I am just begining to learn php and have decided to put my self up to the challenge of coding a register and login script.
I am unsure of how to continue. Now, before you go searching through my code... Please don't be the guy that goes on a ramble about sql injection and bobby tables. I understand it, yet am not currently looking at it.
Anyways, I encrypted the password with whirlpool and a salt. Currently the salt is static, not sure how to implement one with the Time() function and not defeating the purpose by locating it in the database. The issue I am trying to solve is how to check if the user inputted a username and password that matches the username and HASHED password.
Here is my current code, I am assuming the most important pieces will be in the login.php file.
<?php
//connect.php
$connection = mysql_connect("localhost","root","") or die("Couldn't connect to database");
mysql_select_db("test", $connection);
?>
<?php
//index.php
include 'connect.php';
define('salt','7hPqMO(m=F+!!L6(#Yhp-CdF, &Q}+cIrA;c@wcP(E--V<qRmq!v*aSnM;H=4cD0');
if(isset($_POST['username']) && isset($_POST['fullname']) && isset($_POST['email']) && isset($_POST['password'])) {
$username = mysql_real_escape_string($_POST['username']);
$fullname = mysql_real_escape_string($_POST['fullname']);
$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);
$encryptedPassword = hash( 'whirlpool',salt.$password );
$sql="INSERT INTO `users` (username, fullname, email, password)
VALUES
('$username', '$fullname','$email','$encryptedPassword')";
if(!mysql_query($sql,$connection)) {
die('Error: ' . mysql_error());
} else {
mysql_close($connection);
header('Location: login.php?redirectedFromRegister=1');
}
}
?>
<html>
<body>
<form action="index.php" method="post">
<h1>REGISTER</h1><hr/>
Email: <input type="text" name="email"/><br/>
Full Name:<input type="text" name="fullname"/><br/>
Username: <input type="text" name="username"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" value="REGISTER"/>
</form>
</body>
</html>
<?php
//login.php
include 'connect.php';
if(isset($_GET['redirectedFromRegister'])==1) {
echo 'Thank you for registering, you may now login';
} else {
echo '<h1>LOGIN</h1>';
}
?>
<html>
<body>
<form action="index.php" method="post">
Username: <input type="text" name="username"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" value="LOGIN"/>
</form>
</body>
</html>
Really this question is probably simple, but I thought I would include my current code so people can learn something of it.
How do you decrypt a hashed password given the salt or whatever. Like I've said, I am not sure how it's done.
My database information, if you didn't see it in the connect.php file is:
Database : Localhost
Username : Root
Password : ""
Table : users
Table layout :
------------------------------------------------------------------
| Id | Username | Password | Email | Fullname |
------------------------------------------------------------------
| 1 |BobbyTables | HASHED_PASS|[email protected] | Max Mastalerz |
| 2 | SteveJo | HASHED_PASS|[email protected]| Steve Jobs |
| 3 | MarkZuck | HASHES_PASS|[email protected] | Mark Zuckerberg|
------------------------------------------------------------------
The codes are also easily available as a pastebin here:
Connect.php : http://pastebin.com/8ft12kG5
Index.php : http://pastebin.com/TqrJhzdu
login.php : http://pastebin.com/9fR3HJhe
The general idea of salted hashes is that you generate a per-user salt, append it to the password and store the salt along with the salted+hashed password in the database.
When the user logs in you lookup the salt for their username, append it to the password that they input, hash that together and compare it with the hash stored in the database.
If you really, really insist on having a single salt for all users you can just append your global salt to the password that the user input and compare that with the hash that you've stored.