Home > Backend Development > PHP Tutorial > Why is my salted password authentication not working in my MySQL database?

Why is my salted password authentication not working in my MySQL database?

Susan Sarandon
Release: 2024-11-13 10:03:02
Original
796 people have browsed it

Why is my salted password authentication not working in my MySQL database?

How to Authenticate Users with Salted Passwords from a Database

In database-driven web applications, it's essential to protect user passwords against unauthorized access. Salting passwords is a crucial security measure that enhances the protection of user credentials. In this Q&A, we'll explore how to retrieve and authenticate a salted password from a database for secure user authentication.

The Problem:

A developer implemented a member site with salted passwords stored in a MySQL database. However, the login page is allowing any entry into the membership site due to an issue in verifying member existence.

Code for Checking Member Existence:

$servername = 'localhost';
$username = 'root';
$pwd = '';
$dbname = 'lp001';

$connect = new mysqli($servername, $username, $pwd, $dbname);

if ($connect->connect_error) {
    die('connection failed, reason: ' . $connect->connect_error);
}

$name = mysqli_real_escape_string($connect, $_POST['name']);
$password = mysqli_real_escape_string($connect, $_POST['password']);
$saltQuery = "SELECT salt FROM users WHERE name = '$name';";
$result = mysqli_query($connect, $saltQuery);
if ($result === false) {
    die(mysqli_error());
}
$row = mysqli_fetch_assoc($result);
$salt = $row['salt'];

$saltedPW = $password . $salt;
$hashedPW = hash('sha256', $saltedPW);
$sqlQuery = "SELECT * FROM users WHERE name = '$name' AND password = '$hashedPW'";

if (mysqli_query($connect, $sqlQuery)) {
    echo '<h1>Welcome to the member site ' . $name . '</h1>';
} else {
    echo 'error adding the query: ' . $sql_q . '<br> Reason: ' . mysqli_error($connect);
}
Copy after login

The Solution:

The error in the code lies in the member existence check. To correctly verify the user's password against the stored salted password hash, the following steps are necessary:

  1. Retrieve the Salted Password Hash from the Database:

    Use a SQL query to fetch the salted password hash from the database for the provided username.

  2. Calculate the Hashed Password:

    Concatenate the user's entered password with the retrieved salt and hash it using the same hashing function as used for storing the password in the database.

  3. Compare the Hashed Password with Stored Hash:

    Compare the calculated hashed password with the stored salted password hash. If they match, the user's password is correct.

Below is an updated version of the member existence check code that incorporates these steps:

$verifyQuery = "SELECT id, password FROM users WHERE name = '$name';";
$verifyResult = mysqli_query($connect, $verifyQuery);
if ($verifyResult === false) {
    die(mysqli_error());
}
$verifyRow = mysqli_fetch_assoc($verifyResult);
if ($verifyRow) {
    $storedHash = $verifyRow['password'];
    $saltedPW = $password . $verifyRow['salt'];
    $hashedPW = hash('sha256', $saltedPW);

    if ($hashedPW === $storedHash) {
        // User authenticated successfully
    } else {
        // Incorrect password
    }
} else {
    // User not found
}
Copy after login

Conclusion:

By following these steps, developers can securely verify user passwords against salted password hashes stored in a database. This ensures the integrity and protection of user credentials, safeguarding against unauthorized access.

The above is the detailed content of Why is my salted password authentication not working in my MySQL database?. For more information, please follow other related articles on the PHP Chinese website!

source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template