Hello,
This first code chunk is how I am hashing and storing passwords of new members signing up:
[php]if(!$error) {
$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
$rand = str_shuffle($alpha);
$salt = substr($rand,0,40);
$hashed_password = sha1($salt . $_POST['password']);
$query = "INSERT INTO `Users` (
`FirstName`,
`LastName`,
`Email`,
`Password`,
`salt`,
`RelationshipToCF`,
`State`,
`Gender`,
`Birthday`,
`Status`
)VALUES(
'" . mysql_real_escape_string($_POST['firstName']) . "',
'" . mysql_real_escape_string($_POST['lastName']) . "',
'" . mysql_real_escape_string($_POST['email']) . "',
'" . $hashed_password . "',
'" . $salt . "',
'" . mysql_real_escape_string($_POST['RelationToCF']) . "',
'" . mysql_real_escape_string($_POST['State']) . "',
'" . mysql_real_escape_string($_POST['sex']) . "',
'" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
'pending'
)";
mysql_query($query, $connection);
[/php]
This second code chunk is how I am updating existing users passwords:
/* 1: find all the users in the database */
$query = "SELECT * FROM Users
";
$request = mysql_query($query,$connection);
/* 2: loop through each user :done */
while($result = mysql_fetch_array($request)) {
/* 3:create a random salt, save random salt to user's row */
$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
$rand = str_shuffle($alpha);
$salt = substr($rand,0,40);
$hashed_password = sha1($salt . $result['Password']);
$user = $result['id'];
/* 4: use user's random salt to hash user's original password */
$query2 = "UPDATE `cysticUsers` SET `salt` = '$salt' WHERE `id` = '$user'";
$request2 = mysql_query($query2,$connection) or die(mysql_error());
/* 5: save the hashed version to their row */
$query3 = "UPDATE `cysticUsers` SET `Password` = '$hashed_password' WHERE `id` = '$user'";
$request3 = mysql_query($query3,$connection) or die(mysql_error());
}
And finally, the one I am having GREAT trouble getting to work. I am trying to allow them to sign in with their clear text password and am failing
$salty_password = sha1($row[‘salt’], $_POST[‘password’]);
[php]if(isset($_POST[‘subSignIn’]) && !empty($_POST[‘email’]) && !empty($_POST[‘password’])) {
$query = "SELECT `salt` FROM `Users` WHERE `Email` = '" . $_POST['email'] . "'";
$request = mysql_query($query,$connection) or die(mysql_error());
$result = mysql_fetch_array($request);
$query2 = "SELECT * FROM `Users` WHERE `Email` = '". $_POST['email']."' AND `Password` = '$salty_password'";
$request2 = mysql_query($query2,$connection) or die(mysql_error());
$result = mysql_fetch_array($request2);
echo $result['id'];
if(@mysql_num_rows($request,$request2)) {
$_SESSION['CLIFE']['AUTH'] = true;
$_SESSION['CLIFE']['ID'] = $result['id'];
// UPDATE LAST ACTIVITY FOR USER
$query = "UPDATE `Users` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
mysql_query($query,$connection);
if(!empty($_POST['return'])) {
header("Location: " . $_POST['return']);
}else{
header("Location: Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
}
}
}else{
$_SESSION['CLIFE']['AUTH'] = false;
$_SESSION['CLIFE']['ID'] = false;
}
?>
[/php]
I feel like I am REALLY close. Thank you so much in advance.