Search the Community

Hi, Im creating a simple site in PHP, for the most part its going well, however I struggling with an error that I have encountered. Im generating a random salt upon registering a user. This works fine, However when logging in with this user I am struggling and receive an error. Can somebody please explain where I am going wrong? I have attatched some images to this post which includes coding and the error message. NOTE: signup works fine, it is just the log-in which is broken. I have however included screenshots of both pages for better understanding of how the site works. Signup: http://picpaste.com/pics/SignUp-gZnFffux.1416827271.PNG Log-in: http://picpaste.com/pics/log-in-gB895EyW.1416827394.PNG Error Message: http://picpaste.com/pics/error-pic-JwV9iLp8.1416827510.PNG Kind Regards, Shaun

I'll start by apologizing for the stupid decision that led to this question. A few years ago, I created a PHP/Myysql site with a login system and I created a field in the MySQL called "password" and it stored literally the exact password people entered (I know, I know). The site has proven to have nice traffic potential, so I am going to re-vamp everything, including storing passwords properly (i.e. hashed). My first question... Is there a way to convert regular text passwords to hashed passwords? For example, I could create a new field in the "User" table for "hashedpassword" and write a script that takes all the insecure passwords and turns them into hashed passwords. Then deleted the previous "bad" password field from the database. This would allow me to do it without the customer every knowing anything changed. Quick googling appears to support that it IS doable rather easily, with something like... UPDATE mytable SET password = MD5(password) If not, I guess I would have to create a thing where the first time omeone logged in after I put hashing in place, the site would force them to change their password. I'd rather not annoy the visitors if it all possible. Second question, what is the proper/recommended hashing method to use? Some people seem to poo-poo MD5. If you agree, should I use: MD5 SHA MD5 with a salt SHA with a salt Something else i never heard of NOTE: My site is a fantasy sports site, so the data involved is not overly important. Maybe a salt is overkill? Or is being overly safe never a bad thing? Lastly, don't need to address this, but if anyone can explain it like I'm 5 that would be great because i must be missing something... if you can easily turn a regular password into a hashed password, couldn't hackers easily do the reverse, which would render the hashing almost useless? I get that salting helps, but before salting (i.e. doing ONLY MD5), I don't see how hashing helped that much (if you could reverese figure out the password). What am I missing? Thanks! Greg

Hi, I've got some issues with my salting when I register... basically everything works fine apart from the salting and I can't get my head around it? Here's my php register function: public function register() { $correct = false; try { $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD ); $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION ); $sql = "INSERT INTO list_members(username, email, password) VALUES(:username, :email, :password)"; $stmt = $con->prepare( $sql ); $stmt->bindValue( "username", $this->username, PDO::PARAM_STR ); $stmt->bindValue( "email", $this->email, PDO::PARAM_STR ); $stmt->bindValue( "password", hash("sha256", $this->password . $this->salt), PDO::PARAM_STR ); $stmt->execute(); return header('Location: index.html'); }catch( PDOException $e ) { return $e->getMessage(); } } And then I have my public variables displayed like this: public $username = null; public $email = null; public $password = null; public $salt = "Zo4rU5Z1YyKJAASY0PT6EUg7BBYdlEhPaNLuxAwU8lqu1ElzHv0Ri7EM6irpx5w"; Help would be much appreciated.

