mhash, checking passwords

noiseusse

Hi. I've got a good login page running but I decided I needed to encrypt the passwords. When adding a new user mhash works fine

here's what I do:

$the_hash = MHASH_TIGER;
$thehashentry = mhash($the_hash , $pass1);
$theentry = "\r".$userid.":".bin2hex($thehashentry)."--";
$thefile = fopen("logins.txt" , 'a');
fwrite($thefile , $theentry);
fclose($thefile);

my problem is that when I try and check the user entered password against the file it won't match. Here's what I'm doing for that:

$userid = $POST["login"];
$passwd = $POST["passw"];
$thehash = MHASH_TIGER;
$hashedpass = mhash($thehash , $passwd);

$line = explode("--" , $buffer);
$i = 0;
$thecheck =0;

while($i < sizeof($line))
{
	$datapair = explode(":" , trim($line[$i]));
	if(($datapair[0] == $userid and $datapair[1] == bin2hex($hashedpass)))
	{
		$thecheck = 1;
		break;

	}

It's probably something little and simple but it's beyond me. Any insight is appreciated.

saronoff

To see what's wrong I would print the userid, the bin2hex password and what you're trying to match against. That'll tell you if its a trim issue, a bad data issue, etc. That should be the easiest way to see what's happening. The other thing I would do is pull the bin2hex call out of the "if" and see if that makes any difference. You're going to have to do that to print the value out.

Instead of mhash you may want to try md5 encoding. Once encoded you can not "unencode" but you can surely test one md5 hash against another. Its probably a safer way to go because no one, even if they get a hold of your password file could find the passwords for any of the users.

noiseusse

nevermind, I got it. I wass writing $POST["login"]; instead of $_POST["login"]

That took way too much effort to find
thanks