Home/ Questions/Q 8821815
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T05:56:48+00:00

I have registered a new user and saved the username, password & salt in

  • 0

I have registered a new user and saved the username, password & salt in the DB using the following hashing method:

    if(isset($_POST['register']))
    {
    $password = $_POST['password']

    function sanitize($data)
    {
        $data=trim($data);
        $data=htmlspecialchars($data);
        $data=mysql_real_escape_string($data);
        return $data;
    }

    $password = sanitize($password);

    function createSalt()
    {
        $salt = bin2hex(mcrypt_create_iv(32,MYCRYPT_DEV_URANDOM));
        $hash = hash("sha256", $salt);
        $final = $salt.$hash;
        return $final;
    }

    $hashedPassword = hash("sha256", $password);
    $salt = createSalt();
    $hashedPassword = hash("sha256", $hashedPassword.$salt);

    $query = sprintf("INSERT INTO users(username, password, salt) VALUES('%s','%s','%s')",$username, $hashedPassword, $salt);
}

And Later while trying the login.php, I am entering the same password which I saved during registration and using the below code to check if the entered password is the same as the one in the DB

if(isset($_POST['login']]))
{
            $password = $_POST['password']

    function sanitize($data)
    {
        $data=trim($data);
        $data=htmlspecialchars($data);
        $data=mysql_real_escape_string($data);
        return $data;
    }

    function validateUser()
    {
        session_regenerate_id (); //this is a security measure
        $_SESSION['valid'] = 1;
        $_SESSION['username'] = $username;
    }

    $password = sanitize($password);

    $query = sprintf("SELECT * FROM users WHERE username = '%s'",$username);
    $sql = mysql_query($query);
    $count = mysql_num_rows($sql);

    $row = mysql_fetch_array($sql);

    if($count<1)
    {
        echo $count;
        unset($_POST['login']);
        header("location:login.php");
        exit;
    }

    $hash = hash("sha256", $password);
    $salt = $row['salt'];
    $hash = hash("sha256",$hash.$salt);

    echo $hash."<br />".$row['password']."<br /><br />";

    if($hash != $row['password'])
    {
        unset($_POST['login']);
        header("location:login.php");
        exit;   
    }
    else
    {
        validateUser();
        unset($_POST['login']);
        header("location:index.php");
        exit;   
    }
}

These passwords are not getting matched.
Kindly let me know what’s wrong in this code.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There is nothing wrong with your code.

    the salt value stored in the database is truncated because the varchar value is low increase the varchar value of your salt column to 200-300 something and than try this.. it will run fine.

    I facepalmed when I found out this was screwing the result..

    Dins

    • 0