PHP SHA256 and Salt won't work

Question

I'm trying to create passwords that are sha256 hashed with a $salt variable to it. But for some reason it just won't work. Been working 3 hours on this now, and I'm about to rip my head off. Here is my code:

I'll try again, sorry ;o)

Ok, my script worked fine, untill I tried to add the sha256 to the passwords. I got a file for creating users which is:

$salt = "lollol";  
$password = hash('sha256', $salt.$_POST['password']);  
$sql = ("INSERT INTO members (username, password, name, last_name,company)VALUES('$username', '$password', '$name', '$last_name', '$company')")or die(mysql_error());

if(mysql_query($sql))
    echo "Your accuont has been created.";

It seems like it's correctly added to the Database. I can see that it is getting hashed with some letters and numbers.

But then when I'm trying to login, it just won't.

My code for login.php is:

$sql= "SELECT * FROM members WHERE username='$username' and password='$password'";  
$result=mysql_query($sql);    
$row=mysql_fetch_array($result);  
$username = mysql_real_escape_string($_POST['username']);  
$password = $_POST['password'];  
$salt = "lollol";  
$auth_user = hash('sha256', $salt.$password);  
if($password == $salt.$auth_user){  
    echo "Logged in";  
} else {  
    echo "Not logged in";  
}  

I got the idea of that, I have to encrypt password when I want to log in, but im not sure. I hope that some of you can help me.

Answer 1

It is worth checking that the field length in the database is big enough to store the whole hashed password without truncating it. You will never get a password match when logging in if the stored password is has the end missing.

Answer 2

When trying to login you concatenate the hash with the salt once more

$auth_user = hash('sha256', $salt.$password);
if($password == $salt.$auth_user){ // <-- $salt once more
  echo "Logged in";
} else {
  echo "Not logged in";
}

It should work, if you just remove it

$auth_user = hash('sha256', $salt.$password);
if($password == $auth_user){
  echo "Logged in";
} else {
  echo "Not logged in";
}

Update: Going further

here

$sql= "SELECT * FROM members WHERE username='$username' and password='$password'";

You try to retrieve the row, where the username matches $username and the password matches $password. In the database the passwords are already hashed (and $password seems to be not defined at all), thus this query will never return any row.

$password = hash('sha256', $salt.$_POST['password']);
$username = mysql_real_escape_string($_POST['username']);
$sql= "SELECT * FROM members WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

$result should now contain the only user that matches the given credentials. Its now very easy

if (mysql_num_rows($result) === 1) {
  echo "Logged in";
} else {
  echo "Not logged in";
}

Answer 3

$password = $_POST['password'];

// This should be the users actual salt after you've found the user
// in the database by username or email, or other means
$salt = $users_stored_salt;

// This should be the exact method you use to salt passwords on creation
// Consider creating a functon for it, you must use the same salt
// on creation and on validation
$hashed_password = hash('sha256', $salt.$password.$salt);

// This is the user's hashed password, as stored in the database
$stored_password = $users_stored_password;

// We compare the two strings, as they should be the same if given the
// same input and hashed the same way
if ($stored_password === $hashed_password){
    echo "Logged in";
} else {
    echo "Not logged in";
}

Missed your edit, but hope this helps.

EDIT: I see you aren't storing unique hashes.

If you are looking up the user by password, you need to hash the password in your query the same way it was stored:

$salt = $your_salt;

$hashed_password = hash('sha256', $salt.$_POST['password']);

$sql= "SELECT * FROM members WHERE username='$username' and password='$hashed_password'";  

Otherwise, you could look up by unique username (not by password) and just compare the hashed input to the value of the stored password.

I'm very confused right now. How should my login_ac.php look like, if I should make it with the code I gave you in the top?

Just change the query to lookup by hashed password (the way you stored it).

$sql= "SELECT * FROM members WHERE username='$username' and password='".hash('sha256', $salt.$_POST['password'])."'";  

You can remove the other validation and hashing - if you found the user then you know the input is valid.

Note that this only works when you know the way you're hashing the input is the exact same way you hashed the password upon creation.

Answer 4

You're storing an encrypted password, but your select query is looking for the unencrypted password.

Just get the matching username (without a password condition) - usernames are unique, right?:

$sql= "SELECT * FROM members WHERE username='$username'";  
$result=mysql_query($sql);    
$row=mysql_fetch_array($result);  
$username = mysql_real_escape_string($_POST['username']);  
$password = $_POST['password'];  
$salt = "lollol";  
$auth_user = hash('sha256', $salt.$password);  
if($row["password"] == $auth_user){  
    echo "Logged in";  
} else {  
    echo "Not logged in";  
}