I've got one function to create a new user by generating a salt, appending it to password, and hashing the combination. I've got another function for user login verification, which takes the user's entered password and adds it to the user's unique salt, hashes, and compares to the encrypted password in the database (see comments throughout code).
I've echoed out all the important variables in the userValidate() function, but I can never get the hash+user password to match the encrypted password from the database. Can anyone tell me what I'm doing wrong?
Create user function:
function createNewUser($firstName, $lastName, $email, $password, $address, $city, $state) {
    $conn = connectPDO();
    // Create a salt
    $salt = mcrypt_create_iv(64, MCRYPT_DEV_URANDOM);
    // Add salt to password
    $salted_password = $salt.$password;
    // Hash salt/password combination, to be added to "password" column of database
    $encrypted_password = hash('sha256', $salted_password);
    $datetime = date("Y-m-d H:i:s");
    $stmt = $conn->prepare("INSERT INTO users (`first-name`, `last-name`, `email-address`,
                                               `password`, `salt`, `address`,
                                               `city`, `state`,
                                               `registered-timedate`) VALUES (
        :field1, :field2, :field3, :field4, :field5, :field6, :field7, :field8, '$datetime')");
    return ($stmt->execute(array('field1' => $firstName,
                                 'field2' => $lastName,
                                 'field3' => $email,
                                 'field4' => $encrypted_password,
                                 'field5' => $salt,
                                 'field6' => $address,
                                 'field7' => $city,
                                 'field8' => $state)));
}
Validate user's login:
function userValidate($email, $user_password) {
    $conn = connectPDO();
    // Bind the e-mail address as a parameter instead of interpolating it into the SQL
    $stmt = $conn->prepare("SELECT `salt`,`password` FROM users WHERE `email-address` = :email");
    $stmt->execute(array('email' => $email));
    $row = $stmt->fetch();
    // No row for this e-mail address
    if ($row === false) {
        return false;
    }
    // Get the user's unique password salt
    $salt = $row['salt'];
    // Find the hashed salt/password combination
    $database_password = $row['password'];
    // Add salt to user's entered password and encrypt
    $salted_password = $salt.$user_password;
    $encrypted_password = hash('sha256', $salted_password);
    // Compare the user password/salt hash to one stored in database
    // (hash_equals is constant-time and avoids loose == string comparison)
    if (hash_equals($database_password, $encrypted_password)) {
        return true;
    } else {
        return false;
    }
}
Edit:
I've echo'd my vars on the registration page and I'm getting salts w/ many special characters like "J~Ã×/q,ó¸5 áczçvÁ!—Î/åÿâÑ^:h1Z¬MÃF¤º`„ù‹w¡ìe(Wúô wW" which is not going in the database verbatim--goes in like "4a7ec3d72f00712cf31eb8350f20e1637ae776c1902197ce2f1ae57fff0be2d1135e3a681e315aac4dc346a4ba608402f98b77a1ec126590281157faf40977570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000". What data type should I use in my databsae for salts... and shouldn't salting/hashing/comparing generate the same two encrypted passwords for each (because the salts would still be the same?)
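The salt round trip described in the edit above, as an added example that is not part of the original post: the hash only matches if the salt read back is byte-identical to the salt that was hashed. All function names are hypothetical, and `fixedWidthColumn()` is an assumed stand-in for a fixed-width column that right-pads with zero bytes, as the zero-filled value quoted in the edit suggests.

```php
<?php
// Added example, not the poster's code; all function names are hypothetical.

// Stand-in for a fixed-width binary column: shorter values come back
// right-padded with 0x00 bytes, longer ones are cut to the width.
function fixedWidthColumn(string $value, int $width): string {
    return str_pad(substr($value, 0, $width), $width, "\0");
}

// Same construction as the post: sha256(salt . password), hex output.
function saltedHash(string $salt, string $password): string {
    return hash('sha256', $salt . $password);
}

// Registration: hash with the salt in memory, return the row as stored.
function register(string $password, int $saltColumnWidth, bool $hexSalt): array {
    $salt = random_bytes(64);          // raw bytes, like mcrypt_create_iv(64, ...)
    if ($hexSalt) {
        $salt = bin2hex($salt);        // 128 printable characters
    }
    return [
        'salt'     => fixedWidthColumn($salt, $saltColumnWidth),
        'password' => saltedHash($salt, $password),
    ];
}

// Login: recompute from the stored salt, compare in constant time.
function verify(array $row, string $password): bool {
    return hash_equals($row['password'], saltedHash($row['salt'], $password));
}

$padded = register('correct horse', 255, false); // 64-byte salt, 255-byte column
$exact  = register('correct horse', 64, false);  // column width equals salt length
$hex    = register('correct horse', 128, true);  // hex salt in a 128-character column

var_dump(verify($padded, 'correct horse'));
var_dump(verify($exact, 'correct horse'));
var_dump(verify($hex, 'correct horse'));
var_dump(verify($hex, 'wrong guess'));

// PHP's built-in API keeps the salt inside one printable string and uses a
// slow password hash rather than a single SHA-256 round.
$stored = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $stored));
```

The padded row fails verification even with the correct password because the stored salt is 255 bytes while the hash was computed over 64; the exact-width and hex-encoded rows verify.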