blobby404 Posted November 24, 2014 Share Posted November 24, 2014 Hi, Im creating a simple site in PHP, for the most part its going well, however I struggling with an error that I have encountered. Im generating a random salt upon registering a user. This works fine, However when logging in with this user I am struggling and receive an error. Can somebody please explain where I am going wrong? I have attatched some images to this post which includes coding and the error message. NOTE: signup works fine, it is just the log-in which is broken. I have however included screenshots of both pages for better understanding of how the site works. Signup: http://picpaste.com/pics/SignUp-gZnFffux.1416827271.PNG Log-in: http://picpaste.com/pics/log-in-gB895EyW.1416827394.PNG Error Message: http://picpaste.com/pics/error-pic-JwV9iLp8.1416827510.PNG Kind Regards, Shaun Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted November 24, 2014 Share Posted November 24, 2014 I have attatched some images to this post which includes coding and the error message. It would of been easier to just paste your code (making sure to wrap it in tags) and the error message here. Quote Link to comment Share on other sites More sharing options...
Rifts Posted November 25, 2014 Share Posted November 25, 2014 use this for storing user data http://www.openwall.com/phpass/ here is how to use its very simple http://sunnyis.me/blog/secure-passwords/ Quote Link to comment Share on other sites More sharing options...
Psycho Posted November 25, 2014 Share Posted November 25, 2014 There is nothing in that code that even uses the salt. You need to include the salt when generating the hash. Plus, the hashing algorithm is flawed. It first generates an MD5 hash and then does a SHA hash. Lastly, the login code never even uses the password. It appears to only be looking for a match on the username/email. Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted November 25, 2014 Share Posted November 25, 2014 Never ever invent your own security algorithm. You cannot win, especially when you don't happen to be a genius cryptographer. And indeed this is horribly insecure. I'm not sure why you think that chaining two extremely weak algorithms somehow magically creates a strong algorithm. It doesn't. Both MD5 and SHA-256 allow an attacker to try billions(!) of passwords on an average PC. At that rate, a few passwords more or less simply don't matter. The attacker can always buy or rent better hardware. And who knows if this specific kind of chaining creates certain cryptographic weaknesses? Cryptography is an exact science, you can't just randomly throw together algorithms. The salt generator is also very broken. This weird procedure only produces around 58 “random” bits (a common recommendation is 128 bits). Even worse, the bits aren't really random, because the str_shuffle() function was never designed for security purposes. It's based on trivial data like the current server time and the process ID which are easily guessable. Long story short, always use established solutions. The state-of-the-art for password hashing is the bcrypt algorithm. If you have PHP 5.5, you can use it through the new Password Hashing API. If you have at least PHP 5.3.7, you can use the password_compat library which emulates the API. Older PHP versions are defective. use this for storing user data http://www.openwall.com/phpass/ No. This library is hopelessly outdated and seems to have been abandoned by the author. It also comes with a lot of compatibility baggage which can lead to security issues (for example, there's a fallback to an MD5-based algorithm if bcrypt isn't found). See above for an up-to-date solution. 2 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.