Home/ Questions/Q 6551689
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T12:22:07+00:00

This is my hash code for checking passwords, hashing.php <?php //compare password with hashed

  • 0

This is my hash code for checking passwords, hashing.php

<?php
        //compare password with hashed one
        public static function check_password($hash,$password) {
            $full_salt=substr($hash,0,29);

            $new_hash=crypt($password,$full_salt);

            return ($hash==$new_hash);
        }
?>

This is login.php

<?php
   require("scripts/hashing.php");              
   $password=$_POST['txtPassword'];

   //checking in database if password exists or not
   $checkPassword=mysql_query("SELECT * from $tbl_name WHERE Password='".$password."'"); 

   $resultPassword=mysql_fetch_array($checkPassword);

   if(!hashing::check_password($resultPassword['Password'],$password)) {
    //back to login
   }
?>

The problem is that, even when users input wrong password, it is allowing the users to login.

EDIT

<?php
    class hashing {

        //blowfish
        private static $algo='$2a';

        //cost parameter
        private static $cost='$10';

        public static function unique_salt() {          
            return substr(sha1(mt_rand()),0,22);
        }

        //generate a hash
        function myhash($password) {                            
            return crypt($password,self::$algo.self::$cost.'$'.self::unique_salt());
        }

        //compare password with hashed one
        public static function check_password($hash,$password) {
            $full_salt=substr($hash,0,29);

            $new_hash=crypt($password,$full_salt);

            return ($hash==$new_hash);
        }               
    }
?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Okay, I used md5 to solve it.

    In registration:

    $pass_hash=md5(mysql_real_escape_string($_POST['txtPassword']));
$insertQuery="INSERT INTO $tbl_name(Password) VALUES ('".$pass_hash."')";
$insert=mysql_query($insertQuery) or die ("Failed to register");

    In login:

    $pass_hash=md5(mysql_real_escape_string($_POST['txtPassword']));
$checkLogin=mysql_query("SELECT * from $tbl_name WHERE Username='".$username."'AND Password='".$pass_hash."'"); 
if(mysql_num_rows($checkLogin)==1) {
   $row=mysql_fetch_array($checkLogin);
   echo "Login success!";
}
else {
   echo "Login failed!";
}
    • 0