Jump to content

PHP password encryption not matching info

R0xxy

By R0xxy
in PHP Coding Help

 Share
Go to solution Solved by Jacques1,

Recommended Posts

R0xxy Newbie

R0xxy

Posted
Posted

hi im testing out my site and basically when users register their passwords and encrypted for security obs however when i go to test the login with the exact same password as the one used to register the system detects it as invalid when its not, I've literally copy pasted the password so that i was sure it was the same therefore the issue is within the encryption does anyone have an idea how to overcome this I've tested changed names of variables but nothing seems to help I've even got an error reporting function but no error is detected

<?php
error_reporting(E_ALL);
include_once("conninfo2.php");

if(isset($_POST['username']) && trim($_POST['username']) != ""){
	$username = strip_tags($_POST['username']);
	$password = $_POST['password'];
	$hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt'));
	$stmt1 = $db->prepare("SELECT usersid, password FROM login WHERE username=:username AND activated='1' LIMIT 1");
	$stmt1->bindValue(':username',$username,PDO::PARAM_STR);
	try{
		$stmt1->execute();
		$count = $stmt1->rowCount();
		if($count > 0){
			while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){
				$uid = $row['usersid'];
				$hash = $row['password'];
			}
			if (crypt($hmac, $hash) === $hash) {
				$db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1");
				$_SESSION['uid'] = $uid;
				$_SESSION['username'] = $username;
				$_SESSION['password'] = $hash;
				setcookie("usersid", $uid, strtotime( '+30 days' ), "/", "", "", TRUE);
				setcookie("username", $username, strtotime( '+30 days' ), "/", "", "", TRUE);
    				setcookie("password", $hash, strtotime( '+30 days' ), "/", "", "", TRUE); 
				 echo 'Valid password<br />'.$_SESSION['uid'].'<br />'.$_SESSION['username'].'<br />'.$_SESSION['password'].'
				<br />'.$_COOKIE['usersid']; 
				/*header("location: index.php");*/
				exit();
			} else {
				echo 'Invalid password Press back and try again<br />';
				exit();
			}
		}
		else{
			echo "A user with that email address does not exist here";
			$db = null;
			exit();
		}
	}
	catch(PDOException $e){
		echo $e->getMessage();
		$db = null;
		exit();
	}
}
?>
Link to comment
Share on other sites
  • Solution
Jacques1 Prolific Member

Jacques1

Posted
  • Solution
Posted (edited)

Hi,

 

the code doesn't make much sense and is downright dangerous.

 

Why on earth do you store the password hash in a cookie? The password must be protected, not thrown around. Your HMAC is far too long for the bcrypt algorithm (which I hope you're using). There's no error checking whatsoever. If crypt() returns an error string, you happily accept that as a valid hash.

 

I strongly, strongly recommend that you keep away from home-made security and low-level functions like crypt(). This function in particular is a monster. I'm sure you've made plenty of mistakes when generating the original hash.

 

If you have PHP 5.5, use the new password hashing API. If you don't have PHP 5.5 but at least 5.3.7, use the password_compat library. Do not try to implement this on your own. Your chance of success is very, very low.

Edited by Jacques1
Link to comment
Share on other sites
R0xxy Newbie

R0xxy

Posted
  • Author
Posted (edited)

i understand were your coming from but were covering elements in class i just can't figure out why the user log gin in always receives an error message saying incorrect password when in fact it is correct I've run the queries within my db and i receive results so why is it that they can't login to the system?

<?php
include_once("conninfo2.php");

if(isset($_POST['email']) && trim($_POST['email']) != ""){
    $email = strip_tags($_POST['email']);
    $password = $_POST['password'];
    $hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt'));
    $stmt1 = $db->prepare("SELECT usersid, username, password FROM login WHERE email=:email AND activated='1' LIMIT 1");
    $stmt1->bindValue(':email',$email,PDO::PARAM_STR);
    try{
        $stmt1->execute();
        $count = $stmt1->rowCount();
        if($count > 0){
            while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){
                $uid = $row['usersid'];
                $username = $row['username'];
                $hash = $row['password'];
            }
            if (crypt($hmac, $hash) === $hash) {
                $db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1");
                $_SESSION['uid'] = $uid;
                $_SESSION['username'] = $username;
                $_SESSION['password'] = $hash;
                setcookie("usersid", $uid, strtotime( '+30 days' ), "/", "", "", TRUE);
                setcookie("username", $username, strtotime( '+30 days' ), "/", "", "", TRUE);
                    setcookie("password", $hash, strtotime( '+30 days' ), "/", "", "", TRUE);
                header("location: index.php");
                exit();
                }
                else
                {
                echo 'Invalid password Press back and try again<br />';
                exit();
            }
        }
        else
        {
            echo "A user with that email address does not exist here";
            $db = null;
            exit();
        }
    }
    catch(PDOException $e){
        echo $e->getMessage();
        $db = null;
        exit();
    }
}            
?>
Edited by mac_gyver
Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted

I just told you that the whole password code is broken.

 

You have two options now: You can keep messing with the broken code and waste some more days in the hopes to somehow get it working – this may or may not happen. Or you can simply replace all the bad stuff with a single function call which will work.

 

It's up to you.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.