douji5523 2014-03-28 16:48

Error comparing hashes at login

I'm creating a simple login system. I hash the passwords using sha256 and store a salt using a random number in the database. However, when I try to log in, when it goes to compare the hashes it fails. Can anyone see why?

<?php
session_start();

$username = $_POST['username'];
$password = $_POST['password'];

$mysql_db_hostname = "localhost";
$mysql_db_user = "root";
$mysql_db_database = "login";

$con = mysql_connect($mysql_db_hostname, $mysql_db_user) or die("Could not connect database");
mysql_select_db($mysql_db_database, $con) or die("Could not select database");

$query = "SELECT password, salt FROM registered_users WHERE username='$username'";
$result = mysql_query($query);
if(mysql_num_rows($result) < 1) //no such user exists
{
    echo 'false';
    header('Location: index.php');
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
    echo 'false';
    header('Location: index.php');
}
else
{
    echo 'true';
    // the query selects only password and salt, so use the submitted username
    $_SESSION['username']=$username;
}
session_write_close();

Here's how I hash my pass

// hash the password using sha256 a string of 64 characters
$hash = hash('sha256', $password);
// create the salt, random string of characters appended to hash
function createSalt()
{
    $string = md5(uniqid(rand(), true));
    return substr($string, 0, 3);
}
$salt = createSalt();
$hash = hash('sha256', $salt . $hash);

Here's how I insert my data

mysql_query("INSERT INTO registered_users(username, name, email, password,salt)VALUES('$username', '$name', '$email', '$hash', '$salt')");
header("location: index.php?remarks-success");
mysql_close($con);
?>

1 answer

  • douxie1692 2014-03-28 16:53

    Make sure you are storing the password in the database the same way you are checking it here.

    So to put it in you should create the hash by first hashing the password, then rehashing it with a salt. If they don't match, then there is your problem.

    This answer was selected by the asker as the best answer.
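
The answer's point, that registration and login must derive the hash the same way, as an added PHP example that is not part of the original thread: both paths call one shared function, and the login check reports why a comparison cannot succeed. The in-memory array standing in for registered_users, the function names, the sample credentials and the truncated-column case are assumptions made for illustration, not a diagnosis of the asker's database.

```php
<?php
// Added example, not the asker's code. $users stands in for the
// registered_users table; usernames and passwords are constructed samples.

// Single definition of the page's scheme: sha256(salt . sha256(password)).
function deriveHash(string $password, string $salt): string
{
    return hash('sha256', $salt . hash('sha256', $password));
}

function register(array &$users, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16)); // per-user salt from the CSPRNG (PHP 7+)
    $users[$username] = ['salt' => $salt, 'password' => deriveHash($password, $salt)];
}

// Returns 'ok' or a reason string. The reasons are for the developer's log,
// not for display on the login page.
function checkLogin(array $users, string $username, string $password): string
{
    if (!isset($users[$username])) {
        return 'no such user';
    }
    $row = $users[$username];
    // A SHA-256 hex digest is 64 characters; anything else means the value
    // was altered or truncated on its way into storage.
    if (strlen($row['password']) !== 64) {
        return 'stored hash is ' . strlen($row['password']) . ' chars, expected 64';
    }
    // hash_equals() compares in constant time, unlike != on strings.
    return hash_equals($row['password'], deriveHash($password, $row['salt']))
        ? 'ok'
        : 'hash mismatch';
}

$users = [];
register($users, 'alice', 'correct horse');
echo checkLogin($users, 'alice', 'correct horse'), "\n";
echo checkLogin($users, 'alice', 'wrong guess'), "\n";

// Hypothetical failure: a password column too narrow for the digest.
$users['alice']['password'] = substr($users['alice']['password'], 0, 40);
echo checkLogin($users, 'alice', 'correct horse'), "\n";
```

PHP 5.5 and later also ship password_hash() and password_verify(), which keep the salt inside the stored hash string, so there is no separate salt column to get out of step with the login code.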
