I have a form for updating user data. It posts to this page:
<?php
//Update user table
session_start();
include 'sql_connect_R.inc.php';
$id = mysql_real_escape_string($_POST['userID']);
$password = mysql_real_escape_string($_POST['user_passwrd']);
$salt = time();
$hash = sha1($password . $salt);
mysql_query("UPDATE users SET user_passwrd = '$hash', stamp = '$salt', pending = 'yes'
WHERE userID = '$id'");
mysql_close($con);
?>
(I have edited out the things not pertinent to this question)
I believe what is happening is when the 'stamp' field is being populated with the $salt it is getting a different value than when the $hash is being calculated. Therefore, when a user signs in and is checked here:
$qry="SELECT * FROM users WHERE userlogin = '$login' AND user_passwrd = sha1(CONCAT('$password', stamp))";
$result=mysql_query($qry);
$row = mysql_fetch_assoc($result);
$num = mysql_num_rows($result);
When I echo $num it returns a value of 0. I'm wondering if there is a way to ensure that the value of $salt remains the same when it is being used in $hash and then when it is updating the field 'stamp'. Can anyone help me with this or point me in the right direction? Thanks in advance. Cheers
More ideas so I've changed my comment into an answer...
It's worth noting that you're using PHP's SHA1 function when storing but MySQL's when retrieving. They should be the same, but that's the first place I'd look to debug this. Try using MySQL's sha function to store the hash, or retrieve the record based on login, read the salt and hash it in PHP to compare.
How are you storing the timestamp? Is it possible that it's being transformed/rounded/clipped/treated as a date string in some way? Just for a sanity check, take the string you're feeding into the sha1 function in both steps and check they're identical.
Further to your comment, can you post the schema for the relevant fields in the table?
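The check the answer describes, as an added example that is not part of the original post: the row is fetched by login only, the hash is rebuilt in PHP from the stamp that was read back, and the salt strings from both steps are dumped side by side. It uses PDO with an in-memory SQLite table in place of the question's MySQL connection; the logins, password, epoch value and the date-formatted stamp on the `bob` row (simulating a column type that rewrites the value) are constructed assumptions.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL `users` table;
// column names are taken from the question, all values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userlogin TEXT, user_passwrd TEXT, stamp TEXT)');

// $storedStamp is what the column ends up holding; passing a value different
// from $salt simulates a column type that rewrites it (an assumption).
function store_user(PDO $db, string $login, string $password, string $salt, string $storedStamp): void
{
    $stmt = $db->prepare('INSERT INTO users (userlogin, user_passwrd, stamp) VALUES (?, ?, ?)');
    $stmt->execute([$login, sha1($password . $salt), $storedStamp]);
}

// Look the row up by login only, then rebuild the hash in PHP from the stamp
// that was actually read back, so both steps use the same sha1() and input.
function check_login(PDO $db, string $login, string $password): array
{
    $stmt = $db->prepare('SELECT user_passwrd, stamp FROM users WHERE userlogin = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['ok' => false, 'stamp' => null];
    }
    $candidate = sha1($password . $row['stamp']);
    return ['ok' => hash_equals($row['user_passwrd'], $candidate), 'stamp' => $row['stamp']];
}

$salt = (string) 1371234567;   // constructed epoch value, the kind time() returns
store_user($db, 'alice', 'example-pass', $salt, $salt);                             // stamp kept intact
store_user($db, 'bob', 'example-pass', $salt, gmdate('Y-m-d H:i:s', (int) $salt));  // stamp rewritten

foreach (['alice', 'bob'] as $login) {
    $result = check_login($db, $login, 'example-pass');
    printf("%-5s ok=%s\n", $login, var_export($result['ok'], true));
    var_dump($salt, $result['stamp']);   // salt used when hashing vs. salt read back
}
```

PHP's `password_hash()` and `password_verify()` keep the salt inside the stored hash string, so there is no separate `stamp` column that can drift out of sync with the hash.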