Reputation: 1017
I have been messing around with password encryption in PHP and at first I was using the MD5 function to save the passwords in a database, but I ran into trouble logging in. I then tried the hash function and again I had trouble logging in.
The way I was attempting to do this was to have the password encrypted when the account is made, and then every time someone logs in, the password is encrypted again using the same method and then this checks the database to see if the encrypted passwords match. I can create an account fine and it seems that whenever I create an account with the same password, the hashes are the same so I am assuming that they don't change each time (I have little knowledge on encryption and hashes).
This is my current new user creation snippet:
<?php
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "NewUser")) {
    // Store the unsalted SHA-512 hex digest of the submitted password
    $insertSQL = sprintf("INSERT INTO users (username, password, name) VALUES (%s, %s, %s)",
        GetSQLValueString($_POST['username'], "text"),
        GetSQLValueString(hash("sha512", $_POST['password']), "text"),
        GetSQLValueString($_POST['name'], "text"));
    mysql_select_db($database_ReallyGoodPieConnection, $ReallyGoodPieConnection);
    $Result1 = mysql_query($insertSQL, $ReallyGoodPieConnection) or die(mysql_error());
}
?>
And this is my login snippet:
if (isset($_POST['username'])) {
    $loginUsername = $_POST['username'];
    $password = $_POST['password'];
    // Recompute the same unsalted SHA-512 hex digest used at account creation
    $password = hash("sha512", $password);
    print $password; // debug output
    $MM_fldUserAuthorization = "permissions";
    $MM_redirectLoginSuccess = "index.php";
    $MM_redirectLoginFailed = "login.php";
    $MM_redirecttoReferrer = true;
    mysql_select_db($database_ReallyGoodPieConnection, $ReallyGoodPieConnection);
    $LoginRS__query = sprintf("SELECT username, password FROM users WHERE username=%s AND password=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
}
Can anyone help me understand why the actual login is failing? I am using the exact same password for creation and login (obviously) and the same encryption methods. This is really confusing me.
Upvotes: 0
Views: 590
Reputation: 8431
You might want to take a look at this. Instead of using sprintf(), try to use:
$insertSQL = "INSERT INTO users (username, password, name)
    VALUES ('".GetSQLValueString($_POST['username'], "text")."',
            '".GetSQLValueString(hash("sha512", $_POST['password']), "text")."',
            '".GetSQLValueString($_POST['name'], "text")."')";
Now check if you have successfully inserted the values.
I strongly suggest that you use mysqli_* or PDO.
Upvotes: 0
Reputation: 416
First, as I commented on your question, Secure hash and salt for PHP passwords has a lot of relevant information.
To extract some kind of "start here and do this":
It is very easy to use PHPass, and there is a simple and easy-to-follow tutorial here.
Upvotes: 2
Reputation: 5910
"I can create an account fine and it seems that whenever I create an account with the same password, the hashes are the same so I am assuming that they don't change each time"
Of course it has to be like that. It would be a bad thing if the encrypted hash for the same string changed every time, wouldn't it? :)
Users wouldn't be able to use their password more than once then. It's completely okay.
Also consider salting your password. That means: generate a random hash and store it in your database with the user.
When logging in, you not only check against the password hash, but also against the salt.
That'll improve security a lot more.
Upvotes: 2
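As an added example (not code from the asker or any of the answers), here is the create-account and login flow from the question rewritten with PHP's built-in password_hash()/password_verify(), which apply the per-password salt the last answer recommends, and with PDO prepared statements in place of mysql_*. It assumes the pdo_sqlite extension is available; the in-memory SQLite table is a constructed stand-in for the question's MySQL users table.

```php
<?php
// Added example: salted password storage and verification with PDO.
// Assumes pdo_sqlite; the in-memory table stands in for the MySQL "users" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, name TEXT)');

function createUser(PDO $pdo, string $username, string $password, string $name): void
{
    // password_hash() generates a fresh random salt on every call and embeds it
    // (with the algorithm and cost) in the returned string, so two accounts with
    // the same password get different stored values.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password, name) VALUES (?, ?, ?)');
    $stmt->execute([$username, $hash, $name]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Look up by username only. The hash cannot go in the WHERE clause because
    // it cannot be recomputed without the salt stored in the row.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    // password_verify() reads the salt and cost out of the stored string,
    // re-hashes the submitted password and compares in constant time.
    return password_verify($password, $row['password']);
}

// Constructed sample accounts: two users sharing one password.
createUser($pdo, 'alice', 'correct horse', 'Alice');
createUser($pdo, 'bob',   'correct horse', 'Bob');

$a = $pdo->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
$b = $pdo->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
var_dump($a !== $b);                                // bool(true): same password, different salts
var_dump(login($pdo, 'alice', 'correct horse'));    // bool(true)
var_dump(login($pdo, 'alice', 'wrong password'));   // bool(false)
var_dump(login($pdo, 'nobody', 'correct horse'));   // bool(false)
```

The stored strings differ even for identical passwords, which is exactly the behaviour the asker observed the absence of with a plain hash("sha512", ...); the login still succeeds because the salt travels inside the stored hash rather than in the query.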