h1234 Posted October 17, 2013

<?php include("config/connect.php");?>
<?php
if(isset($_POST['submit'])){
    $username=$_POST['username'];
    $password=$_POST['password'];
    $username=mysqli_real_escape_string($dbc,$username);
    $query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";
    $result=mysqli_query($dbc,$query);
    if(mysqli_num_rows($result)==0)//user not found redirect to home page
    {
        echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>';
        echo 'your username and or password is incorrect<br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location:index.php');
        exit();
    }
    $userdata=mysqli_fetch_array($result,MYSQL_ASSOC);
    $hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));
    if($hash != $userdata['password'])// incorrect password.redirect to login form again
    {
        echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>';
        echo 'password or username combination is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location:index.php');
        exit();
    }
    else{
        // redirect to homepage after successfull login
        echo 'you are logged in';
        //header('Location:head.php');
    }
}//close first if
echo var_dump($dbc);
?>

I think the problem could be with the query but I am not sure. Any ideas? :/ Thanks
h1234 (Author) Posted October 17, 2013

[same login code and question as in the post above]

In the database the password is char(128) and the salt is char(128) as well.
Barand Posted October 17, 2013

    $hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

Is that exactly the same method that you use when you originally encrypt the user's password for storing in the table?
h1234 (Author) Posted October 17, 2013

> $hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));
> Is that exactly the same method that you use when you originally encrypt the user's password for storing in the table?

I used this method in the signup for the password:

function createSalt() {
    $text = md5(uniqid(rand(), true));
    return substr($text, 0, 3);
} // end salt function

$salt = createSalt();
$hash='hash';
$password = hash('sha256', $salt . $hash);

//sanatize data
$username = mysqli_real_escape_string($dbc, $username);
$name = mysqli_real_escape_string($dbc, $surname);
$surname = mysqli_real_escape_string($dbc, $surname);
$email = mysqli_real_escape_string($dbc, $email);

$query ="INSERT INTO `users`( username , name , surname , password, email ,salt) VALUES ('$username' , '$password' , '$email' , '$name' ,'$surname' , '$salt') ";
mysqli_query($dbc,$query);
mysqli_close($dbc);
mac_gyver Posted October 17, 2013

You need to stop creating new threads for the same problem. Did you look at what your registration code is doing or at what data it is inserting when you were testing this? Your fields and data are mixed up. You are putting the wrong values into the name, surname, password, and email fields, so of course when you try to use the password value to authenticate the user, it's never going to work because it's actually the $name.
Barand Posted October 17, 2013

and you expect

    hash('sha256', $userdata['salt'] . hash('sha256',$password))

to be equal to

    hash('sha256', $salt . 'hash');

The password you encrypt and store is always 'hash'
jazzman1 Posted October 17, 2013

In addition to what mac and Barand said, when you are using a sha256 algorithm you should also know what length of field you'll need to store this hashing string in the database.
h1234 (Author) Posted October 18, 2013

> In addition to what mac and Barand said, when you are using a sha256 algorithm you should also know what length of field you'll need to store this hashing string in the database.

I changed it but still the same issues. This is my register.php:

<?php include("config/connect.php");?>
<?php
if(isset($_POST['submit'])){
    $username = $_POST['username'];
    $name = $_POST['name'];
    $surname = $_POST['surname'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $password_again = $_POST['password_again'];
    if($password !== $password_again){
        echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt=""> <br/>';
        echo "Your passwords do not match <br/>";
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        exit();
    }
    if(strlen($username) > 30){
        echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt=""> <br/>';
        echo "Your username is too long <br/>";
        echo '<a href="index.php">Back to Sign up </a>';
        exit();
    }
    if(empty($username) OR empty($name) OR empty($surname) OR empty($email)){
        echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt=""> <br/>';
        echo "all the fields marked with * are required<br/>";
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        exit();
    }
    $hash=hash('sha256',$password);
    //user exists functions start
    function user_exists($username){
        GLOBAL $dbc;
        $username = mysqli_real_escape_string($dbc, $username);
        $check=mysqli_query($dbc,"SELECT COUNT(`user_id` )FROM `users` WHERE `username` = '$username'");
        $qry=mysqli_fetch_array($check);
        return ($qry[0]==1)?true:false;
    }
    //user exists funtion ends
    if(user_exists($username)===true){
        echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>';
        echo ' this username exists <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        exit();
    }
    else {
        // funtion for salts
        function createSalt() {
            $text = md5(uniqid(rand(), true));
            return substr($text, 0, 3);
        } // end salt function
        $salt = createSalt();
        $password = hash('sha256', $salt . $hash);
        //sanatize data
        $username = mysqli_real_escape_string($dbc, $username);
        $name = mysqli_real_escape_string($dbc, $name);
        $surname = mysqli_real_escape_string($dbc, $surname);
        $email = mysqli_real_escape_string($dbc, $email);
        $query ="INSERT INTO `users`(user_id, username , password , name , surname, email ,salt) VALUES ('$user_id','$username' , '$password' , '$name' , '$surname' ,'$email' , '$salt') ";
        mysqli_query($dbc,$query);
        mysqli_close($dbc);
        header('LOCATION:index.php');
        exit();
    }
}
else {
    echo "Sorry, registration did not work , try again <br/>";
    echo '<a href="index.php">Back to Sign up <br/> </a>';
    exit();
}
?>

This is the login.php:

<?php include("config/connect.php");?>
<?php
if(isset($_POST['submit'])){
    $username=$_POST['username'];
    $password=$_POST['password'];
    $username=mysqli_real_escape_string($dbc,$username);
    $query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";
    $result=mysqli_query($dbc,$query);
    if(mysqli_num_rows($result)==0)//user not found redirect to home page
    {
        echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>';
        echo 'your username and or password is incorrect<br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location:index.php');
        exit();
    }
    $userdata=mysqli_fetch_array($result,MYSQL_ASSOC);
    $hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));
    if($hash != $userdata['password'])// incorrect password.redirect to login form again
    {
        echo '<img class="logo" src="logo.png" width=" 382" height="122 " alt="voucher"> <br/>';
        echo 'password or username combination is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        //header('Location:index.php');
        exit();
    }
    else{
        // redirect to homepage after successfull login
        echo 'you are logged in';
        //header('Location:world.php');
    }
}//close first if
echo var_dump(__FILE__, __LINE__, $_REQUEST);
//echo var_dump($dbc);
?>

Any ideas? It still says incorrect password. Does this code look ok?
Barand Posted October 18, 2013

You were told the answer in #6 above. Regardless of what password the user posted, you always encrypt the word 'hash'. Also the method of encrypting when you store it in the database is not the same as the one you are using now to test if they are the same.

This is when you store it:

    $hash='hash';
    $password = hash('sha256', $salt . $hash);

This is when you check it:

    $hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

Read the replies! Otherwise you are just wasting our time.
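Added example, not code from the thread or from any of the posters: the point Barand and mac_gyver make is that the value written at registration and the value recomputed at login must come from one and the same routine, and that the INSERT column list must line up with its values. The block below keeps a single hashing function shared by register and login, reproduces the thread's mismatched pair (hashing the literal 'hash' on one side and hash('sha256', $password) on the other) to show it can never match, and uses a prepared statement whose columns and placeholders sit side by side. It assumes PHP 7 or later (scalar type declarations, random_bytes) and a mysqli connection in `$dbc` as in config/connect.php; the function names make_password_hash, create_salt, register, login, thread_style_check and insert_user are chosen here, and storage is simulated with a PHP array instead of the users table.

```php
<?php
// Added example: one hashing routine shared by registration and login.
// Storage is simulated with an array; insert_user() shows the MySQL side.

// Shared routine. register() and login() must both call exactly this.
function make_password_hash(string $password, string $salt): string {
    return hash('sha256', $salt . $password);
}

// Stand-in for the thread's createSalt(): 16 random bytes (32 hex chars,
// fits the CHAR(128) column) instead of 3 characters of an md5().
function create_salt(): string {
    return bin2hex(random_bytes(16));
}

// Registration: builds the row that would be inserted and stores it.
function register(array &$users, string $username, string $password): array {
    $salt = create_salt();
    $row = [
        'username' => $username,
        'password' => make_password_hash($password, $salt),
        'salt'     => $salt,
    ];
    $users[$username] = $row;
    return $row;
}

// Login: look up salt and stored hash, recompute with the SAME routine,
// compare in constant time. True only when the password matches.
function login(array $users, string $username, string $password): bool {
    if (!isset($users[$username])) {
        return false;
    }
    $row = $users[$username];
    $candidate = make_password_hash($password, $row['salt']);
    return hash_equals($row['password'], $candidate);
}

// The thread's pair, reproduced for contrast: register.php stored
// sha256(salt . 'hash'), login.php checks sha256(salt . sha256(password)).
// The two formulas differ, so this is false for every password.
function thread_style_check(string $password, string $salt): bool {
    $stored = hash('sha256', $salt . 'hash');
    $check  = hash('sha256', $salt . hash('sha256', $password));
    return $stored === $check;
}

// INSERT via prepared statement: the column list and the placeholders are
// written together, so a value cannot be bound to the wrong column, and no
// manual escaping is needed. $dbc is the mysqli connection (assumed).
function insert_user(mysqli $dbc, array $row, string $name, string $surname, string $email): bool {
    $stmt = $dbc->prepare(
        'INSERT INTO `users` (`username`, `password`, `name`, `surname`, `email`, `salt`)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssss',
        $row['username'], $row['password'], $name, $surname, $email, $row['salt']);
    return $stmt->execute();
}

// Demo with the simulated store (constructed sample data, no database).
$users = [];
register($users, 'alice', 'correct horse');
var_dump(login($users, 'alice', 'correct horse'));    // same routine both sides
var_dump(login($users, 'alice', 'wrong password'));
var_dump(thread_style_check('correct horse', 'abc'));  // the thread's mismatch
```

On PHP 5.5 and later, password_hash() and password_verify() handle salting and the comparison for you and are the better choice than a hand-rolled SHA-256 scheme; the lesson of the thread holds either way, since whatever function produces the stored value must be the one that verifies it.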