Question

I inserted some users into the MySQL database

$register_query = " INSERT INTO user ( name, password, permission_id) 
VALUES ( '$username', SHA('$password_01'), '1' ) ";

I want to read the user table for logging in

require_once('initializing.php');

class DbPlus extends MySQLDatabaseConnection{

public $database;

function __construct()
{
    $this->database = parent::connection();
}

public function reading_table($table, $query, $where = null, $limit = null, $order = null){

    $query = "SELECT {$query} FROM {$table}";
    if ( isset($where) ) {
        $query .= " WHERE {$where}";

    }
    if ( isset($order) ){
        $query .= " ORDER BY {$order}";
    }
    if ( isset($limit) ) {
        $query .= " LIMIT {$limit}";
    }

    // $data = $this->database->query($query);
    $data = $this->database->query($query);

    $rows = array();
    while ( $row = $data->fetch_object() ) {
        $rows[] = $row;

    }

    return $rows;
    }
}

$dbplus = new DbPlus;

$login_qry_slct = "id,name,password,permission_id";
$login_qry_whr = "name ='test' AND password = SHA('test')";
$result = $dbplus->reading_table('user', $login_qry_slct, $login_qry_whr );
var_dump($result);

For testing purposes I inserted name=test and password=test. I did it in two ways, with and without SHA(). When I inserted the password 'test' without hashing, the select query works fine (note: it is for testing purposes) and returns the non-hashed test user.

$login_qry_whr = "name ='test' AND password = 'test'";

But when I use SHA

$login_qry_whr = "name ='test' AND password = SHA('test')";

It returns array(0) { } (note: there is a hashed version saved in the user table too).

What am I doing wrong with SHA()?


Solution

Try this,

sha1(password) instead of sha(password).

Or else try this one: the password_hash() function or the crypt function.

http://www.php.net/manual/en/function.password-hash.php

Hope this works for you.

Other tips

Please please don't use SHA* for hashing passwords, instead use a slow key-derivation function like BCrypt or PBKDF2 with a cost factor. The verification cannot be done in an SQL statement directly (because of the salt), so you have to do it in your PHP code:

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
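A complete register/login flow built on the two calls above, as an added example that is not part of the original answer. It assumes an existing mysqli connection in $mysqli (with mysqlnd, so get_result() is available) and the page's user table with the password column widened to VARCHAR(255) so a bcrypt hash fits; the lookup is done by name only and the verification happens in PHP, since the per-hash salt makes an SQL-side comparison impossible.

```php
<?php
// Added example, not the original answer's code. Assumes $mysqli is an open
// mysqli connection and `user.password` is VARCHAR(255) (bcrypt needs 60 chars).
const HASH_OPTS = ['cost' => 12];

function register_user(mysqli $db, string $username, string $password): bool
{
    // password_hash() picks a random salt per password and embeds it, together
    // with the cost factor, in the returned string.
    $hash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTS);

    // Prepared statement: the username and hash are bound as data, never
    // concatenated into the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO user (name, password, permission_id) VALUES (?, ?, 1)'
    );
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

function login_user(mysqli $db, string $username, string $password): ?array
{
    // Fetch the row by name only; the password check cannot be expressed in
    // SQL because every stored hash carries its own salt.
    $stmt = $db->prepare(
        'SELECT id, name, password, permission_id FROM user WHERE name = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row === null || !password_verify($password, $row['password'])) {
        return null; // unknown user or wrong password: same result for both
    }

    // If the cost factor was raised since this hash was stored, rehash now
    // while the plaintext is available, so old accounts are upgraded transparently.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, HASH_OPTS)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTS);
        $upd = $db->prepare('UPDATE user SET password = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $row['id']);
        $upd->execute();
    }

    unset($row['password']); // never hand the hash back to the caller
    return $row;
}

// Usage (constructed): register_user($mysqli, 'test', 'test');
//                      $user = login_user($mysqli, 'test', 'test');
```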

I never ran into problems like this by hashing the password in PHP using the native hash() function.

<?php
$query = "SELECT * FROM table WHERE username = 'test' AND password = '" . hash('sha256', $password) . "'";
?>

Documentation: http://us2.php.net/manual/en/function.hash.php

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow