Home/ Questions/Q 8978537
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T19:38:17+00:00

I created a registration and a login script which hash the password with salt

  • 0

I created a registration and a login script which hash the password with salt exactly the same way, however when the user attempts to login using their password, the hashed login password and the one stored in the database differ, it was working a couple of days ago and I haven’t changed anything in the login and registration scripts.

Here is what the stored credentials are

DBEMAIL: jd@gmail.com

DBPASSWORD:
addb18f27b6970082727069aa5853116223c5ab46f46a7b07340757804670aef61311ff0254ec45ea78d9ea6d8afb2cefdf3afd6bd4947f6fc558f46703fac1c

Here is what the User inserted credentials are:

UEMAIL: jd@gmail.com

UPASSWORD: 4123363f30664825356a238fe7a568910315e6f6aa8a57d0264844c641e856ab207200f4c75a532b2ebecdbd062bff31da101d973ab0f83eaefd2323a39a4a88

They are hashed using:

$salt   = "salinger";
$hashed = hash_hmac("sha512", $password, $salt);

The full registration function (it’s messy I know but it works (until now): 

function registerUser($firstname, $surname, $email, $password, $secretQ, $secretA,    $address, $city, $postcode) {
    $flag = array();
    $validEmail = validateEmail($email);
    if (($validEmail) == true) {
         //Do not flag
    } else {
        array_push($flag, 1);
    }
    if ((textOnly("First name", $firstname) == true) || ((textOnly("Surname", $surname)) == true) || ((textOnly("City", $city)) == true)) {
        array_push($flag, 1);
    }
    if ((emptyField($firstname)) || (emptyField($surname)) || (emptyField($email)) || (emptyField($password)) || (emptyField($secretA)) || (emptyField($address)) || (emptyField($city)) || (emptyField($postcode))) {
        array_push($flag, 1);
    }
    if (validPostcode($postcode) == false) {
        array_push($flag, 1);
    }
    if (duplicateEmail($email) == true) {
        array_push($flag, 1);
    }
    if (validatePassword($password) == false) {
        array_push($flag, 1);
    } else {
        $password = validatePassword($password);
    }
    switch ($secretQ) {
        case 1:
            $secretQ = "Your mothers maiden name?";
            break;
        case 2:
            $secretQ = "Name of your first pet?";
            break;
        case 3:
            $secretQ = "The name of your high school?";
            break;
        case 4:
            $secretQ = "Your favourite instrument?";
            break;
    }

    $salt   = "salinger";
    $hashed = hash_hmac("sha512", $password, $salt);

    if (!empty($flag)) {
        echo "There are errors with your registration, go back and ammend it. <br /> <a href=\"register.php\">&lt;&lt; Back</a>";
    } else {
        if ((isset($firstname)) && (isset($surname)) && (isset($email)) && (isset($password)) && (isset($secretQ)) && (isset($secretA)) && (isset($address)) && (isset($city)) && (isset($postcode))) {
            $sql = "INSERT INTO customer (forename, surname, email, password, secretQ, secretA, address_street, address_city, address_postcode, member_type) VALUES ('$firstname', '$surname', '$email', '$hashed', '$secretQ', '$secretA', '$address', '$city', '$postcode', 'User');";
            header("Location: index.php");
        } else {
            array_push($flag, 1);
        }
    }
    $result = mysql_query($sql);
    if (!$result) {
        die(mysql_error());
    }
}

The login function: 

function loginUser($email, $password) {
    if (validateEmail($email) == true) {
        $sql    = "SELECT customerid, forename, email, password, secretA, member_type FROM customer WHERE email = '$email'";

        $result = mysql_query($sql);

        while ($record = mysql_fetch_array($result)) {
            $DBid       = $record['customerid'];
            $DBemail    = $record['email'];
            $DBpassword = $record['password'];
            $DBforename = $record['forename'];
            $DBsecretA  = $record['secretA'];
            $DBmember   = $record['member_type'];
        }

        if (!$result) {
            die(mysql_error());
        }

        $salt   = "salinger";
        $hashed = hash_hmac("sha512", $password, $salt);

        echo "DBEMAIL: $DBemail   DBPASSWORD: $DBpassword <br/>";
        echo "UEMAIL: $email  UPASSWORD: $hashed <br/>";

        if (($email == $DBemail) && ($hashed == $DBpassword)) {
            $match = true;
        } else {
            $match = false;
        }

        if ($match == true) {
            session_start();
            $_SESSION['userid']   = $DBid;
            $_SESSION['Active']   = true;
            $_SESSION['forename'] = $DBforename;
            $_SESSION['type']     = $DBmember;
            header("Location: member.php");
        } else {
            echo "Incorrect credentials.";
        }
    } else {
        echo "Invalid email address!";
    }
return true;
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In registerUser, I’d take a closer look at this:

    ...
if (validatePassword($password) == false) {
    array_push($flag, 1);
} else {
    $password = validatePassword($password);
}
...

    $password will be overwritten, it appears, if it is a valid password. If all the passwords are the same in the database, then it’s likely that $password is being set to true, and that’s the value that’s salted. Depending on how you use validatePassword, you may be able to remove the else-clause, leaving this:

    ...
if (validatePassword($password) == false) {
    array_push($flag, 1);
}
...
    • 0