How to add sha1 hash password to LOGIN page

Discussion in 'PHP' started by Kayz, Oct 23, 2011.

  1. #1
    Hi guys, I have a script which I've been playing around with for over a day now with no luck!

    Now I can't seem to correctly create a login page to pass the hashed password using (sha1).

    Now all I want to do is verify the username and the (hashed) password against the database and allow the user in. The script I am using to check login works fine without a hashed password in the database. But ideally I'd like to use a hashed form of password.

    Can somebody show me what change I need to make in this script below in order to pass a sha1 hashed password? I'm guessing it's a really small change from the examples I've seen online, but I just can't seem to get mine to work. :|

    Your help would be much appreciated.

    Login Page PHP:

    
    <form name="login" method="post" action="check_login.php3">
    <p><strong>Secured Area User Log-in</strong></p>
    <p>Username: <input name="bioname" type="text" id="bioname"></p>
    <p>Password: <input name="biopass" type="password" id="biopass"></p>
    <p> </p>
    <p><input type="submit" name="Submit" value="Login"></p>
    </form>
    
    Check Login Processor (which is the file that needs the sha1 added somewhere, I think):

    
    <?php
    // Note: the mysql_* functions used below were removed in PHP 7; mysqli or PDO replace them.
    require_once('config.php3');

    // Connect to the server and select the database.
    mysql_connect($host, $username, $password) or die("cannot connect");
    mysql_select_db($db) or die("Unable to select database");

    $loginusername = false;
    $loginpassword = false;

    $err = false; // default error message is empty

    // The username and password sent from login.php
    // isset() basically means: if it's there, get it; otherwise don't bother
    if (isset($_POST['bioname'])) $loginusername = $_POST['bioname'];
    if (isset($_POST['biopass'])) $loginpassword = $_POST['biopass'];

    // if either isn't filled in, tell the user; a very basic bit of validation
    if (!$loginusername || !$loginpassword) $err = "please complete the form";

    if (!$err) // if no error, continue
    {
    	// The following bit of code protects against MySQL injection attacks
    	$loginusername = stripslashes($loginusername);
    	$loginpassword = stripslashes($loginpassword);
    	$loginusername = mysql_real_escape_string($loginusername);
    	$loginpassword = mysql_real_escape_string($loginpassword);

    	// you could add other things like a check for text only, etc.

    	$sql = "SELECT * FROM $tbl WHERE bioname='$loginusername' and biopass='$loginpassword'";

    	$result = mysql_query($sql);
    	// Count how many results were pulled from the table
    	$count = mysql_num_rows($result);

    	// If the result equals 1, continue
    	if ($count == 1)
    	{
    		session_start();
    		$_SESSION['user'] = $loginusername; // store session data
    		// Note that the session variable is generic, not per user; otherwise you would have to
    		// make this page different for every user. You don't need user1 or user2: it's the
    		// value stored that's relevant, not the variable name.
    		header("Location: {$loginusername}/index.php3");
    		exit; // stop here so nothing below runs after the redirect
    	}
    	else
    	{
    		$err = "Wrong Username or Password";
    	}
    } // end login if statement

    if ($err) // show error message if there is one
    {
    	echo $err;
    	echo "<br>Please go back in your browser and try again";
    }
    ?>

    The secure page:

    <?php
    session_start();

    $mypath = $_SERVER["REQUEST_URI"];
    //echo $mypath; // for debugging
    // now we have the path, let's see if the username is in that path, i.e. test2 is inside /something/test2/index.php
    // use the built-in strpos() function, which returns the position of the first occurrence of the string you are
    // looking for inside another string, or false if it is not found: http://php.net/manual/en/function.strpos.php

    // on testing it failed initially, as username test is found in path /test2/, so the slashes were added to stop
    // that: /test/ doesn't get found in /test2/
    // compare with !== false: strpos() returns 0 when the match sits at the very start of the string, and a bare
    // if() would treat that 0 as "not found"
    if (isset($_SESSION['user']) && strpos($mypath, "/" . $_SESSION['user'] . "/") !== false)
    {
    	echo "congratulations you are the right person in the right place";
    }
    else
    {
    	session_destroy(); // kill the session, naughty person trying to come here
    	header("Location: ../login.php3");
    	die(); // stop page executing any further
    }
    ?>

    <html>
    <body>


    </body>
    </html>

    Thanks and I look forward to your replies.
     
    Kayz, Oct 23, 2011 IP
  2. Divided

    Divided Peon

    Messages:
    30
    Likes Received:
    0
    Best Answers:
    3
    Trophy Points:
    0
    #2
    Just use $loginpassword = sha1($loginpassword); somewhere before you run the sql query.

    You will also need to ensure that all the passwords in your database have been encrypted using sha1. If they are plain text you'll have to write a quick PHP script to update all the records' passwords to be hashed using sha1.
     
    Divided, Oct 24, 2011 IP
  3. Divided
    #3
    Also, while you're at it, if you are going to make the jump to hashing (which is essential these days) you might as well get into the habit of hashing with salt and pepper for added security.

    Sorry for the double post and slight offtopic!


    Salt

    Salt is a random string you hash the password with which only you know and is secret. Its purpose is to defeat rainbow tables and precompiled lists of sha1 strings for straight comparison.

    Pepper

    Pepper is a key unique to the user which it does not matter if it is known, it's only used to ensure if your database is stolen, passwords cannot be cracked in parallel. This basically means that if two users have the same password, the hashes will be different.

    How I usually do it is something similar to this:

    
    
    // Define the site-wide secret first, so it exists by the time the function's default argument is evaluated.
    // define() takes the constant NAME first and its VALUE second (the original had the two swapped).
    define('MY_HASH', 'asfjk")l430dsf90#;sadf&43589sf');

    // Renamed from password_hash() because PHP 5.5+ ships a built-in function of that name,
    // and redeclaring a built-in is a fatal error.
    function my_password_hash($str, $pepper, $salt = MY_HASH){
      return sha1($str.$salt.$pepper);
    }

    // get hashed password: the username is the per-user value, MY_HASH the secret
    $password = my_password_hash($password, $username);
     
    Divided, Oct 24, 2011 IP
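    A worked version of the salt-and-pepper idea, added here as an example; it is not Divided's code or the thread's script. It uses the conventional names, which are the reverse of how the post above labels them: the random per-user value stored next to the hash is the salt, and the site-wide secret that never goes into the database is the pepper. The PEPPER literal is a constructed placeholder and the function names are this example's own.

    ```php
    <?php
    // Added example, not the thread's code. Salted + peppered SHA-1, with the salt stored
    // beside the hash and the pepper kept in server config only.

    // Site-wide secret. Load it from a config file outside the web root in real use; this
    // literal is a constructed placeholder, not a value to deploy.
    const PEPPER = 'replace-with-a-long-random-secret';

    // A fresh random salt for each user: 16 bytes, hex-encoded so it stores as 32 characters.
    function make_salt(): string
    {
        return bin2hex(random_bytes(16));
    }

    // Hash a password with a given (or new) salt and the pepper. Returns [hash, salt]; both
    // are stored with the user row, the pepper is not.
    function make_password_hash(string $password, ?string $salt = null): array
    {
        $salt = $salt ?? make_salt();
        return [sha1($salt . $password . PEPPER), $salt];
    }

    // Verify by recomputing with the stored salt and comparing in constant time.
    function check_password_hash(string $password, string $storedHash, string $storedSalt): bool
    {
        [$candidate] = make_password_hash($password, $storedSalt);
        return hash_equals($storedHash, $candidate);
    }

    // Demonstration on two constructed users: the same password yields different hashes
    // because each user got a different salt, which is the "cannot be cracked in parallel"
    // property the post describes.
    [$hashA, $saltA] = make_password_hash('testpassword');
    [$hashB, $saltB] = make_password_hash('testpassword');
    var_dump($hashA !== $hashB);                                    // different users, different hashes
    var_dump(check_password_hash('testpassword', $hashA, $saltA));  // right password, right salt
    var_dump(check_password_hash('wrongpassword', $hashA, $saltA)); // wrong password
    var_dump(check_password_hash('testpassword', $hashA, $saltB));  // right password, wrong salt
    ```

    At login time the user row supplies both stored columns to check_password_hash. sha1 is kept only because it is what this thread is working with; for anything new, PHP's own password_hash() and password_verify() (bcrypt, with the salt handled for you) are the better choice, and they also remove the need to manage a salt column.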
  4. Kayz

    Kayz Active Member

    Messages:
    245
    Likes Received:
    8
    Best Answers:
    0
    Trophy Points:
    60
    #4
    Hi there, I tried this but it did not work :(

    This is very useful, yes, but I think I am using sha1 but not salt. My login page is trying to connect to an existing database which has passwords already hashed from another script; I found that this was the sha1 hash I think is being used:

    
    // fragment from the other script, wrapped in a function so it runs as-is
    function generate_code() {
        $code = '';
        for($x = 0; $x<6; $x++) {
            $code .= '-'.substr(strtoupper(sha1(rand(0,999999999999999))),2,6);
        }
        $code = substr($code,1);
        return $code;
    }
    I don't want to salt it yet, I just want to be able to log in and pass the sha1 via my script, that's all. Then later I can think about salt and pepper... :)

    I look forward to your reply.
     
    Kayz, Oct 24, 2011 IP
  5. Divided
    #5
    Hmm, I'm not entirely sure what that code snippet is meant to do. Do you give the password to the function as a parameter? It looks like it's meant for generating random hashes?

    If you hash with a random int every time you only have a 1 in 999999999999999 chance the password will ever match :)
     
    Divided, Oct 24, 2011 IP
  6. Kayz
    #6
    OK, basically it's a script where, when the user logs in, they are taken to their secure '/loginusername' directory. This script works with a plain password and the user is able to log in to their own directory according to their login name. Their login names have folders in the directory. So when they log in through this one script it recognises their login name and directs them to their folder only.

    Now I tested it: I changed the passwords of two users to the same password and the hashed password is the same, so it's not using salt, just simple sha1 hashing by the looks of it.


    I spent one whole weekend trying to get this to work but no luck! :( Everything works, just not the login page....
     
    Kayz, Oct 24, 2011 IP
  7. Rukbat

    Rukbat Well-Known Member

    Messages:
    2,908
    Likes Received:
    37
    Best Answers:
    51
    Trophy Points:
    125
    #7
    The way hashed passwords work is that you hash the password the user gives you when he logs in, then you compare it to the hash stored in the database. You don't use random numbers.

    SHA1 creates a 160 bit hash, so all your passwords should be 160 bits (20 characters) long.

    Your code is close, except for 2 factors:

    1) Check for empty login or empty password in the client. Don't even submit unless both are non-blank. (Check on the server too, in case someone calls the PHP page without going through your form.)

    2) Change the code to
    
    $err = false; // default error message is empty
    
    // The username and password sent from login.php
    //the isset() basically means if its there get it, otherwise dont bother
    
    $loginusername = isset($_POST['bioname'] ? $loginusername=$_POST['bioname'] : '';
    $loginpassword = isset($_POST['biopass'] ? $loginpassword=sha1($_POST['biopass']) : '';
    
    // if either isnt filled in, tell the user, a very basic bit of validation
    
    if (!$loginusername || !$loginpassword) $err = "please complete the form";
    if (!$err) //if no error continue
    
    {
        //The following bit of coding protects from MySQL injection attacks
    
        $loginusername = stripslashes($loginusername);
        $loginpassword = stripslashes($loginpassword);
        $loginusername = mysql_real_escape_string($loginusername);
        $loginpassword = mysql_real_escape_string($loginpassword);
    
        //you could add other things like check for text only blah blah
    
        $sql="SELECT * FROM $tbl WHERE bioname='$loginusername' and biopass='$loginpassword'";
     
    Rukbat, Oct 24, 2011 IP
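    The flow Rukbat describes, written out as a complete check_login step. This is an added example, not Rukbat's or Kayz's code. It assumes what the thread shows: config.php3 defines $host, $username, $password, $db and $tbl, the table has columns bioname and biopass, and biopass holds the 40-character hex output of sha1(). The mysql_* calls are replaced by mysqli so the username is bound as a parameter instead of being pasted into the SQL; the function names are this example's own.

    ```php
    <?php
    // Added example, not the thread's code: hash what the user typed, compare it with the
    // digest already in the database, and only then start a session.

    // Fetch the stored digest for one username, or null if no such user exists.
    function fetch_stored_hash(mysqli $conn, string $table, string $user): ?string
    {
        // A table name cannot be bound, so $table must come from trusted config only.
        $stmt = $conn->prepare("SELECT biopass FROM `$table` WHERE bioname = ? LIMIT 1");
        if ($stmt === false) {
            return null;
        }
        $stmt->bind_param('s', $user);
        $stmt->execute();
        $stmt->bind_result($stored);
        $hash = $stmt->fetch() ? (string)$stored : null;
        $stmt->close();
        return $hash;
    }

    // The core of the thread: sha1() the submitted password and compare it with the stored
    // digest. hash_equals() compares in constant time; strtolower() tolerates digests that
    // were stored upper-cased. A missing user simply compares as false, so the response does
    // not reveal whether the username exists.
    function password_matches(string $submitted, ?string $storedHash): bool
    {
        if ($storedHash === null) {
            return false;
        }
        return hash_equals(strtolower($storedHash), sha1($submitted));
    }

    // Rukbat's point 1, done on the server: never rely on the browser having checked the form.
    function read_credentials(array $post): ?array
    {
        $user = isset($post['bioname']) ? trim((string)$post['bioname']) : '';
        $pass = isset($post['biopass']) ? (string)$post['biopass'] : '';
        return ($user === '' || $pass === '') ? null : [$user, $pass];
    }

    if (PHP_SAPI === 'cli') {
        // Offline check against a constructed stored digest; no database needed.
        $storedDigest = sha1('testpassword');
        var_dump(password_matches('testpassword', $storedDigest));
        var_dump(password_matches('wrongpassword', $storedDigest));
        var_dump(password_matches('testpassword', null));
        exit;
    }

    // Web wiring, using the config variables the thread's script already relies on.
    require_once 'config.php3';
    $creds = read_credentials($_POST);
    if ($creds === null) {
        exit('please complete the form');
    }
    [$loginusername, $loginpassword] = $creds;

    $conn   = new mysqli($host, $username, $password, $db);
    $stored = fetch_stored_hash($conn, $tbl, $loginusername);

    if (password_matches($loginpassword, $stored)) {
        session_start();
        session_regenerate_id(true);                 // fresh session id once authenticated
        $_SESSION['user'] = $loginusername;
        header('Location: ' . rawurlencode($loginusername) . '/index.php3');
        exit;                                        // nothing after a redirect should run
    }
    echo 'Wrong Username or Password';
    ```

    One check worth running before debugging the PHP any further: sha1() always returns 40 hex characters, so a biopass value of any other length cannot equal sha1($password), whatever the login code does. Kayz reports 30-character stored values in post #8; a column too narrow to hold the full digest, or a different hashing scheme on the registration side, would both produce exactly the "correct password but cannot log in" symptom this thread is chasing.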
  8. Kayz
    #8
    Thanks for this. I just checked and my password character count is 30 for the hashed passwords.

    Now I tried your above solution, which looks a little more like the examples I've seen online. I think we're almost there, but it returned the following error for the line:

    
    $loginusername = isset($_POST['bioname'] ? $loginusername=$_POST['bioname'] : '';
    $loginpassword = isset($_POST['biopass'] ? $loginpassword=sha1($_POST['biopass']) : '';
    
    Parse error: syntax error, unexpected '?', expecting ',' or ')'

    So I added the ')' before the '?'. I get no errors but I am still unable to log in. :(
     
    Kayz, Oct 24, 2011 IP
  9. Kayz
    #9
    OK, I discovered something else.

    With my old method:

    
    if (isset($_POST['bioname'])) $loginusername=$_POST['bioname'];
    if (isset($_POST['biopass']))$loginpassword=$_POST['biopass'];
    
    I was not able to log in; however, if I logged in with the actual hashed password then it would pass.

    Your solution looks very close with the sha1 applied; this time even if I apply the actual hashed password I cannot get in. It requires a small tweak somewhere, I think.
     
    Kayz, Oct 24, 2011 IP
  10. webshore88

    webshore88 Well-Known Member

    Messages:
    130
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    123
    #10
    Passwords are encrypted in the DB with sha1 and not using salt or pepper, right?
     
    webshore88, Oct 24, 2011 IP
  11. Kayz
    #11
    I think so, yes, just sha1.

    If I set the same password for two users I see the same hash.
     
    Kayz, Oct 25, 2011 IP
  12. webshore88
    #12
    Then simply change the given password into sha1 and match it with the DB password. Is it not cool?
     
    webshore88, Oct 25, 2011 IP
  13. Kayz
    #13
    Yes, that is what I am trying to do. The password in the database is already sha1 hashed.

    Now the question to you is: how do I implement the sha1 on the login page so that when the user presses 'submit' it will recognise the password in the database, allowing the user in?
     
    Kayz, Oct 25, 2011 IP
  14. webshore88
    #14
    Try this:

    ........
    $loginpassword = sha1($loginpassword);
    $sql="SELECT * FROM $tbl WHERE bioname='$loginusername' and biopass='$loginpassword'";
    ........
     
    webshore88, Oct 25, 2011 IP
  15. Kayz
    #15
    Nope, this does not work... Unable to log in.
     
    Kayz, Oct 25, 2011 IP
  16. webshore88
    #16
    Can you give a brief explanation of the registration code?
     
    webshore88, Oct 25, 2011 IP
  17. Kayz
    #17
    Please see post #6
     
    Kayz, Oct 25, 2011 IP
  18. webshore88
    #18
    That means you did change all passwords into sha1 that are shared by two or more users, right?
     
    webshore88, Oct 25, 2011 IP
  19. Kayz
    #19
    OK, maybe you did not understand what I am saying, let me clarify again.

    1. The registration form is working fine.
    2. When somebody registers, their login name and password are stored in the database.
    3. The password is stored with the sha1 encryption in the database.

    Now I need to get my login page working so that when the user puts in the password, e.g. 'testpassword', it will be processed as sha1, matching the password stored in the database and thus granting the user access.
     
    Kayz, Oct 25, 2011 IP
  20. webshore88
    #20
    Ya, I got your problem: you want the password not to be the same in the DB even when users share the same password. I think this will solve your problem:

    if($count == 0){
        // check here with sha1 password
        $loginpassword = sha1($loginpassword);
        $sql="SELECT * FROM $tbl WHERE bioname='$loginusername' and biopass='$loginpassword'";
        $result=mysql_query($sql);
        if(mysql_num_rows($result)){
            session_start();
            $_SESSION['user'] = $loginusername; // store session data
            header("Location: {$loginusername}/index.php3");
        }
    }
    if($count==1){
        session_start();
        $_SESSION['user'] = $loginusername; // store session data
        header("Location: {$loginusername}/index.php3");
    }

    Hope this will help you.
     
    webshore88, Oct 25, 2011 IP
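    Divided's post #2 says the existing plain-text rows must be converted before an sha1 login check can ever match, and webshore88's #20 instead accepts either form at every login. The added example below (not webshore88's or Divided's code) takes the first route: convert the column once, so the login script only ever has to compare sha1 digests. It assumes the thread's table layout (bioname, biopass) and treats a value as already hashed exactly when it is a 40-character hex string, which is what PHP's sha1() produces; the function names are this example's own.

    ```php
    <?php
    // Added example, not the thread's code: one-off migration of plain-text biopass values
    // to sha1 digests, written so the pure decision logic can be run without a database.

    // sha1() output is always 40 hex characters; anything else is taken to be plain text.
    function looks_like_sha1(string $value): bool
    {
        return (bool)preg_match('/\A[0-9a-f]{40}\z/i', $value);
    }

    // Decide the new value for one row, or null if the row already holds a digest.
    function migrated_value(string $stored): ?string
    {
        return looks_like_sha1($stored) ? null : sha1($stored);
    }

    // Walk every row; $persist($bioname, $newHash) writes one row back. Returns how many
    // rows were rewritten, so a second run on a converted table reports 0 instead of
    // double-hashing anything.
    function migrate_passwords(iterable $rows, callable $persist): int
    {
        $changed = 0;
        foreach ($rows as $row) {
            $new = migrated_value((string)$row['biopass']);
            if ($new !== null) {
                $persist((string)$row['bioname'], $new);
                $changed++;
            }
        }
        return $changed;
    }

    // MySQL wiring with mysqli prepared statements. Run once from the CLI, after a backup.
    // mysqli_result is Traversable and yields associative arrays, so it fits $rows directly.
    function migrate_table(mysqli $conn, string $table): int
    {
        $rows = $conn->query("SELECT bioname, biopass FROM `$table`");
        $upd  = $conn->prepare("UPDATE `$table` SET biopass = ? WHERE bioname = ?");
        return migrate_passwords($rows, function (string $name, string $hash) use ($upd) {
            $upd->bind_param('ss', $hash, $name);
            $upd->execute();
        });
    }

    // Offline demonstration on constructed rows: one plain-text row, one already-hashed row.
    $sample = [
        ['bioname' => 'test',  'biopass' => 'testpassword'],
        ['bioname' => 'test2', 'biopass' => sha1('otherpassword')],
    ];
    $written = [];
    $n = migrate_passwords($sample, function (string $name, string $hash) use (&$written) {
        $written[$name] = $hash;
    });
    printf("%d row(s) rewritten; 'test' now stores %s\n", $n, $written['test']);
    printf("second pass rewrites %d row(s)\n", migrate_passwords(
        array_map(fn ($r) => ['bioname' => $r['bioname'], 'biopass' => $written[$r['bioname']] ?? $r['biopass']], $sample),
        function () {}
    ));
    ```

    The "already hashed" test is a heuristic: a plain-text password that happens to be 40 hex characters would be skipped, and a column that is already hashed but truncated (the 30-character values Kayz mentions) would be hashed again and break those logins. Check the column definition and a few sample rows before running it against real data, and make sure the biopass column is at least 40 characters wide.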