Hobbyist_PHPer Posted September 15, 2012

Hello Everyone... So I've decided to upgrade my current login system that I use for my projects... It uses md5 only... I've also decided to start using mysqli instead of mysql... I've spent the last few hours poring through forums and tutorials on the subject of proper hashing and encryption, and honestly am more confused than when I started searching... So I was wondering if I could get some PHP experts from phpfreaks to give me advice on the method that they feel comfortable with using in their projects... and perhaps a tiny example.

Here's what I had been using...

```php
// The poster's original login code: unsalted md5 and string-interpolated SQL
// through the old mysql_* extension. clean() is the poster's own input-filtering
// helper and is not shown on the page.
$Uname = clean($_POST['Username']);
$Pword = clean($_POST['Password']);
$Username = strtolower($Uname);
$Password = md5($Pword);
$result = mysql_query("SELECT * FROM Agents WHERE AgentUsername = '$Username' AND AgentPassword = '$Password'") or die(mysql_error());
$rowCounter = mysql_num_rows($result);
if ($rowCounter == 1) {
    session_regenerate_id();
    $row = mysql_fetch_assoc($result);
    $_SESSION['AgentID'] = $row['AgentID'];
}
```

https://forums.phpfreaks.com/topic/268414-login-system-password-storage-and-verification/
xyph Posted September 15, 2012

Read the article in my signature; if you have any questions about it, ask here. It pretty much covers everything you need to know, and more.
Hobbyist_PHPer Posted September 16, 2012 (Author)

Thank you for pointing me to that, lots of great information... I only have one question: upon successful login, I need some session variables loaded with their counterpart values from the database, and I don't really understand PHP OOP, I prefer procedural... Could you help me out with this bit of code? First I'll show you the code that I put together from what I learned from your tutorial...

```php
<?php
// Login handler assembled from the phpass tutorial. ForceHTTPS(), fail() and
// get_post_var() come from the poster's includes/functions.php; PasswordHash
// is the Openwall phpass class from includes/PasswordHash.php.
if (isset($_POST['op'])) {
    session_start();
    require_once '/home/*****/config.php';
    require_once '../includes/functions.php';
    require_once '../includes/PasswordHash.php';
    ForceHTTPS();

    $db = new mysqli(DBHOST, DBUSER, DBPASS, DBNAME);
    if (mysqli_connect_errno()) fail('MySQL connect', mysqli_connect_error());

    // The posted code used $hasher without creating it; phpass needs this
    // (cost 2^8 iterations, portable hashes off so bcrypt is used).
    $hasher = new PasswordHash(8, FALSE);

    $user = get_post_var('Username');
    /* Sanity-check the username, don't rely on our use of prepared statements
     * alone to prevent attacks on the SQL server via malicious usernames. */
    if (!preg_match('/^[a-zA-Z0-9_]{1,60}$/', $user)) fail('Invalid username');

    $pass = get_post_var('Password');
    /* Don't let them spend more of our CPU time than we were willing to.
     * Besides, bcrypt happens to use the first 72 characters only anyway. */
    if (strlen($pass) > 72) fail('The supplied password is too long');

    $op = $_POST['op'];
    if ($op !== 'login') fail('Unknown request');

    if ($op === 'login') {
        $hash = '*'; // In case the user is not found
        ($stmt = $db->prepare('SELECT * FROM Agents WHERE AgentUsername=?'))
            || fail('MySQL prepare', $db->error);
        $stmt->bind_param('s', $user) || fail('MySQL bind_param', $db->error);
        $stmt->execute() || fail('MySQL execute', $db->error);
        // bind_result() needs exactly one variable per selected column, so
        // SELECT * with only $hash bound does not work as written.
        $stmt->bind_result($hash) || fail('MySQL bind_result', $db->error);
        if (!$stmt->fetch() && $db->errno) fail('MySQL fetch', $db->error);

        if ($hasher->CheckPassword($pass, $hash)) {
            // Login successful
            session_regenerate_id();
            // $row is never populated above; this is the part the post asks about.
            $_SESSION['AgentID'] = $row['AgentID'];
            $_SESSION['AgentLicenseCode'] = $row['AgentLicenseCode'];
            $_SESSION['AgentCompanyName'] = $row['AgentCompanyName'];
            $_SESSION['AgentName'] = $row['AgentName'];
            $_SESSION['AgentState'] = $row['AgentState'];
            session_write_close();
            header("location: index.php");
            exit();
        } else {
            // Login failed
            header("location: login.php?failed");
            exit();
        }
        unset($hasher);
        $stmt->close();
    }
    $db->close();
}
```

So you can probably see where I need the variables set, but I'll repeat that part here...

```php
if ($hasher->CheckPassword($pass, $hash)) {
    // Login successful
    session_regenerate_id();
    $_SESSION['AgentID'] = $row['AgentID'];
    $_SESSION['AgentLicenseCode'] = $row['AgentLicenseCode'];
    $_SESSION['AgentCompanyName'] = $row['AgentCompanyName'];
    $_SESSION['AgentName'] = $row['AgentName'];
    $_SESSION['AgentState'] = $row['AgentState'];
    session_write_close();
    header("location: index.php");
    exit();
}
```
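Both posts come down to the same two things: store a bcrypt hash instead of md5, and select the columns you need by name so that bind_result() can hand them back one variable per column (which is also what makes the session variables in the second post available). The following is an added example written for this page; it is not the poster's code and not the phpass tutorial's. It assumes PHP 7.1 or later, a MySQL table Agents with the columns named in the thread plus AgentPassword holding a bcrypt hash, and a config file defining DBHOST, DBUSER, DBPASS and DBNAME. It uses PHP's built-in password_hash()/password_verify() in place of phpass's HashPassword()/CheckPassword(); both produce and check bcrypt hashes, so a non-portable ($2a$) phpass hash verifies with password_verify() as well. The function and constant names are this example's own.

```php
<?php
// Added example for this thread (not the poster's or phpass's code).
// Assumptions: PHP >= 7.1; table Agents(AgentID, AgentUsername, AgentPassword,
// AgentLicenseCode, AgentCompanyName, AgentName, AgentState) with AgentPassword
// holding a bcrypt hash; DBHOST/DBUSER/DBPASS/DBNAME defined in config.php.

const AGENT_PASSWORD_COST = 12;   // bcrypt work factor; raise it as hardware allows

// Hash of an unguessable value, used when the username does not exist so that
// the failure path still runs one bcrypt check. That keeps "no such user" and
// "wrong password" close in timing and stops the form from leaking usernames.
// Computed here so the example is self-contained; in production store it once.
$DUMMY_HASH = password_hash(bin2hex(random_bytes(32)), PASSWORD_BCRYPT,
                            ['cost' => AGENT_PASSWORD_COST]);

// Store a password: call on registration and password change. This is what
// replaces the old md5($Pword) column value with a salted bcrypt hash.
function agent_set_password(mysqli $db, int $agentId, string $password): void
{
    if (strlen($password) > 72) {                       // bcrypt reads 72 bytes at most
        throw new InvalidArgumentException('password too long');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => AGENT_PASSWORD_COST]);
    $stmt = $db->prepare('UPDATE Agents SET AgentPassword = ? WHERE AgentID = ?');
    if (!$stmt) throw new RuntimeException('prepare: ' . $db->error);
    $stmt->bind_param('si', $hash, $agentId);
    if (!$stmt->execute()) throw new RuntimeException('execute: ' . $stmt->error);
    $stmt->close();
}

// Fetch the columns the session needs, or null for an unknown username.
// Naming the columns (instead of SELECT *) is what makes bind_result() work:
// it wants exactly one variable per selected column, in order.
function agent_fetch(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT AgentID, AgentPassword, AgentLicenseCode, AgentCompanyName, AgentName, AgentState
           FROM Agents WHERE AgentUsername = ?');
    if (!$stmt) throw new RuntimeException('prepare: ' . $db->error);
    $stmt->bind_param('s', $username);
    if (!$stmt->execute()) throw new RuntimeException('execute: ' . $stmt->error);
    $stmt->bind_result($id, $hash, $license, $company, $name, $state);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) return null;
    return ['AgentID' => $id, 'AgentPassword' => $hash, 'AgentLicenseCode' => $license,
            'AgentCompanyName' => $company, 'AgentName' => $name, 'AgentState' => $state];
}

// Verify a login. On success: regenerate the session id, load the session
// variables the thread asks about, return true. On failure: return false
// without saying whether the username or the password was wrong.
function agent_login(mysqli $db, string $username, string $password, string $dummyHash): bool
{
    // Same input rules as the posted code: a safe username character set and
    // no passwords longer than bcrypt will read.
    if (!preg_match('/^[a-zA-Z0-9_]{1,60}$/', $username) || strlen($password) > 72) {
        return false;
    }
    $agent = agent_fetch($db, strtolower($username));
    $hash  = $agent ? $agent['AgentPassword'] : $dummyHash;

    // Always run the bcrypt check, even for unknown users (see $DUMMY_HASH).
    if (!password_verify($password, $hash) || $agent === null) {
        return false;
    }
    // Hashes made with a lower cost are upgraded on the next successful login.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => AGENT_PASSWORD_COST])) {
        agent_set_password($db, $agent['AgentID'], $password);
    }

    session_regenerate_id(true);   // new id, old one deleted: defeats session fixation
    $_SESSION['AgentID']          = $agent['AgentID'];
    $_SESSION['AgentLicenseCode'] = $agent['AgentLicenseCode'];
    $_SESSION['AgentCompanyName'] = $agent['AgentCompanyName'];
    $_SESSION['AgentName']        = $agent['AgentName'];
    $_SESSION['AgentState']       = $agent['AgentState'];
    return true;
}

// Usage from a procedural login.php (no classes beyond mysqli itself).
if (isset($_POST['op']) && $_POST['op'] === 'login') {
    session_start();
    require_once __DIR__ . '/config.php';        // assumption: defines the DB* constants
    $db = new mysqli(DBHOST, DBUSER, DBPASS, DBNAME);
    if ($db->connect_errno) { http_response_code(500); exit('database unavailable'); }

    $ok = agent_login($db, $_POST['Username'] ?? '', $_POST['Password'] ?? '', $DUMMY_HASH);
    $db->close();
    session_write_close();
    header('Location: ' . ($ok ? 'index.php' : 'login.php?failed'));
    exit();
}
```

Migrating the existing md5 column: an md5 hex string fails password_verify(), so current agents need either a one-time password reset or a short-lived dual check (if password_verify() fails and the stored value equals md5($password), accept once and call agent_set_password() to replace it). Whichever verifier you keep, phpass's CheckPassword() or password_verify(), use it everywhere; both compare against bcrypt hashes in the same column format.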