This is my 2nd edit on this. I’ve been banging my head against the wall for a few days now and feel like I am very close. I’ve tried many different versions of this third code chunk and just can’t get it. Any idea of what I’m doing wrong? (It’s the third code chunk that is changed.)
if(!$error) {
    $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
    $rand = str_shuffle($alpha);
    $salt = substr($rand,0,40);
    $hashed_password = sha1($salt . $_POST['Password']);
    $query = "INSERT INTO `Users` (
        `FirstName`,
        `LastName`,
        `Email`,
        `Password`,
        `salt`,
        `RelationshipToCF`,
        `State`,
        `Gender`,
        `Birthday`,
        `Status`
    )VALUES(
        '" . mysql_real_escape_string($_POST['firstName']) . "',
        '" . mysql_real_escape_string($_POST['lastName']) . "',
        '" . mysql_real_escape_string($_POST['email']) . "',
        '" . $hashed_password . "',
        '" . $salt . "',
        '" . mysql_real_escape_string($_POST['RelationToCF']) . "',
        '" . mysql_real_escape_string($_POST['State']) . "',
        '" . mysql_real_escape_string($_POST['sex']) . "',
        '" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "',
        'pending'
    )";
    mysql_query($query, $connection);
}
Here is the method I am using to update existing passwords:
$query = "SELECT * FROM `Users`";
$request = mysql_query($query,$connection);
while($result = mysql_fetch_array($request)) {
    $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890";
    $rand = str_shuffle($alpha);
    $salt = substr($rand,0,40);
    $hashed_password = sha1($salt . $result['Password']);
    $user = $result['id'];
    $query2 = "UPDATE `Users` SET `salt` = '$salt' WHERE `id` = '$user'";
    $request2 = mysql_query($query2,$connection) or die(mysql_error());
    $query3 = "UPDATE `Users` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'";
    $request3 = mysql_query($query3,$connection) or die(mysql_error());
}
So now I want to allow the user to sign in with the password they signed up with and at this point they can only sign in with the hashed password. Obviously this has not been applied to the real database quite yet.
Here is the query on the sign in pages that I am going to need to alter:
if(isset($_POST['subSignIn']) &&
   !empty($_POST['email']) &&
   !empty($_POST['password'])) {
    $email = mysql_real_escape_string($_POST['email']);
    $password = mysql_real_escape_string($_POST['password']);
    $query = "SELECT
        `id`,`email`,`password` FROM `Users`
        WHERE `Email` = '" . $email . "' AND
        `Password` = '" . $password . "' &&
        `Status` = 'active' LIMIT 1";
    $request = mysql_query($query,$connection) or die(mysql_error());
    if(@mysql_num_rows($request)) {
        $result = mysql_fetch_array($request);
        $_SESSION['LIFE']['AUTH'] = true;
        $_SESSION['LIFE']['ID'] = $result['id'];
        $query = "UPDATE `Users` SET `LastActivity` = '" . date("Y-m-d") ." " . date("g:i:s") . "' WHERE `id` ='" .mysql_real_escape_string($_SESSION['LIFE']['ID']) . "' LIMIT 1";
        mysql_query($query,$connection);
        if(!empty($_POST['return'])) {
            header("Location: " . $_POST['return']);
        }else{
            header("Location: Dashboard.php?id=" . $_SESSION['LIFE']['ID']);
        }
    }else{
        $_SESSION['LIFE']['AUTH'] = false;
        $_SESSION['LIFE']['ID'] = false;
    }
}
I have been scouring the webernet for methods but figured I would take advantage of all the great minds on here and fish for a suggestion/method/tutorial/point in the right direction
<==My attempt after the original 5 answers==>
if(isset($_POST['subSignIn']) && !empty($_POST['email']) && !empty($_POST['password'])) {
    $query = "SELECT id FROM cysticUsers WHERE Email = '$email' AND Password = SHA1(CONCAT(salt,'$password')) AND Status = 'active' LIMIT 1";
    $request = mysql_query($query,$connection) or die(mysql_error());
    if(@mysql_num_rows($request)) {
        $row = mysql_fetch_assoc($request);
        if (sha1($row['salt'] . $_POST['password']) === $row['password']) {
            $_SESSION['CLIFE']['AUTH'] = true;
            $_SESSION['CLIFE']['ID'] = $result['id'];
            // UPDATE LAST ACTIVITY FOR USER
            $query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1";
            mysql_query($query,$connection);
            if(!empty($_POST['return'])) {
                header("Location: " . $_POST['return']);
            }else{
                header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']);
            }
        }
    }else{
        $_SESSION['CLIFE']['AUTH'] = false;
        $_SESSION['CLIFE']['ID'] = false;
    }
}
?>
It looks as if you are not actually using the user's password when they make an account.
In the first block of code:
should be something like:
I think you are storing the hashed salt only, basically enabling a login with any empty password!
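
The sign-in check for the salted scheme discussed on this page, as an added example that is not part of the question or the answer: the row is selected by e-mail alone, and sha1(salt . password) is recomputed in PHP from the stored salt and compared with the stored hash. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL Users table, the function names register and signIn are hypothetical, random_bytes replaces str_shuffle for the salt, and the sample users are constructed.

```php
<?php
// Constructed demo database: in-memory SQLite standing in for the MySQL `Users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Users (id INTEGER PRIMARY KEY, Email TEXT UNIQUE,
           Password TEXT, salt TEXT, Status TEXT)");

// Sign-up side (hypothetical helper): store the salt and sha1(salt . password).
function register(PDO $db, string $email, string $password, string $status): void {
    $salt = bin2hex(random_bytes(20));   // 40 hex characters from a CSPRNG
    $stmt = $db->prepare(
        "INSERT INTO Users (Email, Password, salt, Status) VALUES (?, ?, ?, ?)");
    $stmt->execute([$email, sha1($salt . $password), $salt, $status]);
}

// Sign-in side (hypothetical helper): returns the user id, or null on failure.
function signIn(PDO $db, string $email, string $password): ?int {
    // The password is not part of the WHERE clause: the salt has to be read first.
    $stmt = $db->prepare(
        "SELECT id, Password, salt FROM Users
         WHERE Email = ? AND Status = 'active' LIMIT 1");
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                     // unknown e-mail or account not active
    }
    // Same construction as at sign-up, using this user's stored salt.
    $candidate = sha1($row['salt'] . $password);
    // hash_equals compares the two hex strings in constant time.
    return hash_equals($row['Password'], $candidate) ? (int) $row['id'] : null;
}

// Constructed sample users.
register($db, 'alice@example.com', 'correct horse', 'active');
register($db, 'bob@example.com', 'hunter2', 'pending');

var_dump(signIn($db, 'alice@example.com', 'correct horse')); // right password
var_dump(signIn($db, 'alice@example.com', ''));              // empty password
var_dump(signIn($db, 'alice@example.com', 'wrong'));         // wrong password
var_dump(signIn($db, 'bob@example.com', 'hunter2'));         // account still pending
```

On PHP 5.5 and later, password_hash() and password_verify() generate and check a salted, deliberately slow hash and replace the manual salt column and SHA-1.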