PHP, MySQL - My own version of SALT (I call salty) - Login Issue


OK, I wrote my own version of salt called salty, lol, don't make fun of me.. anyway, the registration part of the script follows and is working 100% correctly.

    //generate salty, my own version of salt, like me salt.. lol
    function rand_string( $length ) {
        $chars = "abcdefghijklmnopqrstuwxyzabcdefghijklmnopqrstuwxyz1234567890";
        $size = strlen( $chars );
        $str = '';
        for( $i = 0; $i < $length; $i++ ) {
            $str .= $chars[ rand( 0, $size - 1 ) ];
        }
        return $str;
    }

    $salty = rand_string( 256 );

    //generate salty pw
    $password = crypt('password');
    $hash = $password . $salty;
    $newpass = $hash;

    //insert data in database
    include ('../../scripts/dbconnect.php');

    //update db record with salty pw ;)
    // tested, without salty
    //hence $password, not $newpass
    mysql_query("update `register` set `password` = '$password' where `emailinput` = '$email'");
    mysql_close($connect);

However, the login script is failing. I have set up a test to echo whether the login worked or not, and it returns failed. I entered the db and changed the crypted salty pw to "test", and got success. So the problem is somewhere in the login script, I assume. Not sure how to implement $salty in this. I was advised to do it without salty (just using crypt to store the pass), and I am still unable to perform the login successfully. And if you're gonna suggest I use blowfish, note that my webhost doesn't have it supported, and I don't know how to install it.

here's login script:

    if (isset($_POST['formsubmitted']))
    {
        include ('../../scripts/dbconnect.php');

        $username = mysql_real_escape_string($_POST['username']);
        $password = crypt(mysql_real_escape_string($_POST['password']));

        $qry = "select id from register where emailinput='$username' and password='$password'";

        $result = mysql_query($qry);

        if(mysql_num_rows($result) > 0)
        {
            echo 'success';
            //start session
        }
        else
        {
            echo 'failed';
            //you are not logged in
        }
    }

  1. So what's wrong with the login? Why isn't it working using crypt / storing crypt?

  2. How can I make it work storing both crypt and the randomly generated salty :) ?

ty in advance

I would make the following tweaks to the code:

    function rand_string( $length ) {
        // added period and slash to the alphabet
        $chars = "abcdefghijklmnopqrstuwxyzabcdefghijklmnopqrstuwxyz1234567890./";
        $size = strlen( $chars );
        $str = '';
        for( $i = 0; $i < $length; $i++ ) {
            $str .= $chars[ rand( 0, $size - 1 ) ];
        }
        return $str;
    }

    // need 22 random characters
    $salty = rand_string(22);
    // apply blowfish with cost := 13
    $newpass = crypt($password, sprintf('$2y$%02d$%s', 13, $salty));

This uses blowfish to hash the password; it takes about 0.5s to complete at strength 13, and depending on your situation you may want to lessen it; the cost can be changed for newer passwords.

The salt is stored with the password btw, so there's no need to have a column for that.

To verify the password from the database you have to first load the password field from the respective register row.

    if (crypt($_POST['password'], $password_from_db) === $password_from_db) {
        // success
    } else {
        // password didn't match
    }

Btw, the comparison function should be turned into a constant-time algorithm to prevent timing attacks.


Your salty() function can be replaced with the following equivalent to produce 22 char long salts:

    substr(strtr(base64_encode(openssl_random_pseudo_bytes(18)), '+', '.'), 0, 22);

see also: https://wiki.php.net/rfc/password_hash
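The flow the answer describes, carried end to end as an added example (this is not code from the question or the answer): a CSPRNG-generated 22-character bcrypt salt, a single stored hash that embeds its own salt, a login that selects the row by e-mail only and then re-runs crypt() against the stored hash, and a constant-time comparison. It assumes a PHP build where crypt() supports $2y$ (5.3.7 or later) and where PDO's SQLite driver is available, and it runs against an in-memory SQLite table named after the question's `register` table and `emailinput`/`password` columns; the cost is lowered to 10 so the demo finishes quickly.

```php
<?php
// Added example: bcrypt registration/login flow with the salt embedded in
// the stored hash. Table and column names follow the question; the in-memory
// SQLite database and the sample user are constructed for this demo.

// A 22-character bcrypt salt from the ./A-Za-z0-9 alphabet, drawn from a
// CSPRNG (rand() as used in the question is not one).
function make_bcrypt_salt() {
    $bytes = function_exists('random_bytes')
        ? random_bytes(18)                   // PHP 7+
        : openssl_random_pseudo_bytes(18);   // older PHP
    return substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
}

// bcrypt ($2y$) at the given cost. The 60-character result carries the
// algorithm id, cost and salt, so one column holds everything needed later.
function hash_password($plain, $cost = 13) {
    $setting = sprintf('$2y$%02d$%s', $cost, make_bcrypt_salt());
    $hash = crypt($plain, $setting);
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return $hash;
}

// Constant-time comparison. hash_equals() exists from PHP 5.6; the loop is a
// fallback for older hosts such as the one described in the question.
function same_hash($known, $user) {
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Hash the candidate using the stored hash as the setting string: crypt()
// reads the cost and salt back out of it, so a correct password reproduces
// the stored hash exactly.
function verify_password($plain, $stored_hash) {
    return same_hash($stored_hash, crypt($plain, $stored_hash));
}

// Login: look the row up by e-mail only, then verify in PHP. Comparing in SQL
// (WHERE password = crypt(...)) cannot work, because crypt() without a salt
// picks a new random salt on every call and never matches the stored value.
function login(PDO $db, $email, $plain) {
    $sel = $db->prepare('SELECT password FROM register WHERE emailinput = :email');
    $sel->execute(array(':email' => $email));
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return verify_password($plain, $row['password']);
}

// --- demo against a constructed in-memory table -------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE register (id INTEGER PRIMARY KEY, emailinput TEXT UNIQUE, password TEXT)');

// Registration: only the bcrypt hash is stored; no separate salt column.
$ins = $db->prepare('INSERT INTO register (emailinput, password) VALUES (:email, :hash)');
$ins->execute(array(':email' => 'alice@example.com', ':hash' => hash_password('correct horse', 10)));

var_dump(login($db, 'alice@example.com', 'correct horse'));
var_dump(login($db, 'alice@example.com', 'wrong'));
var_dump(login($db, 'nobody@example.com', 'correct horse'));

// A fresh salt is generated per call, so two hashes of one password differ
// while both still verify.
$h1 = hash_password('pw', 10);
$h2 = hash_password('pw', 10);
var_dump($h1 === $h2, verify_password('pw', $h1), verify_password('pw', $h2));
```

The first login call is the only one that should report true. The password is never compared in SQL and never passed through mysql_real_escape_string() before hashing, since escaping changes the bytes that get hashed; with prepared statements the e-mail value needs no manual escaping either. Raising the cost back to 13 for real deployments is a one-line change, and because the cost is recorded inside each stored hash, old and new costs can coexist in the same column.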

