UCP with Hashed Passwords
#1

Code:
WP_Hash(PlayerInfo[playerid][pPassword], 129, combination);
^ That's the hash I'm using in my script.
I'm trying to figure out how to unhash it for a UCP.

Code:
<?php

include("config.php"); //including our config.php where is connecting to mysql...
session_start(); //starting session for profile.php (Dunno how to explain better) look little down
error_reporting(0); //without this we will always get some stupid notice that variable isn't defined....

$submit = $_POST['submit']; //variable for submit button, in this variable we save button that player press in <input type='submit' name="submit" value='Login' />....
$username = sanitize($_POST['username']); //variable for username, in this variable we save text that user type in <input type="text" name="username"....
$password = sanitize($_POST['password']); //variable for password, in this variable we save text that user type in <input type="password" name="password"....
$hashedPassword = strtoupper(hash('whirlpool',$password));

if($submit) //if he press submit button
{
    if($username && $password) //if he type both of username and password not just one of them
    {
        $query = mysql_query("SELECT `user`, `password` FROM `samp_users` WHERE `user` = '$username'"); //selecting user name and password, change it to your field names,  chage users to your table name, $username means username that he type...
        if(mysql_num_rows($query) == 1) //if user exists
        {
            while($row = mysql_fetch_assoc($query)) //loop thought table that we select in mysql_query
            {
                $dbusername = $row['user']; //setting dbusername as variable from table, change 'username' to your field!
                $dbpassword = $row['password']; //setting dbpassword as variable from table, change 'password' to your field!
            }
            if($username == $dbusername && hashedPassword == $dbpassword) //if username is same as one from table and if password is the same as one from table...
            {
                $_SESSION['username'] = $dbusername; //setting session username to one from table, this is useful if you login, that restart your browser and than you go in url where is your profile.php... Anyway this is useful :D
                echo header('location: profile.php'); //redirecting user to his profile page (profile.php)
            }
            else echo "Wrong password!"; //else if user type wrong password he will get this...
        }
        else echo "Username doesn't exist!"; //if username doesn't exist in table user will get this
    }
    else echo "Type name and password!"; //else if user doesn't type all fields he will get this...
}

?>
I'm a complete and utter noob with PHP, would love any assistance here.
Reply
#2

Hashes are not designed to be unhashed, ****** "Whirlpool hash with php" on ****** instead.

What you need to do is, hash the password user enters on your ucp page, and compare it with the saved one in database.
Reply
#3

As explained above, you can't unhash passwords. To find out if the user enters the correct password, you must hash the entered text and then compare the strings to see if they match.

If the user is currently not logging in it must be an issue with your hashing or the way the strings are compared.

Could you please explain the full issue you are having with this? Also, could you please show me the "hash" function that is being called...
Reply
#4

Quote:
Originally Posted by JessThompson
As explained above, you can't unhash passwords. To find out if the user enters the correct password, you must hash the entered text and then compare the strings to see if they match.

If the user is currently not logging in it must be an issue with your hashing or the way the strings are compared.

Could you please explain the full issue you are having with this? Also, could you please show me the "hash" function that is being called...
Code:
$hashedPassword = strtoupper(hash('whirlpool',$password));
I added this to the script and made it call for the $hashedPassword variable in the login.php submit box. Yet, it gets wrong password, and when I copy the password that's hashed straight from the database, it's still wrong.
When I remove $hashedPassword from the login.php script, and I set it back to its default $password, the hashed password from the database works.
Reply
#5

bump.
Reply
#6

Shouldn't you also add a filter to that sanitize?

And as I know, you should sanitize when you display the input to a user; it can't affect you if you only compare it to another variable.

So if you save in the database you need to escape for SQL injection, and if you want to show something to a user, sanitize. I may be wrong, but that's how I know it.

not sure how it works with whirlpool but check this: http://www.richardlord.net/blog/php/...-security.html

try to print the hash and compare with the one that you have in database
Reply
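
Added example, not code from the thread: the check that posts #2 and #3 describe, hashing the entered password the same way the game script does and comparing it with the stored value, with a bound query parameter and `hash_equals`. It assumes `WP_Hash` stores uppercase hex (as the `strtoupper` in the posted code implies) and PHP 7+ with PDO; the in-memory SQLite table and its row are constructed stand-ins for `samp_users`.

```php
<?php
// Added example (not from the thread). Assumption: the game script stores
// the Whirlpool digest as uppercase hex, as the posted strtoupper() implies.

function whirlpool_upper(string $password): string
{
    // PHP's hash() returns lowercase hex, so match the stored casing.
    return strtoupper(hash('whirlpool', $password));
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username is sent as data, never as SQL text.
    $stmt = $db->prepare('SELECT password FROM samp_users WHERE user = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }
    // Hash the raw input (escaping it first would change the digest) and
    // compare digests. Both arguments are real values: a bare word such as
    // hashedPassword, without the $, is not a variable in PHP.
    return hash_equals((string) $stored, whirlpool_upper($password));
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE samp_users (user TEXT PRIMARY KEY, password TEXT)');
$insert = $db->prepare('INSERT INTO samp_users (user, password) VALUES (?, ?)');
$insert->execute(["Demo_O'Player", whirlpool_upper('correct horse')]);

$stored = $db->query('SELECT password FROM samp_users')->fetchColumn();

var_dump(check_login($db, "Demo_O'Player", 'correct horse')); // right password
var_dump(check_login($db, "Demo_O'Player", 'wrong guess'));   // wrong password
var_dump(check_login($db, "Demo_O'Player", $stored));         // stored hash pasted as password
var_dump(check_login($db, 'Nobody', 'correct horse'));        // unknown user
```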

