Home/ Questions/Q 6884907
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T05:34:05+00:00

For clarification, I am essentially re-writing this question. I have a table, as defined

  • 0

For clarification, I am essentially re-writing this question.

I have a table, as defined below:

CREATE TABLE IF NOT EXISTS `user` (
  `userid` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(255) NOT NULL,
  `email` varchar(255) NOT NULL,
  `status` enum('banned','moderated','user','author','moderator','admin','owner') NOT NULL DEFAULT 'user',
  `password` char(128) NOT NULL,
  `salt` char(128) NOT NULL,
  `description` text,
  PRIMARY KEY (`userid`),
  UNIQUE KEY `email` (`email`),
  UNIQUE KEY `name` (`name`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=4 ;

The table dump — with e-mail field redacted — is:

--
-- Dumping data for table `user`
--

INSERT INTO `user` (`userid`, `name`, `email`, `status`, `password`, `salt`, `description`) VALUES
(1, 'Rilbur Skryler', '', 'owner', '2008dff1d727007691867904af3a96677ec81847ff943470a9596b184ffdb8b0de03e6fa68d9a6cb03170bff78d8d50f703bcec9120727b9eee5dbceeb1bc26e', '5647f4d6165a42a17d1ac6a46f13dc11d4a3d8d4fcd7b16f88f0fecc659bd1a9ddd1cb79002a8b1ab9daf4da549dd2e516806cc4603dd20cbdde175bd5961049', 'Site owner and administrator'),
(2, 'Zacky', '', 'author', 'e7a10ef6b58734093286bb7ebba65b8dd36c1cc18bc59f16a6e05760230f228fbb0464131b6c1e4768e26792e9194f43d78c277eb7ac86775f9b46bbe4d9dde2', 'f42029a7c657e3998443ca1f1043202f8431fba3ec9471e389752e3e83c790d6193292678a5878dd45ba6d7496521bf8ecd6e469455d4c34d95b36495691941a', 'Wacky!'),
(3, 'Roland', '', 'author', 'e7a10ef6b58734093286bb7ebba65b8dd36c1cc18bc59f16a6e05760230f228fbb0464131b6c1e4768e26792e9194f43d78c277eb7ac86775f9b46bbe4d9dde2', 'f42029a7c657e3998443ca1f1043202f8431fba3ec9471e389752e3e83c790d6193292678a5878dd45ba6d7496521bf8ecd6e469455d4c34d95b36495691941a', 'Involuntary addition.');

The actual PHP code (with added comments) is:

$query="select ".db_prefix."user.salt, ".db_prefix."user.password from ".db_prefix."user where ".db_prefix."user.userid=:id";
echo $query.$id;//generates: select user.salt, user.password from user where user.userid=:id
$statement=$db->prepare($query);
$statement->execute(array('id'=>$id));
if($row=$statement->fetch())
{
    $salt=$row[0];//row[0] is filled with a randomized result as shown two lines down
    var_dump($row);
    echo "pre one: $salt\r\n";//I'm outputting the value of the salt, which appears to be randomly generated.
    echo "one";
    $passwordsalt=generateValueFromPasswordAndSalt($password, $salt);//Used to call the routine that generates a value from the combination of a password string and the salt.
    return $passwordsalt==$row[1];//This always returns 'false' because the stored password value never matches the generated value, as a result of the salt being the wrong string.
}

This problem has been driving me batty. The value retrieved for the salt appears to be randomly generated (I say ‘appears’ because I know it shouldn’t be random, I have to be missing something). Various changes, such as reversing the salt and password values in the query or replacing them with a select * resolve the problem. That’s great, but I don’t understand why they solve it, so I don’t trust them. (Plus, I want to learn why it’s happening so I can avoid it in the future)

If it matters, I’m using a PDO database object initialized as follows:

function get_DB()
{
    static $db;
    if(isset ($db))
    {
        return $db;
    }
    else
    {
        try{
        $dsn = "mysql:host=".db_host.";dbname=".db_name;
        $db = new PDO($dsn, updater_login, updater_password);
        return $db;
        }
        catch(PDOException $e)
        {
            //echo $e->getMessage();
            return NULL;
        }
    }
}

Randomly returned salt values include:

9ed1358ccb614ee86f17a3cc964caaad3ab8ede7d705960aac2d5f4448c0f85d0acf581e2225d567789ac2f678b6a6662e4e7a8e55efb0d92be903249c44af7f

6feff9b576ba0b0aa5e3d61996e723ddc4bdc3e7777469409b4da095aae6fb9a6df84fdaa96029a27e07714c670d18c2b8707453e515a3632383b6b03925b04b

60fdc33fa77029f4627c39558417b1bb492a02d8cd56571b3091aff2123ee5545c5717a6a7c0553c7c659864e947f28c65627f3d288c51ef6c9b6de3f5175417

PHP output:

Run One:

select user.salt, user.password from user where user.userid=:id1<pre class='xdebug-var-dump' dir='ltr'>
<b>array</b>
  'salt' <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'15316153f3206618917cf7319747eda5871a7b8e942b54dba6f42e8bc491197450285504a37eb825e6aff04871fde52c49e029cf7e3a1d8cb9fe8a0422f4cd03'</font> <i>(length=128)</i>
  0 <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'15316153f3206618917cf7319747eda5871a7b8e942b54dba6f42e8bc491197450285504a37eb825e6aff04871fde52c49e029cf7e3a1d8cb9fe8a0422f4cd03'</font> <i>(length=128)</i>
  'password' <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'a0d2c6b1bf7163f85738627ffbfd5bd343e9bdaf0b98f00f63f020abac398df426d01f1bdcd8a46771af881640a4210b536cc89b7cea91637d7db705e64144cc'</font> <i>(length=128)</i>
  1 <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'a0d2c6b1bf7163f85738627ffbfd5bd343e9bdaf0b98f00f63f020abac398df426d01f1bdcd8a46771af881640a4210b536cc89b7cea91637d7db705e64144cc'</font> <i>(length=128)</i>
</pre>pre one: 15316153f3206618917cf7319747eda5871a7b8e942b54dba6f42e8bc491197450285504a37eb825e6aff04871fde52c49e029cf7e3a1d8cb9fe8a0422f4cd03

one

Run Two:

select user.salt, user.password from user where user.userid=:id1<pre class='xdebug-var-dump' dir='ltr'>
<b>array</b>
  'salt' <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'5647f4d6165a42a17d1ac6a46f13dc11d4a3d8d4fcd7b16f88f0fecc659bd1a9ddd1cb79002a8b1ab9daf4da549dd2e516806cc4603dd20cbdde175bd5961049'</font> <i>(length=128)</i>
  0 <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'5647f4d6165a42a17d1ac6a46f13dc11d4a3d8d4fcd7b16f88f0fecc659bd1a9ddd1cb79002a8b1ab9daf4da549dd2e516806cc4603dd20cbdde175bd5961049'</font> <i>(length=128)</i>
  'password' <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'2008dff1d727007691867904af3a96677ec81847ff943470a9596b184ffdb8b0de03e6fa68d9a6cb03170bff78d8d50f703bcec9120727b9eee5dbceeb1bc26e'</font> <i>(length=128)</i>
  1 <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'2008dff1d727007691867904af3a96677ec81847ff943470a9596b184ffdb8b0de03e6fa68d9a6cb03170bff78d8d50f703bcec9120727b9eee5dbceeb1bc26e'</font> <i>(length=128)</i>
</pre>pre one: 5647f4d6165a42a17d1ac6a46f13dc11d4a3d8d4fcd7b16f88f0fecc659bd1a9ddd1cb79002a8b1ab9daf4da549dd2e516806cc4603dd20cbdde175bd5961049

one

Run Three:

select user.salt, user.password from user where user.userid=:id1<pre class='xdebug-var-dump' dir='ltr'>
<b>array</b>
  'salt' <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'5df34898a394a3476ed96bc16b5b015a776c25912ba5b94427ff09e2331267ad100f7218e636eb50635a459ca5cfa00cee846db889a920c87cb25bddb47888bf'</font> <i>(length=128)</i>
  0 <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'5df34898a394a3476ed96bc16b5b015a776c25912ba5b94427ff09e2331267ad100f7218e636eb50635a459ca5cfa00cee846db889a920c87cb25bddb47888bf'</font> <i>(length=128)</i>
  'password' <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'3f9e5a9a6d387d411439d51744b3bb402c67cba64a36f47d82fe92d583ead1e26752aeeaf42bca12d8ef18a5423d2cab79c985f4fbfce1a6e53532453787419e'</font> <i>(length=128)</i>
  1 <font color='#888a85'>=&gt;</font> <small>string</small> <font color='#cc0000'>'3f9e5a9a6d387d411439d51744b3bb402c67cba64a36f47d82fe92d583ead1e26752aeeaf42bca12d8ef18a5423d2cab79c985f4fbfce1a6e53532453787419e'</font> <i>(length=128)</i>
</pre>pre one: 5df34898a394a3476ed96bc16b5b015a776c25912ba5b94427ff09e2331267ad100f7218e636eb50635a459ca5cfa00cee846db889a920c87cb25bddb47888bf

one
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    EDIT
    Okay, another answer titled “How to ask sane questions”.

    If you encountered a strange behavior and going to ask a question about it, a detailed investigation report is a must.

    There is no point in telling us “I did this, I did that”. You are going to ask US – thus, supply US with the same data you have.

    Post your table structure
    Post the table dump
    Post three logs from three attempts with full debugging info:
    The query
    The results that are “random”.

    Do copy/paste results at whole
    Var_dump output contains variable length – there is none in your current results.

    the word “returned” hinting me that there is something about generateValueFromPasswordAndSalt, an oddly called function….

    • 0