Moller

>

This way?

>

<?php
$sha = sha1("sathya"); /*$sha to be inserted in db*/

>

$new = $sha; /*save the passwd localy*/

>

if($new === $sha)
echo "correct";
else
echo "wrong";
?>

>

erwin just gave your answer.

>

registration stage
get user's password at registration - you should do this securely
using SSL.
hash and store in database = sha1(users_plai ntext_password)

>

login stage
1. create a random string and store in session on server,
2. send login form with username, password, and random string
3. when user enters password, set password field to
sha1( sha1(users_plai ntext_password) +random string ), and post form

>

auth stage
server computes sha1( users_hashed_pa ssword_in_datab ase +
$_SESSION['random_string'] )

>

if $_POST['password'] ==
sha1( users_hashed_pa ssword_in_datab ase + $_SESSION['random_string'] )

>

then OK, else not.

>

Sorry Erwin.

>
Hey! Don't appologize!
Your explanation was a lot better and clearer than my short vague response.
:-)
I didn't even mention a random string. ;-)
>
Regards,
Erwin
>
I should add, that I was assuming that "The password
>

field is encrypted with" meant that he initially used javascript to
hash the password client side, however on rereading - it doesnt appear
to be the case, so in this case job done, he should just run your code!

cool, and of course I forgot to mention that the point of this random
string is to be used as a one-time-pad after the login attempt is
should be expired immediately from the session, and a new form with
new random_string sent and stored in session. this prevents passive
man-in-the-middle attempts to login after you.
You could remove the random_string from the session only after
successful login, but then that would allow the passive guy to grab
your mispelt password, adjust it and try again, (s/he is probably on
your LAN and could know enough to guess the typo) so sending a new one-
time-pad with each login form is best.

It works of course because the server has to compare
if $_POST['password']
with
sha1( users_hashed_pa ssword_in_datab ase +
$_SESSION['random_string'] )
so if the random string has gone each time, then the server cannot
compute the same value for
users_hashed_pa ssword_in_datab ase + $_SESSION['random_string']
as was sent by user

Remember though, this method just protects the login, if you then use
the presense of the session ID as an "authentica tion token" anyone
could grab that and replay it, piggybacking on your session.
Piggybacking testing can be fun though, I run a free wireless node
which is unencrypted, and friends and neighbours are happy to know we
can all piggyback if we can sniff the network and adjust the cookies -
it is simply AMAZING how many sites trust the presense of a particular
session id to proove that the user has authenticated and should have
access. It is hard to do prevent this without SSL though, so perhaps
it's just prohibitive dev/cert cost, which is where:

Welcome to CAcert.org

http://www.cacert.org/

comes in!

sha1() passwd in mysql help... (beginner)

sha1() passwd in mysql help... (beginner)

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment