tags:

views:

67

answers:

1
Q: 

password salting - never matches!

I'm having difficulty figuring out why user password hashing is not working.

The way I do this is the normal method, where upon registration I create a randam salt and combine with password and store, but when I try to match the passwords for the login, they're failing :(

<?php
class Model_users extends ModelType_DatabasePDO
{

 //...

 public function CheckCredentials($username,$password)
 {
  $statement = $this->prepare('SELECT user_id,user_salt,user_password FROM users WHERE user_username = :u');
  $statement->bindValue(':u',$username);

  if($statement->execute())
  {
   $user_data = $statement->fetch(PDO::FETCH_OBJ);

   //Create a new hash with salt
   $combined = $this->CombineHash($password,$user_data->user_salt);

   //Check the combination is correct!
   if($combined == $user_data->user_password)
   {
    return true;
   }

   var_dump($user_data->user_salt,$combined);
   return false;
  }
  return false;
 }

 //...

 public function AddUser($userdata)
 {
  if($userdata['username'] && $userdata['password'] && $userdata['email'] && $userdata['nickname'])
  {
   $statement = $this->prepare('INSERT INTO users (user_username,user_password,user_salt,user_email,user_nickname) VALUES (:username,:password,:salt,:email,:nickname)');

   //Generate hashes
   $salt = $this->GenerateSalt();
   $password = $this->CombineHash($userdate['password'],$salt);

   //Generate Data block for insert
   $data = array(
    ':username' => $userdata['username'],
    ':password' => $password,
    ':salt'  => $salt,
    ':email' => $userdata['email'],
    ':nickname' => $userdata['nickname']
   );

   if($statement->execute($data))
   {
    return true;
   }
  }
  return false;
 }

 private function GenerateSalt()
 {
  //Create a random md5 string:
  $first = md5( rand(0,100) . time() . microtime() . uniqid() );
  $second = md5( rand(0,100) . time() . microtime() . uniqid() );

  for($i=0;$i<=32;$i++)
  {
   $string = '';
   if($i % 2)
   {
    $string .= $first[$i];
   }else
   {
    $string .= $second[$i];
   }
  }
  return md5($string);
 }

 private function CombineHash($password,$hash)
 {
  return md5($password . $hash);
 }
}
?>

All variables passed into the methods are raw and not salted or encrypted but merely validated :/

Regards

+8  A: 

Your code appears to have a typo

 $password = $this->CombineHash($userdate['password'],$salt);

$userdate needs to be $userdata (the e needs to be an a).

atk  2010-08-24 19:03:23
It's always the little things... Good catch.
bradenkeith  2010-08-24 19:04:46
that's why i like compiled languages
Andrey  2010-08-24 19:08:43
yea e and a, there so much alike, its working now, after a 9-5 computer job to get back to personal projects its hard to concentrate ha, thanks again.
RobertPitt  2010-08-24 19:09:35
@RobertPitt `error_reporting(-1);` will usually catch things like that. An IDE may help also.
banzaimonkey  2010-08-24 19:11:45
Yeah. It's one of those things I'd never have been able to find in my own code :) We're all blind to (some of) our own mistakes :)
atk  2010-08-24 19:13:16
@RobertPitt: If this answer helped you, why not mark it as Accepted? :)
Onion-Knight  2010-08-24 19:13:56
yea i should really use E_ALL, but with the project im creating i dont get your regular error string, its a output control with error templates :)
RobertPitt  2010-08-24 19:14:48
Onion, you cant accept an aswer that fast mate, waiting for the timer!
RobertPitt  2010-08-24 19:15:17

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases