password does not work, it always recognises it as incorrect even though it's correct


h1234

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
    $username=$_POST['username'];
    $password=$_POST['password'];

    $username=mysqli_real_escape_string($dbc,$username);

    $query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

    $result=mysqli_query($dbc,$query);

    if(mysqli_num_rows($result)==0)//user not found redirect to home page
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'your username  and or password is incorrect<br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';

        //header('Location:index.php');
        exit();
    }

    // MYSQLI_ASSOC is the mysqli constant (MYSQL_ASSOC belongs to the old mysql extension)
    $userdata=mysqli_fetch_array($result,MYSQLI_ASSOC);
    $hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

    // hash_equals() compares in constant time and avoids loose != on hex strings
    if(!hash_equals($userdata['password'], $hash))// incorrect password. redirect to login form again
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'password or username combination is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';

        //header('Location:index.php');
        exit();
    }
    else{ // redirect to homepage after successful login
        echo 'you are logged in';
        //header('Location:head.php');
    }

}//close first if

// debug output
var_dump($dbc);

?>

I think the problem could be with the query but I am not sure. Any ideas? :/ Thanks

Link to comment
Share on other sites

in the database the password is char(128) and the salt is char(128) as well. 

Link to comment
Share on other sites

$hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

Is that exactly the same method that you use when you originally encrypt the user's password for storing in the table?

 

I used this method in the signup for the password

function createSalt()
{
    $text = md5(uniqid(rand(), true));
    return substr($text, 0, 3);
}
 // end salt function
$salt = createSalt();
$hash='hash';
$password = hash('sha256', $salt . $hash);

//sanitize data

$username = mysqli_real_escape_string($dbc, $username);
$name = mysqli_real_escape_string($dbc, $surname);
$surname = mysqli_real_escape_string($dbc, $surname);
$email = mysqli_real_escape_string($dbc, $email);

$query ="INSERT INTO `users`( username , name , surname , password, email ,salt) 
VALUES ('$username' , '$password' , '$email' , '$name' ,'$surname' , '$salt') ";

mysqli_query($dbc,$query);
mysqli_close($dbc);







Link to comment
Share on other sites

you need to stop creating new threads for the same problem.

 

did you look at what your registration code is doing or at what data it is inserting when you were testing this?

 

your fields and data are mixed up. you are putting the wrong values into the name, surname, password, and email fields, so of course when you try to use the password value to authenticate the user, it's never going to work because it's actually the $name.

Link to comment
Share on other sites

In addition to what mac and Barand said, when you are using a sha256 algorithm you should also know what length of field you'll need to store this hashing string in the database.

I changed it but still the same issues

 

this is my register.php 

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
    $username = $_POST['username'];
    $name = $_POST['name'];
    $surname = $_POST['surname'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $password_again = $_POST['password_again'];

    if($password !== $password_again){
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt=""> <br/>';
        echo "Your passwords do not match <br/>";
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        exit();
    }

    if(strlen($username) > 30){
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt=""> <br/>';
        echo "Your username is too long <br/>";
        echo '<a href="index.php">Back to Sign up  </a>';
        exit();
    }

    if(empty($username) OR empty($name) OR empty($surname) OR empty($email)){
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt=""> <br/>';
        echo "all the fields marked with * are required<br/>";
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        exit();
    }

    $hash=hash('sha256',$password);

    //user exists function starts
    function user_exists($username){
        GLOBAL $dbc;

        $username = mysqli_real_escape_string($dbc, $username);

        $check=mysqli_query($dbc,"SELECT COUNT(`user_id` )FROM `users` WHERE `username` = '$username'");

        $qry=mysqli_fetch_array($check);

        return ($qry[0]==1)?true:false;
    }
    //user exists function ends

    if(user_exists($username)===true){
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo ' this username exists <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';
        exit();
    }
    else {
        // function for salts
        function createSalt()
        {
            $text = md5(uniqid(rand(), true));
            return substr($text, 0, 3);
        }
        // end salt function
        $salt = createSalt();
        $password = hash('sha256', $salt . $hash);

        //sanitize data
        $username = mysqli_real_escape_string($dbc, $username);
        $name = mysqli_real_escape_string($dbc, $name);
        $surname = mysqli_real_escape_string($dbc, $surname);
        $email = mysqli_real_escape_string($dbc, $email);

        // note: $user_id is never assigned anywhere in this script
        $query ="INSERT INTO `users`(user_id, username , password , name , surname, email ,salt)
        VALUES ('$user_id','$username' , '$password' , '$name' , '$surname' ,'$email' , '$salt') ";

        mysqli_query($dbc,$query);
        mysqli_close($dbc);

        header('LOCATION:index.php');
        exit();
    }
} else {
    echo "Sorry, registration did not work , try again <br/>";
    echo '<a href="index.php">Back to Sign up <br/> </a>';
    exit();
}

?>

this is the login.php

<?php include("config/connect.php");?>

<?php

if(isset($_POST['submit'])){
    $username=$_POST['username'];
    $password=$_POST['password'];

    $username=mysqli_real_escape_string($dbc,$username);

    $query="SELECT `password`, `salt` FROM `users` WHERE `username`='$username'";

    $result=mysqli_query($dbc,$query);

    if(mysqli_num_rows($result)==0)//user not found redirect to home page
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'your username  and or password is incorrect<br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';

        //header('Location:index.php');
        exit();
    }

    // MYSQLI_ASSOC is the mysqli constant (MYSQL_ASSOC belongs to the old mysql extension)
    $userdata=mysqli_fetch_array($result,MYSQLI_ASSOC);
    $hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

    // hash_equals() compares in constant time and avoids loose != on hex strings
    if(!hash_equals($userdata['password'], $hash))// incorrect password. redirect to login form again
    {
        echo '<img class="logo" src="logo.png" width=" 382"  height="122 " alt="voucher"> <br/>';
        echo 'password or username combination is incorrect <br/>';
        echo '<a href="index.php">Back to Sign up <br/> </a>';

        //header('Location:index.php');
        exit();
    }
    else{ // redirect to homepage after successful login
        echo 'you are logged in';
        //header('Location:world.php');
    }

}//close first if

// debug output
var_dump(__FILE__, __LINE__, $_REQUEST);

//var_dump($dbc);

?>

Any ideas? It still says incorrect password. Does this code look ok?

Link to comment
Share on other sites

You were told the answer in #6 above.

 

Regardless of what password the user posted, you always encrypt the word 'hash'.

 

Also the method of encrypting when you store it in the database is not the same as the one you are using now to test if they are the same.

 

This is when you store it

$hash='hash';
$password = hash('sha256', $salt . $hash);

This is when you check it

$hash=hash('sha256', $userdata['salt'] . hash('sha256',$password));

Read the replies! Otherwise you are just wasting our time.

Link to comment
Share on other sites
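
An added example (not code from the thread or any of its posters) showing registration and login that cannot drift apart the way the stored and checked hashes above do: the password the user typed goes through `password_hash()` at sign-up and `password_verify()` at login, and named placeholders tie each value to its column. Assumptions: an in-memory SQLite database through PDO stands in for the thread's mysqli connection, and the table layout, function names and sample account are constructed for illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite keeps the example self-contained; the thread uses MySQL via mysqli.
// In MySQL the password column should be VARCHAR(255) to hold password_hash() output.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL,
    email    TEXT NOT NULL
)');

function register_user(PDO $db, string $username, string $password, string $email): void
{
    // Named placeholders bind each value to its column by name, so the
    // column list and the value list cannot get out of order.
    $stmt = $db->prepare(
        'INSERT INTO users (username, password, email)
         VALUES (:username, :password, :email)'
    );
    $stmt->execute([
        ':username' => $username,
        // Hash what the user typed; the salt is generated and kept inside the hash string.
        ':password' => password_hash($password, PASSWORD_DEFAULT),
        ':email'    => $email,
    ]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $stored = $stmt->fetchColumn(); // false when the user does not exist
    // password_verify() re-derives the hash from the salt and parameters stored in
    // $stored and compares in constant time, so sign-up and login share one scheme.
    return is_string($stored) && password_verify($password, $stored);
}

// Constructed sample data: one account, then a correct, a wrong and an unknown-user login.
register_user($db, 'alice', 'correct horse', 'alice@example.test');
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'hash'));
var_dump(check_login($db, 'nobody', 'correct horse'));
```
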
