
Login system password storage and verification


Hobbyist_PHPer


Hello Everyone...

 

So I've decided to upgrade the login system I use for my projects. It currently stores passwords as unsalted md5 hashes and builds the SQL query by string interpolation; I've also decided to move from the old mysql extension to mysqli (prepared statements).

 

I've spent the last few hours poring through forums and tutorials on the subject of proper password hashing (and encryption, which I now understand is a different thing), and honestly I am more confused than when I started searching...

 

So I was wondering if I could get some php experts from phpfreaks to give me advice on the method that they feel comfortable with using in their projects... and perhaps a tiny example :)

 

Here's what I had been using...

 

    $Uname = clean($_POST['Username']);
    $Pword = clean($_POST['Password']);
    $Username = strtolower($Uname);
    $Password = md5($Pword);
    
    $result = mysql_query("SELECT * FROM Agents WHERE AgentUsername = '$Username' AND AgentPassword = '$Password'") or die(mysql_error());
    $rowCounter = mysql_num_rows($result);
    if($rowCounter == 1) 
    {
        session_regenerate_id();
        $row = mysql_fetch_assoc($result);
        $_SESSION['AgentID'] = $row['AgentID'];


Thank you for pointing me to that, lots of great information...

 

I only have one question, upon successful login, I need some session variables loaded with their counterpart values from the database, and I don't really understand PHP OOP, I prefer procedural ... Could you help me out with this bit of code?

 

First I'll show you the code that I put together from what I learned from your tutorial...

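// Login handler (adapted from the Openwall phpass example). On POST with op=login,
// looks the agent up by username with a prepared statement, verifies the submitted
// password against the stored phpass hash, and on success loads the agent's row into
// the session before redirecting to index.php.
//
// Fixes versus the earlier draft: $hasher was never instantiated (fatal on
// ->CheckPassword), SELECT * was bound to a single result variable (bind_result
// fails on column-count mismatch, so every login "failed"), and $row was never
// assigned (the session values would all have been null). The columns the session
// needs are now selected explicitly and bound to named variables.
//
// Not handled here (out of scope for the thread, but worth adding): CSRF token on
// the form, rate limiting / lockout of repeated failures, and audit logging.
if (isset($_POST['op']))
{
    // Redirect to TLS before issuing a session cookie, so the cookie is never
    // sent over plain HTTP. Assumes ForceHTTPS() redirects-and-exits when not on
    // HTTPS (defined in functions.php) — confirm.
    ForceHTTPS();
    session_start();
    require_once '/home/*****/config.php';
    require_once '../includes/functions.php';
    require_once '../includes/PasswordHash.php';

    $db = new mysqli(DBHOST, DBUSER, DBPASS, DBNAME);
    if (mysqli_connect_errno())
            fail('MySQL connect', mysqli_connect_error());

    // Reject unknown operations before touching any input.
    $op = $_POST['op'];
    if ($op !== 'login')
            fail('Unknown request');

    $user = get_post_var('Username');
    /* Sanity-check the username, don't rely on our use of prepared statements
     * alone to prevent attacks on the SQL server via malicious usernames. */
    if (!preg_match('/^[a-zA-Z0-9_]{1,60}$/', $user))
            fail('Invalid username');

    $pass = get_post_var('Password');
    /* Don't let them spend more of our CPU time than we were willing to.
     * Besides, bcrypt happens to use the first 72 characters only anyway.
     * (strlen() is deliberately byte-wise here: bcrypt's limit is 72 bytes.) */
    if (strlen($pass) > 72)
            fail('The supplied password is too long');

    // Cost 8 (2^8 rounds), and FALSE = never fall back to the weaker portable
    // ($P$) hashes if bcrypt is unavailable. Must match how the hashes were made.
    $hasher = new PasswordHash(8, false);

    // Select exactly the columns the session needs, in a fixed order, so the
    // bind_result() call below lines up one variable per column.
    $hash = '*'; // In case the user is not found: no real hash starts with '*'
    $agentId = $licenseCode = $companyName = $agentName = $agentState = null;
    ($stmt = $db->prepare('SELECT AgentID, AgentLicenseCode, AgentCompanyName, AgentName, AgentState, AgentPassword FROM Agents WHERE AgentUsername=?'))
            || fail('MySQL prepare', $db->error);
    $stmt->bind_param('s', $user)
            || fail('MySQL bind_param', $db->error);
    $stmt->execute()
            || fail('MySQL execute', $db->error);
    $stmt->bind_result($agentId, $licenseCode, $companyName, $agentName, $agentState, $hash)
            || fail('MySQL bind_result', $db->error);
    // fetch() returns null for "no row" (leaves $hash = '*') and false on error.
    if (!$stmt->fetch() && $db->errno)
            fail('MySQL fetch', $db->error);
    $stmt->close();
    $db->close();

    // NOTE(review): when the username does not exist, CheckPassword() against '*'
    // returns almost instantly, so response time reveals which usernames are valid.
    // To close that oracle, verify against a fixed dummy bcrypt hash in that case.
    $ok = $hasher->CheckPassword($pass, $hash);
    // Drop the plaintext and the hasher as soon as the comparison is done.
    unset($hasher, $pass);

    if ($ok) {
        //Login Successful
        // true = delete the old session data too, so a fixated session id cannot
        // be reused after login.
        session_regenerate_id(true);
        $_SESSION['AgentID'] = $agentId;
        $_SESSION['AgentLicenseCode'] = $licenseCode;
        $_SESSION['AgentCompanyName'] = $companyName;
        $_SESSION['AgentName'] = $agentName;
        $_SESSION['AgentState'] = $agentState;
        session_write_close();
        header("location: index.php");
        exit();
    }

    //Login failed
    header("location: login.php?failed");
    exit();
}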

 

So you can probably see where I need the variables set, but I'll repeat that part here...

        // Success branch of the login handler (excerpt; $hasher, $pass and $hash are
        // set up earlier in the script).
        // NOTE(review): $row is never assigned anywhere in this script, so every
        // $_SESSION value below would be null. With mysqli prepared statements the
        // columns come back through bind_result(), not an associative row: select
        // AgentID, AgentLicenseCode, AgentCompanyName, AgentName, AgentState and
        // AgentPassword explicitly (instead of SELECT *), bind one variable per
        // column, and assign those variables here.
        if ($hasher->CheckPassword($pass, $hash)) {
            //Login Successful
            // Consider session_regenerate_id(true) so the pre-login session data is
            // discarded as well (session-fixation defence).
            session_regenerate_id();
            $_SESSION['AgentID'] = $row['AgentID'];
            $_SESSION['AgentLicenseCode'] = $row['AgentLicenseCode'];
            $_SESSION['AgentCompanyName'] = $row['AgentCompanyName'];
            $_SESSION['AgentName'] = $row['AgentName'];
            $_SESSION['AgentState'] = $row['AgentState'];
            session_write_close();
            header("location: index.php");
            exit();
        }
