double hashing and change password

#1
Jun 3rd, 2007, 18:13
Junior Member
Join Date: May 2007
Location: bahrain
Posts: 25

Hi

I'm having a problem with double hashing and changing the password.
My story is: the user uses 123456, for example, to log in, and this password is not in double hashing form yet!
So the user goes to the change password section and enters his current password twice, 123456, and his new password, 111222333, then OK, and the password becomes 9898eugeghdgd87d67d6 blah blah in the database; because it is in double hashing form nobody can see what it is. Then the user uses his new password, 111222333, next time to log in, and the login is successful.

The problem is here: he wants to change the password again, so he goes to change password and it's the same story again, but this time he gets the message "invalid previous password" because it is in hashing form, and I don't know how to make it understand that the password is the same one he used to log in and it's not invalid!!

NOTE: I really need to use the double hashing, I know it works without it but I want it.

See this code where I used sha1 for double hashing in the change password screen. I might need it somewhere else but I don't know where.

Code:
$pass = sha1($_POST['psd1']);
     
     $update = "UPDATE INSTRUCTOR SET IPASSWORD = '$pass' WHERE INSID = '$userid'";
     $result= mysql_query($update);
And here in the check login screen:
Code:
$user = trim($_POST['User_Name']);
$pass = trim($_POST['User_Pass']);
$SQL = mysql_query(" select * from INSTRUCTOR where INSID='".$user."' and ipassword=sha1('".$pass."') ") or die (mysql_error());
Here is the full code, if you need it:
Code:
<?
session_start();
$userid=$_SESSION['ses_name'];
if(isset($userid)) {
 
ECHO "Welcome ".$_SESSION['ses_name']."  to change password section ";
} else {
ECHO "Sorry! you need to login to view this page. ";

include("login_form.php");

}
?>

<html>
<head>
<title>:: Change Password Screen ::</title>
</head>
<body background="logo_02.gif">
      <?
    include('DB_connectionscript.php');
    if(isset($_POST['submit']))
    {
     if($form_errors = check())
     {
      show_form($form_errors);
     }
     
     else
     {
      process();
     }
    }
    else
    {
     show_form();
    }
    function show_form($errors='')
    {
     print "<br/>";
     print "<br/>";
     print "<br/>";
     print "<form method='POST' action='".$_SERVER['PHP_SELF']."'>";
     print "<h3 align = 'center'>Please fill your data in the following fields:</h3><table align = 'center' border='0' dir='ltr'>";
     print "<tr>";
     print "<td colspan='2'>";
     if ($errors) {
      print "<font color='#FF0000'>";
      print "<ul><li>";
      print implode("</li><li>",$errors);
      print "</li></ul>";
     }
     print "</tr>";
     print "<tr>";
     print "<td><font size='2'> Enter your password </font> </td><td><input type='password' name='psd'></td>";
     print "</tr>";
     print "<tr>";
     print "<td><font size='2'>  Enter your new password </font></td><td><input type='password' name='psd1'></td>";
     print "</tr>";
     print "<tr>";
     print "<td><font size='2'>  Re-enter your new password </font></td><td><input type='password' name='psd2'></td>";
     print "</tr>";
     print "<tr>";
     print "<td colspan='2'>";
     print " <p align='center'>";
     print "<input type='submit' value='Submit' name='submit' dir='ltr'>";
     print "</tr>";
     print "</table>";
     print "</form>";
     print "<br/>";
     print "<br/>";
     print "<br/>";
    }
    function check()
    {
     global $userid;
     $errors = array();
     if (!$_POST['psd'] || !$_POST['psd1'] || !$_POST['psd2'])
     {
      $errors[] ='You did not fill in a required field';
      return $errors;
     }
     $sql = ("SELECT IPASSWORD FROM INSTRUCTOR where INSID = '$userid'");
     $result = mysql_query($sql);
     $checker = mysql_fetch_row($result);
     if($checker[0] != $_POST['psd'])
     {
      $errors[] = "Invalid previous password";
      return $errors;
     }
     if (strlen($_POST['psd1']) >= 6)
     {
      if ($_POST['psd1'] != $_POST['psd2']) 
      {
       $errors[] ='New Passwords did not match.';
       return $errors;
      }
     }
     else
     {
      $errors[] ='Your new password length must be 6 or more.';
      return $errors;
     }
    }
    
    
    function process()
    {
     global $userid;
     $pass = sha1($_POST['psd1']);
     
     $update = "UPDATE INSTRUCTOR SET IPASSWORD = '$pass' WHERE INSID = '$userid'";
     $result= mysql_query($update);
     
     
     if(!$result)
     {
      print "Update ERROR:". mysql_error();
      exit();
     }
     else
     {
      echo '<META HTTP-EQUIV="Refresh" CONTENT="3;URL=admin_page.php">';
     }
    }
   
    
   ?>
</body>
</html>
checklogin.php

Code:
<?
session_start();
 
include("DB_connectionscript.php");
$user = trim($_POST['User_Name']);
$pass = trim($_POST['User_Pass']);
$SQL = mysql_query(" select * from INSTRUCTOR where INSID='".$user."' and ipassword=sha1('".$pass."') ") or die (mysql_error());

if( mysql_num_rows($SQL) != "0" ){
$info = mysql_fetch_array($SQL);
 
$_SESSION['ses_name'] = "$info[INSID]";

ECHO "Login was successful!";
echo "<br>";
echo "<a href='admin_page.php'>Control Panel Page</a>";
 
} else {
ECHO "Sorry! Check your login information ";
}
?>
Please help me, I'm so tired of this. I know I might need to use sha1 somewhere else too but I don't know where. I've been facing this problem since last week and I couldn't solve it.

Thanks

#2
Jun 3rd, 2007, 22:14
Reputable Member
Join Date: Apr 2007
Location: Scotland
Age: 17
Posts: 233

You could use ENCODE and DECODE in your MySQL statement. It isn't sha1 but it is easier to use and can be more secure. It would go something like this...

Code:
$key = 'A-r@Nd0m-Str1ng-0f-t3xt';

$update = "UPDATE INSTRUCTOR SET IPASSWORD = ENCODE('$pass', '$key') 
           WHERE INSID = '$userid'";
Turning it back into a string from the database would be something like this...

Code:
$key = 'A-r@Nd0m-Str1ng-0f-t3xt';

$select = "SELECT DECODE(IPASSWORD, '$key') AS IPASSWORD 
           FROM INSTRUCTOR";
This works really well. Be warned though that if you lose the key the data becomes inaccessible again.

#3
Jun 5th, 2007, 06:19
Junior Member
Join Date: May 2007
Location: bahrain
Posts: 25

That's good, but I didn't understand how to generate the key.

$key = 'A-r@Nd0m-Str1ng-0f-t3xt';

Should I write it like this?

Thanks.. I like your way of encoding and decoding

#4
Jun 5th, 2007, 06:37
Reputable Member
Join Date: Apr 2007
Location: Scotland
Age: 17
Posts: 233

Thanks. Glad I can help.

A-r@Nd0m-Str1ng-0f-t3xt literally is a random string of text. Just write anything you want in there. A random jumble of letters or numbers. Anything you want really, just make it hard to guess.

Keep in mind that you wouldn't use DECODE for user authentication. Just if you wanted to send a forgot password e-mail. To log in you would do something like:
Code:
$select = mysql_query("SELECT * FROM users WHERE password = ENCODE('$pass', '$key') AND username = '$username'");

$numRows = mysql_num_rows($select);

if($numRows > 0) {
      // LOGGED IN PART
}

Last edited by Blake121; Jun 5th, 2007 at 06:52.

#5
Jun 11th, 2007, 21:04
Junior Member
Join Date: May 2007
Location: bahrain
Posts: 25

I got the idea now thank you Blake
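
Added example, not written by any poster in this thread: the login and "current password" checks from post #1 reworked so the typed password is verified against the stored hash instead of being compared to it as text, using PHP's password_hash() / password_verify() with PDO prepared statements and an in-place upgrade of the old SHA-1 rows. Unlike the ENCODE/DECODE approach in post #2, nothing stored here can be turned back into the password. The table and column names come from the posts; the in-memory SQLite database (needs the pdo_sqlite extension), the `ins01` row and the function names are constructed for this example.

```php
<?php
// Added example, not code from the thread. Table/column names follow the
// posts; the in-memory SQLite database and the sample row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE INSTRUCTOR (INSID TEXT PRIMARY KEY, IPASSWORD TEXT)');
// Constructed legacy row: bare SHA-1, as written by process() in post #1.
$db->prepare('INSERT INTO INSTRUCTOR VALUES (?, ?)')
   ->execute(['ins01', sha1('111222333')]);

function set_password(PDO $db, string $userid, string $new): void
{
    $st = $db->prepare('UPDATE INSTRUCTOR SET IPASSWORD = ? WHERE INSID = ?');
    $st->execute([password_hash($new, PASSWORD_DEFAULT), $userid]);
}

// One check shared by the login page and the "current password" field.
function verify_password(PDO $db, string $userid, string $typed): bool
{
    $st = $db->prepare('SELECT IPASSWORD FROM INSTRUCTOR WHERE INSID = ?');
    $st->execute([$userid]);
    $stored = $st->fetchColumn();
    if (!is_string($stored)) {
        return false;                       // unknown user
    }
    if (password_verify($typed, $stored)) {
        return true;                        // salted hash from password_hash()
    }
    // Legacy SHA-1 row: compare hash to hash, then upgrade it in place.
    if (strlen($stored) === 40 && hash_equals($stored, sha1($typed))) {
        set_password($db, $userid, $typed);
        return true;
    }
    return false;
}

function change_password(PDO $db, string $userid, string $current, string $new): bool
{
    if (strlen($new) < 6 || !verify_password($db, $userid, $current)) {
        return false;
    }
    set_password($db, $userid, $new);
    return true;
}

var_dump(change_password($db, 'ins01', '111222333', 'first-new-pass'));
var_dump(change_password($db, 'ins01', 'first-new-pass', 'second-new-pass'));
var_dump(change_password($db, 'ins01', '111222333', 'third-new-pass'));
```

The second call is the repeat change that produced "Invalid previous password" in post #1; the third reuses a password that is no longer current.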