Sarah Phil

Reputation: 263

Changing password problems in PHP

I am implementing a password change function in my Android application and I coded the password hashing in my PHP file. Users are able to change the password and the password is stored in the database. When I try to log in with the email and the new password, it tells me the password is incorrect. Where did I go wrong in my PHP file?

This is my php file code:

<?php

// array for JSON response
$response = array();

function hashSSHA($newpassword) {
    $salt = mhash('sha512', rand());
    $salt = substr($salt, 0, 15);
    $encrypted = hash('sha512', $newpassword . $salt, true) . $salt;
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}

// check for required fields
if (isset($_POST['email']) && isset($_POST['newpassword'])) {
    $email = $_POST['email'];
    $newpassword = $_POST['newpassword'];

    // include db connect class
    require_once __DIR__ . '/db_connect.php';

    // connecting to db
    $db = new DB_CONNECT();

    // TESTING HERE FOR STORING NEW PASSWORD INTO DATABASE
    $hash = hashSSHA($newpassword);
    $encrypted_password = $hash["encrypted"]; // encrypted password
    $salt = $hash["salt"]; // salt

    $result = mysql_query("UPDATE users SET encrypted_password = '$encrypted_password', salt = '$salt' WHERE email = '$email'");

    // check if row inserted or not
    if ($result) {
        // successfully updated
        $response["success"] = 1;
        $response["message"] = "Password successfully changed";

        // echoing JSON response
        echo json_encode($response);
    } else {
        $response["success"] = 0;
        $response["message"] = "Password change failed";
        echo json_encode($response);
    }
} else {
    // required field is missing
    $response["success"] = 0;
    $response["message"] = "Required field(s) is missing";

    // echoing JSON response
    echo json_encode($response);
}
?>

EDIT: This is my decrypt function

// DECRYPTING user currentpassword
function checkhashSSHA($salt, $currentpassword) {
    $hash = hash('sha512', $currentpassword . $salt, true) . $salt;
    return $hash;
}

Upvotes: 0

Views: 305

Answers (1)

martinstoeckli

Reputation: 24101

There are quite a lot of problems in your code.

First of all, SHA512 is not a good choice to hash passwords, because it is too fast. Bcrypt was designed especially to hash passwords, and is therefore slow (needs computing time). It's recommended to use a well-established library like phpass, and if you want to understand how to implement it, you can read this article, where I tried to explain the most important points.

1) The first problem in your code probably is, that mhash() produces binary output for your salt. I don't know why you append it to your password-hash (that's not the way a salt should be applied), but the variable $encrypted will contain binary data afterwards.

2) This leads to the second problem, you insert the variable into your update statement. Inserting binary data into the sql will lead to an invalid statement. You should always escape data, before you add it to an sql statement, in your case use mysql_escape_string().

3) The next problem is, that the mysql_* functions are deprecated, instead use mysqli or PDO for database access.

4) Another problem we have already encountered in problem 2 is, that without escaping your data, you are vulnerable to SQL-Injection attacks. Imagine what somebody can do with this user input...

WHERE email = 'abc' OR email <> ''

...he could reset the password for all users at once!

That said, I really advise that you reconsider using Bcrypt.

Upvotes: 1
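
The points raised in the answer above (Bcrypt instead of SHA512, PDO instead of mysql_*, no user input inside the SQL text), shown as an added example that is not code from the question or the answer. It assumes PHP 5.5+ with the pdo_sqlite extension; the in-memory database, the `password_hash` column, the function names `changePassword` and `checkLogin`, and the sample users are all constructed for illustration.

```php
<?php
// Added example. The users table and email column follow the question; the
// password_hash column and the SQLite in-memory database are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

function changePassword(PDO $pdo, string $email, string $newPassword): bool {
    // password_hash() generates the salt itself and returns a printable string
    // that embeds algorithm, cost and salt, so nothing binary reaches the query
    // and no separate salt column is needed.
    $hash = password_hash($newPassword, PASSWORD_BCRYPT, ['cost' => 12]);
    // Bound parameters are sent as data, never parsed as part of the statement.
    $stmt = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE email = :email');
    $stmt->execute([':hash' => $hash, ':email' => $email]);
    return $stmt->rowCount() === 1;
}

function checkLogin(PDO $pdo, string $email, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $stored = $stmt->fetchColumn();
    // password_verify() reads the salt and cost back out of the stored hash.
    return $stored !== false && password_verify($password, $stored);
}

// Constructed sample users.
$insert = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
foreach (['alice@example.com', 'bob@example.com'] as $email) {
    $insert->execute([$email, password_hash('old-password', PASSWORD_BCRYPT)]);
}

// Change one user's password, then log in with the new one.
var_dump(changePassword($pdo, 'alice@example.com', 'new-password'));
var_dump(checkLogin($pdo, 'alice@example.com', 'new-password'));

// The email value from the answer's WHERE example is compared as a literal
// string here, so it matches no row and the other account keeps its password.
var_dump(changePassword($pdo, "abc' OR email <> '", 'attacker-chosen'));
var_dump(checkLogin($pdo, 'bob@example.com', 'old-password'));
```

The login side must call `password_verify()` against the stored string rather than re-hashing and comparing, because each call to `password_hash()` produces a different salt.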
