Home/ Questions/Q 928643
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T20:02:37+00:00

I have been developing a login library for a website using CodeIgniter. The authentication

  • 0

I have been developing a login library for a website using CodeIgniter. The authentication code is as follows:

function signin($username, $password)
{
    $CI =& get_instance();
    $query_auth=$this->db->query('SELECT user_id, banned FROM user WHERE username=? AND password=SHA1(CONCAT(?,salt)) LIMIT 1', array($username, $password));

    if($query_auth->num_rows()!=1)
        return 2;
    else
    {
        if($query_init->row()->banned==1)
            return 3;
        else
        {
            $CI->load->library('session');
            $this->session->set_userdata('gauid', $query_auth->row()->user_id);
            return 1;
        }
    }
}

The return values signifying success, failure or banned. Each user has a unique salt stored in the database.

Originally i grabbed the salt from the database, combined the users inputted password and salt from the database in PHP, then queried the database again with the combined value. I thought that this would speed things up as only one trip to the database is required and there is less code. I also thought that it would be equally secure, however after reading the top reponse to this question
Salting my hashes with PHP and MySQL

First of all, your DBMS (MySQL) does
not need to have any support for
cryptographic hashes. You can do all
of that on the PHP side, and that’s
also what you should do.

…I started to wonder if there was a security problem i had neglected to spot.

Is there actually anything wrong this code?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Not anything wrong per se. Keep in mind any traffic carrying the unencrypted/unhashed password is suspect. So, for instance, when the server is a remote one, and not working with encryption in communicating with that server, it is yet another moment to try to intercept a password. Also, if queries are logged somewhere (either by default, or because they’re slow), you have a plain password + the salt you’re using sitting in those serverlogs, after all the trouble you went through NOT to store a plaintext password somewhere. If you did it privately in your own code, that wouldn’t happen.

    It all depends on how paranoid you like to be. There are far easier to abuse and often forgotten evils, like session-fixation.

    • 0