ApperleyA ApperleyA - 7 days ago 7
PHP Question

PHP Login with salt+encryption

The problem is that I am simply trying to login with this script and the only times I can make it work is if I take out the lines retrieving the salt from the database based off of the username provided and put in the hashed password manually. The weird part about this whole problem is this is the exact way I do it on another site I made and it works flawlessly. What happens is that it blanks the page and doesnt even show an error. If anyone has a solution I would be very happy to hear them or suggestions about a better way to do this.

<?php
include 'includes/calendar-functions.php';
//user login
if(isset($_POST['membership_id']) && isset($_POST['user_password']) && $_POST['membership_id'] != "" && $_POST['user_password'] != "" ) {
//Setting up VARS
$newUsername = mysql_real_escape_string($_POST['membership_id']);
$newPassword = mysql_real_escape_string($_POST['user_password']);
$saltQuery = 'SELECT `salt` FROM `vintage_user` WHERE membership_id = '.$newUsername;
$resultSalt = mysql_query($saltQuery, $connect) or die( mysql_error() );

while ($row = mysql_fetch_assoc($resultSalt)) {
$salt = $row["salt"];
}

$saltedPW = $newPassword . $salt;
$hashedPW = hash('sha256', $saltedPW);

// QUERYING DB FOR USERNAME AND PASSWORD
$query = 'SELECT *
FROM vintage_user
WHERE membership_id = "'.$newUsername.'"
AND user_password = "'.$hashedPW.'"
AND approved = "1"
LIMIT 1';
$result = mysql_query( $query, $mysql ) or die( mysql_error() );

if( mysql_num_rows( $result ) == 1 ) {
list( $_SESSION['user_first'],
$_SESSION['user_last'],
$_SESSION['user_id'],
$_SESSION['user_email'],
$_SESSION['membership_id'] ) = mysql_fetch_row( $result );
header( 'location:'.'calendar.php?m='.$month.'d=1&y='.$year );
die();
}
else {
echo '<p class="incorrect">Incorrect login and/or password</p>';
}
}

Answer

If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.