I'm trying to formulate this simple registration.. http://tinsology.net/2009/06/creating-a-secure-login-system-the-right-way/ I have db connected but no inserts. I think the fault is in the hash and salt function. Im not sure where to to put the line '$hash = hash('sha256', $pass1);' (currently in register.php) and I have the salt function in includes/functions.php. Scroll to bottom.. table is members.. and I have sha512.js is in js/sha512.js Any help suggestions appreciated.. register.php <?php include 'includes/db_connect.php'; include 'includes/functions.php'; $username = $_POST['username']; $pass1 = $_POST['pass1']; $pass2 = $_POST['pass2']; if($pass1 != $pass2) header('Location: register_form.php'); if(strlen($username) > 30) header('Location: register_form.php'); } $hash = hash('sha256', $pass1); $username = mysql_real_escape_string($username); $query = "INSERT INTO members ( username, password, salt ) VALUES ( '$username' , '$hash' , '$salt' );"; mysql_query($query); mysql_close(); ?> functions <?php function sec_session_start() { $session_name = 'sec_session_id'; // Set a custom session name $secure = true; // Set to true if using https. $httponly = true; // This stops javascript being able to access the session id. ini_set('session.use_only_cookies', 1); // Forces sessions to only use cookies. $cookieParams = session_get_cookie_params(); // Gets current cookies params. session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly); session_name($session_name); // Sets the session name to the one set above. session_start(); // Start the php session session_regenerate_id(true); // regenerated the session, delete the old one. } function login($email, $password, $mysqli) { // Using prepared Statements means that SQL injection is not possible. if ($stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE email = ? LIMIT 1")) { $stmt->bind_param('s', $email); // Bind "$email" to parameter. $stmt->execute(); // Execute the prepared query. $stmt->store_result(); $stmt->bind_result($user_id, $username, $db_password, $salt); // get variables from result. $stmt->fetch(); $password = hash('sha512', $password.$salt); // hash the password with the unique salt. if($stmt->num_rows == 1) { // If the user exists // We check if the account is locked from too many login attempts if(checkbrute($user_id, $mysqli) == true) { // Account is locked // Send an email to user saying their account is locked return false; } else { if($db_password == $password) { // Check if the password in the database matches the password the user submitted. // Password is correct! $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user. $user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value $_SESSION['user_id'] = $user_id; $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); // XSS protection as we might print this value $_SESSION['username'] = $username; $_SESSION['login_string'] = hash('sha512', $password.$user_browser); // Login successful. return true; } else { // Password is not correct // We record this attempt in the database $now = time(); $mysqli->query("INSERT INTO login_attempts (user_id, time) VALUES ('$user_id', '$now')"); return false; } } } else { // No user exists. return false; } } } function login_check($mysqli) { // Check if all session variables are set if(isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) { $user_id = $_SESSION['user_id']; $login_string = $_SESSION['login_string']; $username = $_SESSION['username']; $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user. if ($stmt = $mysqli->prepare("SELECT password FROM members WHERE id = ? LIMIT 1")) { $stmt->bind_param('i', $user_id); // Bind "$user_id" to parameter. $stmt->execute(); // Execute the prepared query. $stmt->store_result(); if($stmt->num_rows == 1) { // If the user exists $stmt->bind_result($password); // get variables from result. $stmt->fetch(); $login_check = hash('sha512', $password.$user_browser); if($login_check == $login_string) { // Logged In!!!! return true; } else { // Not logged in return false; } } else { // Not logged in return false; } } else { // Not logged in return false; } } else { // Not logged in return false; } } function checkbrute($user_id, $mysqli) { // Get timestamp of current time $now = time(); // All login attempts are counted from the past 2 hours. $valid_attempts = $now - (2 * 60 * 60); if ($stmt = $mysqli->prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time > '$valid_attempts'")) { $stmt->bind_param('i', $user_id); // Execute the prepared query. $stmt->execute(); $stmt->store_result(); // If there has been more than 5 failed logins if($stmt->num_rows > 5) { return true; } else { return false; } } } //creates a 3 character sequence function createSalt() { $string = md5(uniqid(rand(), true)); return substr($string, 0, 3); } $salt = createSalt(); $hash = hash('sha256', $salt . $hash); ?>

Hi, recently I've created a login form and I've used the salt method (which I've not really used before) and everything is working great apart from the login. Basically what happens is I can login with any password. So if my password was 'hello1234' and I put 'fndsjnmfosd' it would state that as correct; try it yourself at www.harvy.info Sign up and then try to login, you'll see that you can enter any password and it'll see that as correct. Thanks. Login proccess (What happens when you try to login) <?php include 'dbConfig.php'; include 'functions.php'; sec_session_start(); if(isset($_POST['email'], $_POST['p'])) { $email = $_POST['email']; $password = $_POST['p']; if(login($email, $password, $mysqli) == true) { header('Location: member.php?id='); } else { header('Location: login.php?error=1'); } } else { echo 'Invalid Request'; } ?>

I know this is a really basic question, but I'm still a real php noob. I want to move $salt to the config.php file, but I'm not sure how to call the variable correctly so the page can use it. I tried this: require_once('config.php); $salt = loadSaltFromConfig(); I'm assuming that I need to declare loadSaltFromConfig somewhere, but I'm not quite sure what that would need to be.