R0xxy Posted May 14, 2014

Hi, I'm testing out my site. Basically, when users register, their passwords are encrypted for security, obviously; however, when I go to test the login with the exact same password as the one used to register, the system detects it as invalid when it's not. I've literally copy-pasted the password so that I was sure it was the same, therefore the issue is within the encryption. Does anyone have an idea how to overcome this? I've tested changing names of variables but nothing seems to help. I've even got an error reporting function but no error is detected.

    <?php
    error_reporting(E_ALL);
    include_once("conninfo2.php");

    if(isset($_POST['username']) && trim($_POST['username']) != ""){
        $username = strip_tags($_POST['username']);
        $password = $_POST['password'];
        $hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt'));

        $stmt1 = $db->prepare("SELECT usersid, password FROM login WHERE username=:username AND activated='1' LIMIT 1");
        $stmt1->bindValue(':username', $username, PDO::PARAM_STR);

        try{
            $stmt1->execute();
            $count = $stmt1->rowCount();
            if($count > 0){
                while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){
                    $uid = $row['usersid'];
                    $hash = $row['password'];
                }
                if (crypt($hmac, $hash) === $hash) {
                    $db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1");
                    $_SESSION['uid'] = $uid;
                    $_SESSION['username'] = $username;
                    $_SESSION['password'] = $hash;
                    setcookie("usersid", $uid, strtotime('+30 days'), "/", "", "", TRUE);
                    setcookie("username", $username, strtotime('+30 days'), "/", "", "", TRUE);
                    setcookie("password", $hash, strtotime('+30 days'), "/", "", "", TRUE);
                    echo 'Valid password<br />'.$_SESSION['uid'].'<br />'.$_SESSION['username'].'<br />'.$_SESSION['password'].'<br />'.$_COOKIE['usersid'];
                    /*header("location: index.php");*/
                    exit();
                } else {
                    echo 'Invalid password Press back and try again<br />';
                    exit();
                }
            } else {
                echo "A user with that email address does not exist here";
                $db = null;
                exit();
            }
        } catch(PDOException $e){
            echo $e->getMessage();
            $db = null;
            exit();
        }
    }
    ?>
Jacques1 (Solution) Posted May 14, 2014 (edited)

Hi,

the code doesn't make much sense and is downright dangerous. Why on earth do you store the password hash in a cookie? The password must be protected, not thrown around. Your HMAC is far too long for the bcrypt algorithm (which I hope you're using). There's no error checking whatsoever. If crypt() returns an error string, you happily accept that as a valid hash.

I strongly, strongly recommend that you keep away from home-made security and low-level functions like crypt(). This function in particular is a monster. I'm sure you've made plenty of mistakes when generating the original hash.

If you have PHP 5.5, use the new password hashing API. If you don't have PHP 5.5 but at least 5.3.7, use the password_compat library. Do not try to implement this on your own. Your chance of success is very, very low.

Edited May 14, 2014 by Jacques1
R0xxy Posted May 17, 2014 (edited)

I understand where you're coming from, but we're covering these elements in class. I just can't figure out why the user logging in always receives an error message saying incorrect password when in fact it is correct. I've run the queries within my DB and I receive results, so why is it that they can't log in to the system?

    <?php
    include_once("conninfo2.php");

    if(isset($_POST['email']) && trim($_POST['email']) != ""){
        $email = strip_tags($_POST['email']);
        $password = $_POST['password'];
        $hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt'));

        $stmt1 = $db->prepare("SELECT usersid, username, password FROM login WHERE email=:email AND activated='1' LIMIT 1");
        $stmt1->bindValue(':email', $email, PDO::PARAM_STR);

        try{
            $stmt1->execute();
            $count = $stmt1->rowCount();
            if($count > 0){
                while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){
                    $uid = $row['usersid'];
                    $username = $row['username'];
                    $hash = $row['password'];
                }
                if (crypt($hmac, $hash) === $hash) {
                    $db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1");
                    $_SESSION['uid'] = $uid;
                    $_SESSION['username'] = $username;
                    $_SESSION['password'] = $hash;
                    setcookie("usersid", $uid, strtotime('+30 days'), "/", "", "", TRUE);
                    setcookie("username", $username, strtotime('+30 days'), "/", "", "", TRUE);
                    setcookie("password", $hash, strtotime('+30 days'), "/", "", "", TRUE);
                    header("location: index.php");
                    exit();
                } else {
                    echo 'Invalid password Press back and try again<br />';
                    exit();
                }
            } else {
                echo "A user with that email address does not exist here";
                $db = null;
                exit();
            }
        } catch(PDOException $e){
            echo $e->getMessage();
            $db = null;
            exit();
        }
    }
    ?>

Edited May 17, 2014 by mac_gyver
Jacques1 Posted May 17, 2014

I just told you that the whole password code is broken. You have two options now: You can keep messing with the broken code and waste some more days in the hope of somehow getting it working – this may or may not happen. Or you can simply replace all the bad stuff with a single function call which will work.

It's up to you.
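The "single function call" Jacques1 refers to in both of his replies is the password hashing API (password_hash() / password_verify()). The following is an added example written for this page, not code from either poster: the thread's login flow rebuilt around that API, with the HMAC step, the key.txt file and the cookies carrying the hash removed. It targets PHP 7.1 or later (drop the type declarations for 5.5). The `login` table and its column names come from the thread; the in-memory SQLite database, the demo user, the cost setting and the function names are assumptions made so the file runs stand-alone from the command line.

```php
<?php
// Added example, not the poster's code: login built on password_hash()/password_verify().
declare(strict_types=1);

const BCRYPT_COST = 12; // assumed; tune so one verify takes roughly 100 ms on your hardware

function registerUser(PDO $db, string $username, string $email, string $password): void
{
    // password_hash() generates a random salt and embeds algorithm, cost and salt
    // in its output, so nothing else (no key file, no HMAC) needs to be stored.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    $stmt = $db->prepare(
        'INSERT INTO login (username, email, password, activated) VALUES (:u, :e, :p, 1)'
    );
    $stmt->execute([':u' => $username, ':e' => $email, ':p' => $hash]);
}

// Returns ['usersid' => int, 'username' => string] on success, null on any failure.
function verifyLogin(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT usersid, username, password FROM login WHERE email = :email AND activated = 1 LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run one bcrypt comparison even for an unknown e-mail, so "no such user" and
    // "wrong password" take similar time and give the caller the same answer.
    $hash = $row ? $row['password'] : password_hash('placeholder', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }

    // If BCRYPT_COST was raised after this hash was created, upgrade it now,
    // while the plaintext is legitimately available.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE login SET password = :p WHERE usersid = :id');
        $upd->execute([
            ':p'  => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
            ':id' => $row['usersid'],
        ]);
    }

    $upd = $db->prepare('UPDATE login SET lastlog = CURRENT_TIMESTAMP WHERE usersid = :id');
    $upd->execute([':id' => $row['usersid']]);

    return ['usersid' => (int) $row['usersid'], 'username' => $row['username']];
}

// Web request handler: the session holds only the user id and name; no hash in any cookie.
function handleLoginRequest(PDO $db): void
{
    if (!isset($_POST['email'], $_POST['password']) || trim($_POST['email']) === '') {
        return;
    }
    session_start();
    $user = verifyLogin($db, $_POST['email'], $_POST['password']);
    if ($user === null) {
        exit('Invalid email or password. Press back and try again.');
    }
    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['uid'] = $user['usersid'];
    $_SESSION['username'] = $user['username'];
    header('Location: index.php');
    exit();
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Stand-alone demo against a constructed in-memory SQLite database.
function demo(): void
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE login (usersid INTEGER PRIMARY KEY, username TEXT, email TEXT UNIQUE,
               password TEXT, activated INTEGER, lastlog TEXT)');
    registerUser($db, 'alice', 'alice@example.com', 'correct horse battery staple');

    // Pasting the exact registration password into the login form now verifies.
    check(verifyLogin($db, 'alice@example.com', 'correct horse battery staple') !== null, 'correct password accepted');
    check(verifyLogin($db, 'alice@example.com', 'wrong password') === null, 'wrong password rejected');
    check(verifyLogin($db, 'nobody@example.com', 'anything') === null, 'unknown user rejected');
    echo "demo ok\n";
}

if (PHP_SAPI === 'cli') {
    demo();
} else {
    include_once 'conninfo2.php'; // provides $db (PDO), as in the thread
    handleLoginRequest($db);
}
```

Two points the example makes that the thread only states: the stored hash is never compared with `===` by the application, since password_verify() does the constant-time comparison and rejects malformed or error-string hashes instead of accepting them as crypt() would; and bcrypt only considers the first 72 bytes of its input, so feeding it a 128-character hex HMAC, as the original code does, silently truncates the value it hashes.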