devilsvein Posted November 25, 2012

Hi guys, I've been having some issues with authenticating a person who logs into my website. I'm using crypt to hash the password from when they register, with no salt defined. The code I've used on my login page is this:

    if( $page_mode == 'Login' )
    {
        require "globe.php";

        //simple post from below
        $username = htmlentities(trim($_POST['username']));
        $username = mysqli_real_escape_string($mysqli, $username);
        $password = trim($_POST['password']);

        // look up the account row for this username
        $query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
        $row = mysqli_fetch_assoc($query);
        $numrows = mysqli_num_rows($query);
        $dbuser = $row['Username'];
        $dbpass = $row['Password'];

        // hash the submitted password, passing the stored hash as the salt
        $hashed_password = crypt($password, $dbpass);

        if( ($username == '') || ($password == '') ) {
            $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
        }
        else if ($numrows == 1)
        {
            if ($dbuser == $username)
            {
                if ($hashed_password == $password)
                {
                    $error_string .= '<font color=red>Details checked out</font>';
                }
                else
                {
                    $error_string .= '<font color=red>No username can be found! (1)</font>';
                }
            }
        }
        else {
            $error_string .= '<font color=red>No username can be found! (2)</font>';
        }
    }

Everything is fine until it gets to the if statement where it checks the hashed password against the user-inputted password ($password). It always seems to fail. I've been at this for days now and it's really starting to annoy me. Would be so grateful if someone could suggest a solution.

Link to comment: https://forums.phpfreaks.com/topic/271162-some-login-validation-issues-with-crypt/

Pikachu2000 Posted November 25, 2012

If you didn't use a salt when you stored the password, why are you using one when you compare it to the value in the DB?

devilsvein (Author) Posted November 25, 2012

Made a change on my original script: instead of

    if ($password == $hashed_password)

I used

    if ($hashed_password == $dbpass)

@pikachu well, the password in the database is being hashed up, I believe. It's not the same password that was inputted. In my register page, when the table updates, the user password goes through crypt($password);

So how would I fix this in login then? Because I can't just do

    if ($password == $dbpass)

One's hashed, the other's not.

MDCode Posted November 25, 2012

Why not hash both?

devilsvein (Author) Posted November 25, 2012

How? I thought I did so with

    $hashed_password = crypt($password, $dbpass);

Sorry for this issue, like first month into PHP.

Pikachu2000 Posted November 25, 2012

You need to use the exact same hashing method on the value from the login form that you used when the user registered in order to be able to compare the values.

devilsvein (Author) Posted November 25, 2012

The code from register is

    $hashed_password = crypt('pass1');

So for login, instead of it being...

    $hashed_password = crypt($password, $dbpass);

it should be

    $hashed_password = crypt($password);

PFMaBiSmAd Posted November 26, 2012

The following should have worked -

    if ($hashed_password == $dbpass)

If not, slow down and troubleshoot what your code and data are doing. Echo both of those values. Are they completely different? Are they different lengths (i.e. $dbpass being shorter because your database table column isn't long enough to hold the value)?

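The comparisons discussed in this thread, side by side, as an added example that is not code from any of the posts: crypt() is given the stored hash as its salt argument and the result is compared with the stored hash, next to the variants that do not match. The function names, the sample password and the 32-character column width are assumptions, and an explicit bcrypt salt is used at registration because PHP 8 no longer accepts crypt() without a salt argument.

```php
<?php
// Added example. Function names, the sample password and the
// 32-character column width are constructed for illustration.

// Registration: bcrypt through crypt() with an explicit random salt.
function register_hash(string $password): string
{
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, '$2y$10$' . $salt);
}

// Login: the stored hash is passed as the salt argument, so crypt() reuses
// the algorithm, cost and salt embedded in it. The result is compared with
// the stored hash (never with the typed password) in constant time.
function verify_login(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

$typed  = 'pass1';
$stored = register_hash($typed);   // value written at registration
$rehash = crypt($typed, $stored);  // value computed at login

$checks = [
    // Comparison from the first post: hash against the typed password.
    'hash == typed password' => $rehash == $typed,
    // Comparison from the later posts: hash against the stored hash.
    'hash == stored hash'    => verify_login($typed, $stored),
    'wrong password'         => verify_login('pass2', $stored),
    // Hashing again without the stored hash picks a new random salt.
    'fresh salt at login'    => hash_equals($stored, register_hash($typed)),
    // Stored value cut off by a column that is too short (assumed 32 chars).
    'truncated column'       => verify_login($typed, substr($stored, 0, 32)),
];

foreach ($checks as $label => $ok) {
    printf("%-24s %s\n", $label, $ok ? 'match' : 'no match');
}
printf("stored length %d, truncated length %d\n",
    strlen($stored), strlen(substr($stored, 0, 32)));
```

On PHP 5.5 and later, password_hash() and password_verify() wrap this same scheme and also accept hashes produced by crypt().
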
This topic is now archived and is closed to further replies.