R0xxy Posted May 14, 2014 Share Posted May 14, 2014 hi im testing out my site and basically when users register their passwords and encrypted for security obs however when i go to test the login with the exact same password as the one used to register the system detects it as invalid when its not, I've literally copy pasted the password so that i was sure it was the same therefore the issue is within the encryption does anyone have an idea how to overcome this I've tested changed names of variables but nothing seems to help I've even got an error reporting function but no error is detected <?php error_reporting(E_ALL); include_once("conninfo2.php"); if(isset($_POST['username']) && trim($_POST['username']) != ""){ $username = strip_tags($_POST['username']); $password = $_POST['password']; $hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt')); $stmt1 = $db->prepare("SELECT usersid, password FROM login WHERE username=:username AND activated='1' LIMIT 1"); $stmt1->bindValue(':username',$username,PDO::PARAM_STR); try{ $stmt1->execute(); $count = $stmt1->rowCount(); if($count > 0){ while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){ $uid = $row['usersid']; $hash = $row['password']; } if (crypt($hmac, $hash) === $hash) { $db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1"); $_SESSION['uid'] = $uid; $_SESSION['username'] = $username; $_SESSION['password'] = $hash; setcookie("usersid", $uid, strtotime( '+30 days' ), "/", "", "", TRUE); setcookie("username", $username, strtotime( '+30 days' ), "/", "", "", TRUE); setcookie("password", $hash, strtotime( '+30 days' ), "/", "", "", TRUE); echo 'Valid password<br />'.$_SESSION['uid'].'<br />'.$_SESSION['username'].'<br />'.$_SESSION['password'].' <br />'.$_COOKIE['usersid']; /*header("location: index.php");*/ exit(); } else { echo 'Invalid password Press back and try again<br />'; exit(); } } else{ echo "A user with that email address does not exist here"; $db = null; exit(); } } catch(PDOException $e){ echo $e->getMessage(); $db = null; exit(); } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/288488-php-password-encryption-not-matching-info/ Share on other sites More sharing options...
Solution Jacques1 Posted May 14, 2014 Solution Share Posted May 14, 2014 (edited) Hi, the code doesn't make much sense and is downright dangerous. Why on earth do you store the password hash in a cookie? The password must be protected, not thrown around. Your HMAC is far too long for the bcrypt algorithm (which I hope you're using). There's no error checking whatsoever. If crypt() returns an error string, you happily accept that as a valid hash. I strongly, strongly recommend that you keep away from home-made security and low-level functions like crypt(). This function in particular is a monster. I'm sure you've made plenty of mistakes when generating the original hash. If you have PHP 5.5, use the new password hashing API. If you don't have PHP 5.5 but at least 5.3.7, use the password_compat library. Do not try to implement this on your own. Your chance of success is very, very low. Edited May 14, 2014 by Jacques1 Quote Link to comment https://forums.phpfreaks.com/topic/288488-php-password-encryption-not-matching-info/#findComment-1479476 Share on other sites More sharing options...
R0xxy Posted May 17, 2014 Author Share Posted May 17, 2014 (edited) i understand were your coming from but were covering elements in class i just can't figure out why the user log gin in always receives an error message saying incorrect password when in fact it is correct I've run the queries within my db and i receive results so why is it that they can't login to the system? <?php include_once("conninfo2.php"); if(isset($_POST['email']) && trim($_POST['email']) != ""){ $email = strip_tags($_POST['email']); $password = $_POST['password']; $hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt')); $stmt1 = $db->prepare("SELECT usersid, username, password FROM login WHERE email=:email AND activated='1' LIMIT 1"); $stmt1->bindValue(':email',$email,PDO::PARAM_STR); try{ $stmt1->execute(); $count = $stmt1->rowCount(); if($count > 0){ while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){ $uid = $row['usersid']; $username = $row['username']; $hash = $row['password']; } if (crypt($hmac, $hash) === $hash) { $db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1"); $_SESSION['uid'] = $uid; $_SESSION['username'] = $username; $_SESSION['password'] = $hash; setcookie("usersid", $uid, strtotime( '+30 days' ), "/", "", "", TRUE); setcookie("username", $username, strtotime( '+30 days' ), "/", "", "", TRUE); setcookie("password", $hash, strtotime( '+30 days' ), "/", "", "", TRUE); header("location: index.php"); exit(); } else { echo 'Invalid password Press back and try again<br />'; exit(); } } else { echo "A user with that email address does not exist here"; $db = null; exit(); } } catch(PDOException $e){ echo $e->getMessage(); $db = null; exit(); } } ?> Edited May 17, 2014 by mac_gyver Quote Link to comment https://forums.phpfreaks.com/topic/288488-php-password-encryption-not-matching-info/#findComment-1479838 Share on other sites More sharing options...
Jacques1 Posted May 17, 2014 Share Posted May 17, 2014 I just told you that the whole password code is broken. You have two options now: You can keep messing with the broken code and waste some more days in the hopes to somehow get it working – this may or may not happen. Or you can simply replace all the bad stuff with a single function call which will work. It's up to you. Quote Link to comment https://forums.phpfreaks.com/topic/288488-php-password-encryption-not-matching-info/#findComment-1479846 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.