Modifying salt with android API for webservice development

I am using code from a tutorial to create an API for Android login, but the hashing on the system I really want to develop from is different. How can I change it to fit my database?

PHP
<?php
class DB_Functions {

    private $conn;

    // constructor: open the database connection (mysqli, via DB_Connect.php)
    function __construct() {
        require_once 'DB_Connect.php';
        $db = new Db_Connect();
        $this->conn = $db->connect();
    }

    // destructor
    function __destruct() {

    }

    /**
     * Storing new user
     * returns user details
     */
    public function storeUser($name, $email, $password) {
        $uuid = uniqid('', true);
        $hash = $this->hashSSHA($password);
        $encrypted_password = $hash["encrypted"]; // salted hash (the tutorial calls it "encrypted")
        $salt = $hash["salt"]; // salt, stored next to the hash so it can be reused at login

        $stmt = $this->conn->prepare("INSERT INTO users(unique_id, name, email, encrypted_password, salt, created_at) VALUES(?, ?, ?, ?, ?, NOW())");
        $stmt->bind_param("sssss", $uuid, $name, $email, $encrypted_password, $salt);
        $result = $stmt->execute();
        $stmt->close();

        // check for successful store
        if ($result) {
            $stmt = $this->conn->prepare("SELECT * FROM users WHERE email = ?");
            $stmt->bind_param("s", $email);
            $stmt->execute();
            $user = $stmt->get_result()->fetch_assoc();
            $stmt->close();

            return $user;
        } else {
            return false;
        }
    }

    /**
     * Get user by email and password
     * returns the user row on success, NULL otherwise
     */
    public function getUserByEmailAndPassword($email, $password) {

        $stmt = $this->conn->prepare("SELECT * FROM users WHERE email = ?");

        $stmt->bind_param("s", $email);

        if ($stmt->execute()) {
            $user = $stmt->get_result()->fetch_assoc();
            $stmt->close();

            // unknown email: fetch_assoc() returned NULL, so there is no salt to read
            if ($user === NULL) {
                return NULL;
            }

            // verifying user password: recompute the hash with the stored salt
            $salt = $user['salt'];
            $encrypted_password = $user['encrypted_password'];
            $hash = $this->checkhashSSHA($salt, $password);
            // constant-time comparison instead of == (avoids a timing side channel)
            if (hash_equals($encrypted_password, $hash)) {
                // user authentication details are correct
                return $user;
            }
            return NULL;
        } else {
            return NULL;
        }
    }

    /**
     * Check user is existed or not
     */
    public function isUserExisted($email) {
        $stmt = $this->conn->prepare("SELECT email from users WHERE email = ?");

        $stmt->bind_param("s", $email);

        $stmt->execute();

        $stmt->store_result();

        if ($stmt->num_rows > 0) {
            // user existed
            $stmt->close();
            return true;
        } else {
            // user not existed
            $stmt->close();
            return false;
        }
    }

    /**
     * Encrypting password
     * (actually a salted SHA-1 hash, not encryption)
     * @param password
     * returns salt and encrypted password
     */
    public function hashSSHA($password) {

        // 10-character hex salt. The tutorial used substr(sha1(rand()), 0, 10);
        // rand() is not a cryptographic source, so random_bytes() (PHP 7+) is used here.
        $salt = bin2hex(random_bytes(5));
        // hash = base64( sha1(password . salt) || salt ); note the password-first order
        $encrypted = base64_encode(sha1($password . $salt, true) . $salt);
        $hash = array("salt" => $salt, "encrypted" => $encrypted);
        return $hash;
    }

    /**
     * Decrypting password
     * (nothing is decrypted: the hash is recomputed with the stored salt)
     * @param salt, password
     * returns hash string
     */
    public function checkhashSSHA($salt, $password) {

        $hash = base64_encode(sha1($password . $salt, true) . $salt);

        return $hash;
    }
}



Code I want to modify to fit the tutorial's explanation:

PHP
<?php
// Fragment of the target system's login check: the `else` branch of a surrounding
// `if` that is not shown here, wrapped in a function so that it can run on its own.
// $row is the user's record from gibbonPerson, $connection2 a PDO connection, and
// getSalt() is defined elsewhere in that code base.
function checkPassword(array $row, $password, $username, PDO $connection2) {
    $passwordTest = false;
    //If strong password exists
    $salt = $row["passwordStrongSalt"];
    $passwordStrong = $row["passwordStrong"];
    if ($passwordStrong != "" AND $salt != "") {
        // salt first, then password; constant-time comparison instead of ==
        if (hash_equals($row["passwordStrong"], hash("sha256", $row["passwordStrongSalt"] . $password))) {
            $passwordTest = true;
        }
    }
    //If only weak password exists
    else if ($row["password"] != "") {
        if (hash_equals($row["password"], md5($password))) {
            $passwordTest = true;

            //Migrate to strong password
            $salt = getSalt();
            $passwordStrong = hash("sha256", $salt . $password);

            try {
                $dataSecure = array("passwordStrong" => $passwordStrong, "passwordStrongSalt" => $salt, "username" => $username);
                $sqlSecure = "UPDATE gibbonPerson SET password='', passwordStrong=:passwordStrong, passwordStrongSalt=:passwordStrongSalt WHERE (username=:username)";
                $resultSecure = $connection2->prepare($sqlSecure);
                $resultSecure->execute($dataSecure);
            }
            catch (PDOException $e) {
                $passwordTest = false;
            }
        }
    }
    return $passwordTest;
}

What I have tried:

Replacing the hash statement, but the API is not working. Is there a better way?
Comments
Richard MacCutchan 20-Apr-16 8:18am    
How is this anything to do with Android? All I can see is PHP code.
Member 12472742 20-Apr-16 8:46am    
That PHP code is what the android app will be using to request information from the server.
Richard MacCutchan 20-Apr-16 8:49am    
You need to edit your question and explain your problem better.
Member 12472742 20-Apr-16 8:57am    
Ok, the codes that were given use a different password hashing than the one I want to use. So the second part of the codes have the hashing that I need to modify the first one.
Richard MacCutchan 20-Apr-16 9:46am    
The initial code does not make proper sense. It has two sections to generate the hash, one titled Encrypting password, and one titled Decrypting password. Passwords should never use encryption, only hashing. And you only need one method which takes the raw text and the salt value and returns the hash. That hash value is what should get stored in the database, along with the salt. Alaric Dailey has written an excellent article that explains it clearly: http://www.codeproject.com/Articles/54164/Secure-Password-Authentication-Explained-Simply.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)