SIGNING IN with hashed and salted password

General PHP Help
#1

Hello,

This first code chunk is how I am hashing and storing passwords of new members signing up:

[php]if(!$error) {
	
	$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
	$rand = str_shuffle($alpha);
	$salt = substr($rand,0,40);
	$hashed_password = sha1($salt . $_POST['password']);
	
	$query = "INSERT INTO `Users` (
								`FirstName`,
								`LastName`,
								`Email`,
								`Password`,
								`salt`,
								`RelationshipToCF`,
								`State`,
								`Gender`,
								`Birthday`,
								`Status`
							)VALUES(
								'" . mysql_real_escape_string($_POST['firstName']) . "',
								'" . mysql_real_escape_string($_POST['lastName']) . "',
								'" . mysql_real_escape_string($_POST['email']) . "',
								'" . $hashed_password . "',
								'" . $salt . "',
								'" . mysql_real_escape_string($_POST['RelationToCF']) . "',
								'" . mysql_real_escape_string($_POST['State']) . "',
								'" . mysql_real_escape_string($_POST['sex']) . "',
								'" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
								'pending'
							)";
	mysql_query($query, $connection);
						[/php]

This second code chunk is how I am updating existing users passwords:

/* 1: find all the users in the database */
$query = "SELECT * FROM Users";
$request = mysql_query($query,$connection);

	/* 2: loop through each user :done */
	while($result = mysql_fetch_array($request)) {
		
	/* 3:create a random salt, save random salt to user's row */
	$alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
	$rand = str_shuffle($alpha);
	$salt = substr($rand,0,40);
	$hashed_password = sha1($salt . $result['Password']);
	$user = $result['id'];
	
	/* 4: use user's random salt to hash user's original password */
	$query2 = "UPDATE `cysticUsers` SET `salt` = '$salt' WHERE `id` = '$user'";
	$request2 = mysql_query($query2,$connection) or die(mysql_error());
	
	/* 5: save the hashed version to their row */
	$query3 = "UPDATE `cysticUsers` SET `Password` = '$hashed_password' WHERE `id` = '$user'";
	$request3 = mysql_query($query3,$connection) or die(mysql_error());
									
	}

And finally, the one I am having GREAT trouble getting to work. I am trying to allow them to sign in with their clear text password and am failing :frowning:

$salty_password = sha1($row[‘salt’], $_POST[‘password’]);

[php]if(isset($_POST[‘subSignIn’]) && !empty($_POST[‘email’]) && !empty($_POST[‘password’])) {

$query =  "SELECT `salt` FROM `Users` WHERE `Email` = '" . $_POST['email'] . "'";
$request = mysql_query($query,$connection) or die(mysql_error());
$result = mysql_fetch_array($request);



$query2 = "SELECT * FROM `Users` WHERE `Email` = '". $_POST['email']."' AND `Password` = '$salty_password'";
$request2 = mysql_query($query2,$connection) or die(mysql_error());
$result = mysql_fetch_array($request2);

echo $result['id'];

if(@mysql_num_rows($request,$request2)) {

	$_SESSION['CLIFE']['AUTH'] = true;
	$_SESSION['CLIFE']['ID'] = $result['id'];
	
	// UPDATE LAST ACTIVITY FOR USER
	$query = "UPDATE `Users` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
	mysql_query($query,$connection);

	
	if(!empty($_POST['return'])) {
		header("Location: " . $_POST['return']);
	
	}else{
		header("Location: Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
		}
	}
	
}else{

	$_SESSION['CLIFE']['AUTH'] = false;
	$_SESSION['CLIFE']['ID'] = false;

}

?>
[/php]

I feel like I am REALLY close. Thank you so much in advance.

Sponsor our Newsletter | Privacy Policy | Terms of Service