How to Authenticate Users with Salted Passwords from a Database
In database-driven web applications, it's essential to protect user passwords against unauthorized access. Salting passwords is a crucial security measure that enhances the protection of user credentials. In this Q&A, we'll explore how to retrieve and authenticate a salted password from a database for secure user authentication.
The Problem:
A developer implemented a member site with salted passwords stored in a MySQL database. However, the login page is allowing any entry into the membership site due to an issue in verifying member existence.
Code for Checking Member Existence:
$servername = 'localhost'; $username = 'root'; $pwd = ''; $dbname = 'lp001'; $connect = new mysqli($servername, $username, $pwd, $dbname); if ($connect->connect_error) { die('connection failed, reason: ' . $connect->connect_error); } $name = mysqli_real_escape_string($connect, $_POST['name']); $password = mysqli_real_escape_string($connect, $_POST['password']); $saltQuery = "SELECT salt FROM users WHERE name = '$name';"; $result = mysqli_query($connect, $saltQuery); if ($result === false) { die(mysqli_error()); } $row = mysqli_fetch_assoc($result); $salt = $row['salt']; $saltedPW = $password . $salt; $hashedPW = hash('sha256', $saltedPW); $sqlQuery = "SELECT * FROM users WHERE name = '$name' AND password = '$hashedPW'"; if (mysqli_query($connect, $sqlQuery)) { echo '<h1>Welcome to the member site ' . $name . '</h1>'; } else { echo 'error adding the query: ' . $sql_q . '<br> Reason: ' . mysqli_error($connect); }
The Solution:
The error in the code lies in the member existence check. To correctly verify the user's password against the stored salted password hash, the following steps are necessary:
Retrieve the Salted Password Hash from the Database:
Use a SQL query to fetch the salted password hash from the database for the provided username.
Calculate the Hashed Password:
Concatenate the user's entered password with the retrieved salt and hash it using the same hashing function as used for storing the password in the database.
Compare the Hashed Password with Stored Hash:
Compare the calculated hashed password with the stored salted password hash. If they match, the user's password is correct.
Below is an updated version of the member existence check code that incorporates these steps:
$verifyQuery = "SELECT id, password FROM users WHERE name = '$name';"; $verifyResult = mysqli_query($connect, $verifyQuery); if ($verifyResult === false) { die(mysqli_error()); } $verifyRow = mysqli_fetch_assoc($verifyResult); if ($verifyRow) { $storedHash = $verifyRow['password']; $saltedPW = $password . $verifyRow['salt']; $hashedPW = hash('sha256', $saltedPW); if ($hashedPW === $storedHash) { // User authenticated successfully } else { // Incorrect password } } else { // User not found }
Conclusion:
By following these steps, developers can securely verify user passwords against salted password hashes stored in a database. This ensures the integrity and protection of user credentials, safeguarding against unauthorized access.
The above is the detailed content of Why is my salted password authentication not working in my MySQL database?. For more information, please follow other related articles on the PHP Chinese website!