Reputation: 4402
How to validate password hash using a custom sh1 encryption and a custom salt in Yii 2.0?
Below is my account credentials.
id username password salt status
1 test qepoihadfnkdsgbkajb1358139jbdf 35asf24s 1
Below is my sql query what I would like to execute.
$sql = "SELECT * FROM user WHERE username = :username AND password = 'SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1(':password')))))' AND status = :status";
Below is my code snippet to retrieve the user record.
$this->_user = User::findBySql($sql, [
':username' => $this->username,
':password' => $this->password,
':status' => 1,
])->one();
The above code returns null. It seems like it cannot encrypt the entered password to compare with the password hash. Thus, I have tried the following code.
$this->_user = User::find()->where("username = :username AND (password = 'SHA1(CONCAT(salt, SHA1(CONCAT(salt, SHA1(':password')))))' OR password = '" . md5(":password") . "') AND status = :status")
->addParams([
':username' => $this->username,
':password' => $this->password,
':status' => 1,
])->one();
This also returns null as result. How can I encrypt the entered password using custom salt to compare with the password hash and return the record? Even I am working with Yii 2 but I do not want to use Yii manner to log the user in because of some technical requirements.
Upvotes: 2
Views: 682
Answers (2)
Reputation: 24131
This is the wrong way to check a password. It is not possible to verify a password inside an SQL statement, because of the salt which is hopefully applied. Also it is unsecure to use SHA-1 to store passwords, because this algorithm is ways too fast and can be brute-forced easily.
Instead you can do a query with only the username. If a row could be found, you can read and verify the password hash:
$sql = "SELECT * FROM user WHERE username = :username AND status = :status";
The Yii framework offers helper functions to generate and verify password hashes. This documentation may get you started. An alternative is to call the PHP functions password_hash() and password_verify() directly.
Upvotes: 0
Reputation: 2012
Don't use findBySql if you don't have specific reason. You loose abstractions.
'" . md5(":password") . "' is also bad and wrong: you hashed not sql request, but string :password.
Look this code:
$query = User::find()->where('password_hash = SHA1(:password)', [
':password' => 'password'
]);
$sql = $query->createCommand()->getRawSql();
$user = $query->one();
Use getRawSql for debug your request. You always can see what sended to sql server.
Upvotes: 1
Related Questions
- Secure hash and salt for PHP passwords
- Salt and hash a password in Python
- How can I hash a password in Java?
- Best Practices: Salting & peppering passwords?
- SHA1 vs md5 vs SHA256: which to use for a PHP login?
- How to salt and hash a password value using c#?
- Is "double hashing" a password less secure than just hashing it once?
- How Yii 2 get and use salt and cost to verify the password hash during the login process?
- How does password salt increase security
- Pitfalls of encrypting (with salt) of a md5-hashed-password (php)