PokeFun Update: Password Lessons

Done with star assignments, so it's time to crack down on PokeFun! As a brief refresher, I've built a very basic site thus far: http://pokefun.flickhuck4lyfe.info. I got register and login/logout to work about 10 minutes ago. These provided an unexpected headache. Namely, I encountered trouble when trying to sha user-entered passwords.

Sha is a really easy way to encrypt passwords in PHP. Basically, you pass in a string of characters and it returns an encoded version of that string. This is useful when someone might be able to see your database and you don't want passwords to be recognizable, so it's important to sha passwords before you put them in the database.

This is where I messed up. I made the password column in my database 30 characters long, thinking that would be more than sufficient. The problem was that the sha function returned a result that was 40 characters long (even though the input was only six characters). Instead of returning an error, the database accepted the sha'd passwords but cut off the last 10 characters. This looked normal to me in the database (the sha'd passwords are strings of many seemingly unrelated characters), so I didn't realize there was an issue. Well, not until it came time to log in.

When you log in, a PHP script compares the username and password you provide with the usernames and passwords in the database. If there is a match, you get logged in; if not, the login fails. My logins kept failing. The passwords I entered on the login screen were not being truncated, so they didn't match the truncated values in the database. After much frustration and printing inputs to the screen, I figured this out. I then corrected the error by lengthening the password column in the database, and all was peachy.

Long story short, you can register and log in now! And if you ever have to encode passwords, remember that the length changes. That is all for now.
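To show the failure described above and the schema check that would have caught it, here is an added Python example (it is not code from this post or from the PokeFun site). It simulates a database column that silently truncates over-long values, as the post describes, and goes slightly beyond the post by also covering SHA-256; the function names (`hash_password`, `store_in_column`, `login`, `column_fits`, `register_and_login`) and the sample password are constructed for the example.

```python
import hashlib
import hmac

# Hex digest length in characters for each algorithm. The post's bug: the
# digest is always 40 characters for sha1, whatever the password length.
DIGEST_CHARS = {"sha1": 40, "sha256": 64}


def hash_password(password: str, algo: str = "sha1") -> str:
    """Hex digest of the password, the same string PHP's sha1() returns."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def store_in_column(value: str, column_width: int) -> str:
    """Simulate a VARCHAR(column_width) column that silently truncates an
    over-long value instead of raising an error (constructed behaviour,
    modelled on what the post describes)."""
    return value[:column_width]


def login(stored_digest: str, password: str, algo: str = "sha1") -> bool:
    """Hash the login password and compare it to the stored value,
    using a constant-time comparison."""
    return hmac.compare_digest(stored_digest, hash_password(password, algo))


def column_fits(column_width: int, algo: str = "sha1") -> bool:
    """Schema sanity check: can the column hold the whole hex digest?"""
    return column_width >= DIGEST_CHARS[algo]


def register_and_login(password: str, column_width: int,
                       algo: str = "sha1") -> bool:
    """Round trip: register (hash, then store, possibly truncated),
    then attempt to log in with the same password."""
    stored = store_in_column(hash_password(password, algo), column_width)
    return login(stored, password, algo)


if __name__ == "__main__":
    pw = "abc123"  # constructed six-character sample password
    print(len(hash_password(pw)))            # 40, not 6
    print(register_and_login(pw, 30))        # False: digest cut to 30 chars
    print(register_and_login(pw, 40))        # True: column wide enough
    print(column_fits(30), column_fits(40))  # False True
```

Running `column_fits` against the schema at registration time (or enabling the database's strict mode so an over-long insert fails loudly) turns the silent truncation into an error you see immediately.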

ds106 in[SPIRE]