problem with passwords using sha256

Question

I am playing around with password encryptions and i am having some trouble when I write the password into database and when I ry to log in to the page.

When I insert the password:

$pword = "huuhaa";
$uname = "huuhaa";

$pword = hash('sha256' ,'$pword');
    $insuser="INSERT INTO words(username,password) VALUES('$uname','$pword') ";

$insresult=mysql_query($insuser);

In the log in:

$myusername= 'huuhaa';

$mypassword = 'huuhaa';


$mypasswordCRYPTED = hash('sha256' ,'$mypassword');


$sql="SELECT userid FROM words WHERE username='$myusername' and password='$mypasswordCRYPTED'";

LOG IN:

the value in database is different from the value in login eg. $pword in database: e5f252f... And in log in: $mypasswordCRYPTED = as89dw....

Would someone please explain this to me?

Thank you

Answer 1

You are hashing the string '$mypassword', try changing it to $mypassword and changing '$pword' to $pword.

Answer 2

change

$pword = hash('sha256' ,'$pword');

to

$pword = hash('sha256' ,$pword);

because that first one recognizes your password as $pword

and the same thing with second variable

$mypasswordCRYPTED = hash('sha256' ,'$mypassword');

to

$mypasswordCRYPTED = hash('sha256' ,$mypassword);

Answer 3

Don't you want:

$pword = hash('sha256', $pword);

and

$mypasswordCRYPTED = hash('sha256', $mypassword);

i.e. the variable rather than the string '$pword'? It would have worked with "$pword" using double quotes to get PHP to perform string interpolation, but it's a lot clearer just to use the variable itself as the function argument.

So basically you were comparing the hashes of the string '$pword' and '$mypassword' - which unsurprisingly aren't the same :)