password does not work it always recognises it as inccorrect even tho its correct

[h1234]

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
$username=$_POST['username'];
$password=$_POST['password'];

$username=mysqli_real_escape_string($dbc,$username);

$query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

$result=mysqli_query($dbc,$query);

if(mysqli_num_rows($result)==0)//user not found redirect to home page 
{ 
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
   echo 'your username  and or password is incorrect<br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';
	 
   //header('Location:index.php');
   exit();

}

$userdata=mysqli_fetch_array($result,MYSQL_ASSOC);
$hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

if($hash != $userdata['password'])// incorrect password.redirect to login form again
{
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
    echo 'password or username combination is incorrect <br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';


   //header('Location:index.php');
   exit();

} 



else{ // redirect to homepage after successfull login
	     echo 'you are logged in';
	     //header('Location:head.php');


}






}//close first if







echo var_dump($dbc);




 
















?>

i think problem could be with the query but i am not sure any ideas ? :/ thanks

[h1234]

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
$username=$_POST['username'];
$password=$_POST['password'];

$username=mysqli_real_escape_string($dbc,$username);

$query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

$result=mysqli_query($dbc,$query);

if(mysqli_num_rows($result)==0)//user not found redirect to home page 
{ 
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
   echo 'your username  and or password is incorrect<br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';
	 
   //header('Location:index.php');
   exit();

}

$userdata=mysqli_fetch_array($result,MYSQL_ASSOC);
$hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

if($hash != $userdata['password'])// incorrect password.redirect to login form again
{
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
    echo 'password or username combination is incorrect <br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';


   //header('Location:index.php');
   exit();

} 



else{ // redirect to homepage after successfull login
	     echo 'you are logged in';
	     //header('Location:head.php');


}






}//close first if







echo var_dump($dbc);




 
















?>

i think problem could be with the query but i am not sure any ideas ? :/ thanks

 

in the database the password is char(128) and the salt is char(128) as well. 

[Barand]

$hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

Is that exactly the same method that you use when you originally encrypt the user's password for storing in the table?

[h1234]

$hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

Is that exactly the same method that you use when you originally encrypt the user's password for storing in the table?

 

i used this method in the signup for the password

function createSalt()
{
    $text = md5(uniqid(rand(), true));
    return substr($text, 0, 3);
}
 // end salt function
$salt = createSalt();
$hash='hash';
$password = hash('sha256', $salt . $hash);

//sanatize data

$username = mysqli_real_escape_string($dbc, $username);
$name = mysqli_real_escape_string($dbc, $surname);
$surname = mysqli_real_escape_string($dbc, $surname);
$email = mysqli_real_escape_string($dbc, $email);

$query ="INSERT INTO `users`( username , name , surname , password, email ,salt) 
VALUES ('$username' , '$password' , '$email' , '$name' ,'$surname' , '$salt') ";

mysqli_query($dbc,$query);
mysqli_close($dbc);

[mac_gyver]

you need to stop creating new threads for the same problem.

 

did you look at what your registration code is doing or at what data it is inserting when you were testing this?

 

your fields and data are mixed up. you are putting the wrong values into the name , surname , password, and email fields, so of course when you try to use the password value to authenticate the user, it's never to going work because it's actually the $name.

[Barand]

and you expect

hash('sha256', $userdata['salt'] . hash('sha256',$password))

to be equal to

hash('sha256', $salt . 'hash');

 

The password you encrypt and store is always 'hash'

[jazzman1]

In addition what mac and Barand said when you are using a sha256 algorithm you should also know of what length field you'll need to store this hashing string in the database. 

[h1234]

In addition what mac and Barand said when you are using a sha256 algorithm you should also know of what length field you'll need to store this hashing string in the database. 

 i changed it but still same issues 

 

this is my register.php 

<?php include("config/connect.php");?>





<?php



if(isset($_POST['submit'])){
$username = $_POST['username'];
$name = $_POST['name'];
$surname = $_POST['surname'];
$email = $_POST['email'];
$password = $_POST['password'];
$password_again = $_POST['password_again'];




if($password !== $password_again){
echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt=""> <br/>';
	echo "Your passwords do not match <br/>";
	echo '<a href="index.php">Back to Sign up <br/> </a>';

	exit();
}

if(strlen($username) > 30){
    echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt=""> <br/>';
    echo "Your username is too long <br/>";
	echo '<a href="index.php">Back to Sign up  </a>';

exit();

} if(empty($username) OR empty($name) OR empty($surname) OR empty($email)){

	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt=""> <br/>';
     echo "all the fields marked with * are required<br/>";
	echo '<a href="index.php">Back to Sign up <br/> </a>';
   exit();
}  

$hash=hash('sha256',$password);  

//user exists functions start

function user_exists($username){

	GLOBAL $dbc;

$username = mysqli_real_escape_string($dbc, $username);

$check=mysqli_query($dbc,"SELECT COUNT(`user_id` )FROM `users` WHERE `username` = '$username'");

$qry=mysqli_fetch_array($check);

return ($qry[0]==1)?true:false;


}



//user exists funtion ends


if(user_exists($username)===true){
echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
echo ' this username exists <br/>';
echo '<a href="index.php">Back to Sign up <br/> </a>';
exit();

}  



else { 









  // funtion for salts
 function createSalt()
{
    $text = md5(uniqid(rand(), true));
    return substr($text, 0, 3);
}
 // end salt function
$salt = createSalt();
$password = hash('sha256', $salt . $hash);

//sanatize data

$username = mysqli_real_escape_string($dbc, $username);
$name = mysqli_real_escape_string($dbc, $name);
$surname = mysqli_real_escape_string($dbc, $surname);
$email = mysqli_real_escape_string($dbc, $email);

$query ="INSERT INTO `users`(user_id, username , password , name , surname, email ,salt) 
VALUES ('$user_id','$username' , '$password' , '$name' , '$surname' ,'$email' , '$salt') ";

mysqli_query($dbc,$query);
mysqli_close($dbc);










header('LOCATION:index.php');
exit();


}
} else {
echo "Sorry, registration did not work , try again <br/>";
echo '<a href="index.php">Back to Sign up <br/> </a>';
exit();
}



?>

this is the login.php

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
$username=$_POST['username'];
$password=$_POST['password'];

$username=mysqli_real_escape_string($dbc,$username);

$query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

$result=mysqli_query($dbc,$query);

if(mysqli_num_rows($result)==0)//user not found redirect to home page 
{ 
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
   echo 'your username  and or password is incorrect<br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';
	 
   //header('Location:index.php');
   exit();

}

$userdata=mysqli_fetch_array($result,MYSQL_ASSOC);
$hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

if($hash != $userdata['password'])// incorrect password.redirect to login form again
{
	echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
    echo 'password or username combination is incorrect <br/>';
   echo '<a href="index.php">Back to Sign up <br/> </a>';


   //header('Location:index.php');
   exit();

} 



else{ // redirect to homepage after successfull login
	     echo 'you are logged in';
	     //header('Location:world.php');



}







}//close first if




echo var_dump(__FILE__, __LINE__, $_REQUEST);


//echo var_dump($dbc);





 
















?>

any ideas it still says incorrect password , does this code look ok?

[Barand]

You were told the answer in #6 above.

 

Regardless of what password the user posted, you always encrypt the word 'hash'.

 

Also  the method of encrypting when you store it in the database is not the same as the one you are using now to test if they are the same.

 

This is when you store it

$hash='hash';
$password = hash('sha256', $salt . $hash);

This when you check it

$hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

Read the replies! Otherwise you are just wasting our time.