HI there, First thing I would like to point out is I’m new to the forum so thanks so much for taking the time to read this. Second I have searched the forum with no luck, however, if you know of a topic that covers this issue I would be more than happy to read it 
just let me know.
ok so here’s the overview;
I am making a database driven website with user accounts and such and security is a high priority. I am trying to get user registration and login to work together correctly with mysql injection protection, and password hashing.
The problem, I create a user with my user registration script and everything goes into the database fantastically, however, when I use my login script to login it rejects the hashed password. I am not using md5() or just straight sha1() I am using the following functions
[php]
define(‘SALT_LENGTH’,10);
//plain text is the user entered password
function generateHash($plainText, $salt = null)
{
if ($salt === null)
{
$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
}
else
{
$salt = substr($salt, 0, SALT_LENGTH);
}
return $salt . sha1($salt . $plainText);
}
[/php]
I am using the following function to handle escaping my user input ($_POST etc.)
[php]
//unclean_array is the $_POST
function stopHackers($unclean_array)
{
foreach($unclean_array as $key => $item)
{
$cleansed_item = stripslashes($item);
$cleansed_item = mysql_real_escape_string($cleansed_item);
$cleansed_array[$key] = $cleansed_item;
}
//cleansed array is the return array while the “cleansed values”
return $cleansed_array;
}
[/php]
here is the login page
[php]
session_start();
// username and password sent from form
$login_array = array($_POST[‘email’], $_POST[‘password’]);
$clean_login_array = stopHackers($login_array);
$email = $clean_login_array[0];
$mypassword = $clean_login_array[1];
// BEGIN PASSWORD DECRYPTION
$salt_find = “SELECT salt, email FROM users WHERE email=’”.$email."’";
$salt_result = mysql_query($salt_find);
$salt_row = mysql_fetch_row($salt_result);
$salt = $salt_row[0];
$mypassword = generateHash($mypassword,$salt);
$sql=“SELECT id, email, password FROM users WHERE email=’”.$email."’ and password=’".$mypassword."’";
$result = mysql_query($sql);
// Mysql_num_row is counting table row
$count = mysql_num_rows($result);
// If result matched $email and $mypassword, table row must be 1 row
if($count==1){
$_SESSION[‘email’] = $email;
header(“Location: …/index.php”);
}
else {
echo "Wrong Username or Password
Email: “.$email.”
Password: “.$mypassword.”
";
}
[/php]
and here is my registration page
[php]
session_start();
//mysql injection protection function
$clean_array = stopHackers($_POST);
//cleansed information stored in variables for use by MySQL
$email = $clean_array[‘reg_email’];
$password = $clean_array[‘password’];
$confirm_pass = $clean_array[‘confirm’];
$first_name = $clean_array[‘f_name’];
$last_name = $clean_array[‘l_name’];
$address = $clean_array[‘address’];
$city = $clean_array[‘city’];
$province = $clean_array[‘prov’];
$postal_code = $clean_array[‘postal’];
//hash for security purposes
$password = generateHash($password);
$salt = substr($password,0,SALT_LENGTH);
$insert_query = "
INSERT INTO users(id,first_name,last_name,email,password,salt,address,city,province,postal_code)
values(’’,’$first_name’,’$last_name’,’$email’,’$password’,’$salt’,’$address’,’$city’,’$province’,’$postal_code’)
";
//print $insert_query.’
‘.$password.’
’.$salt;
$result = mysql_query($insert_query);
if($result)
{
$_SESSION[‘email’] = $email;
header(“Location: …/index.php”);
}
else
{
// this line is for debugging purposes and will be replaced with a user friendly error message
print $insert_query ."
".mysql_error();
}
[/php]
so basically what happens is the registration page creates one hash and the login creates a different one. not sure where the problem is beside the fact that it started AFTER implementing the stopHackers() but that part worked when i was storing plain text passwords on the server and the entire system works flawlessly without stopHackers() or generateHash().
running WAMP on windows XP SP3, Apache 2.2, PHP 5.3.5 and MySQL 5.5
Thanks in advance so much for any help!