DrewBurston Posted July 8, 2015 (edited)

I'm having a problem with my login system. It's telling me my username and password are wrong when I know they are not. Here is my login.php:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
  <meta charset="UTF-8">
  <title>Server 2 Server | Log in</title>
  <meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>
  <!-- Bootstrap 3.3.4 -->
  <link href="bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
  <!-- Font Awesome Icons -->
  <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" type="text/css" />
  <!-- Theme style -->
  <link href="dist/css/AdminLTE.min.css" rel="stylesheet" type="text/css" />
  <!-- iCheck -->
  <link href="plugins/iCheck/square/blue.css" rel="stylesheet" type="text/css" />
  <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
  <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
  <!--[if lt IE 9]>
  <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
  <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
  <![endif]-->
</head>
<body class="login-page">
  <div class="login-box">
    <div class="login-logo">
      <a href="../../index2.html"><b>Server</b>2SERVER</a>
    </div><!-- /.login-logo -->
    <div class="login-box-body">
      <p class="login-box-msg">Sign in to view the control panel</p>
      <?php
      if(!empty($_GET['msg'])) {
          $msg = $_GET['msg']; // GET the message
          if($msg != ''):
              // Escape the message before echoing it: it comes straight from the query string
              echo '<p>'.htmlspecialchars($msg, ENT_QUOTES, 'UTF-8').'</p>';
          endif;
      }
      ?>
      <form action="check_login.php" method="post">
        <div class="form-group has-feedback">
          <input type="text" class="form-control" placeholder="Email" name="username" id="username"/>
          <span class="glyphicon glyphicon-envelope form-control-feedback"></span>
        </div>
        <div class="form-group has-feedback">
          <input type="password" class="form-control" placeholder="Password" name="password" id="password"/>
          <span class="glyphicon glyphicon-lock form-control-feedback"></span>
        </div>
        <div class="row">
          <div class="col-xs-8">
          </div><!-- /.col -->
          <div class="col-xs-4">
            <button type="submit" class="btn btn-primary btn-block btn-flat">Sign In</button>
          </div><!-- /.col -->
        </div>
      </form>
      <a href="#">I forgot my password</a><br>
    </div><!-- /.login-box-body -->
  </div><!-- /.login-box -->
  <!-- jQuery 2.1.4 -->
  <script src="../../plugins/jQuery/jQuery-2.1.4.min.js"></script>
  <!-- Bootstrap 3.3.2 JS -->
  <script src="../../bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
  <!-- iCheck -->
  <script src="../../plugins/iCheck/icheck.min.js" type="text/javascript"></script>
  <script>
    $(function () {
      $('input').iCheck({
        checkboxClass: 'icheckbox_square-blue',
        radioClass: 'iradio_square-blue',
        increaseArea: '20%' // optional
      });
    });
  </script>
</body>
</html>

check_login.php:

<?php
define('DOC_ROOT', dirname(__FILE__)); // To properly get the config.php file
$username = $_POST['username']; // Set UserName
$password = $_POST['password']; // Set Password
$msg = '';
if(isset($username, $password)) {
    ob_start();
    include(DOC_ROOT.'/config.php'); // Initiate the MySQL connection
    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($username);
    $mypassword = stripslashes($password);
    $myusername = mysqli_real_escape_string($dbC, $myusername);
    $mypassword = mysqli_real_escape_string($dbC, $mypassword);
    $sql = "SELECT * FROM login_admin WHERE user_name='$myusername' and user_pass=SHA('$mypassword')";
    $result = mysqli_query($dbC, $sql);
    // Mysql_num_row is counting table row
    $count = mysqli_num_rows($result);
    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count == 1) {
        // Register $myusername, $mypassword and redirect to file "dashboard.php"
        session_register("admin");
        session_register("password");
        $_SESSION['name'] = $myusername;
        header("location:dashboard.php");
    } else {
        $msg = "Wrong Username or Password. Please retry";
        header("location:login.php?msg=$msg");
    }
    ob_end_flush();
} else {
    header("location:login.php?msg=Please enter a username and password");
}
?>

It just keeps telling me my password and user are incorrect. Please help.

Edited July 8, 2015 by DrewBurston
scootstah Posted July 8, 2015 (edited)

> $count=mysqli_num_rows($result);

What is the value of $count? Are you getting a query error? Check with:

$result=mysqli_query($dbC, $sql) or die(mysqli_error($dbC));

Also, you're not storing your passwords securely. You should be using a secure hashing algorithm with salts. PHP has a new function for it on version 5.5. If you don't have PHP 5.5, there is a backwards compatible library that is good as well.

Edited July 8, 2015 by scootstah
DrewBurston Posted July 8, 2015 Author

> $count=mysqli_num_rows($result);
> What is the value of $count? Are you getting a query error? Check with:
> $result=mysqli_query($dbC, $sql) or die(mysqli_error($dbC));
> Also, you're not storing your passwords securely. You should be using a secure hashing algorithm with salts. PHP has a new function for it on version 5.5. If you don't have PHP 5.5, there is a backwards compatible library that is good as well.

// Mysql_num_row is counting table row
$count=mysqli_num_rows($result);

That's where I get the value for $count. I store passwords with SHA() encryption.
scootstah Posted July 8, 2015

Yes I know, but what is its actual value? Are you getting rows returned? How many rows? SHA1 is not encryption, it's a very weak hashing algorithm meant to be used for checksums and such, not for storing passwords.
cyberRobot Posted July 8, 2015

> I store passwords with SHA() encryption.

For what it's worth, the following page talks about the SHA functions not being suitable for passwords: http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
cyberRobot Posted July 8, 2015

> Are you getting a query error? Check with:
> $result=mysqli_query($dbC, $sql) or die(mysqli_error($dbC));

Did you try running the error code suggested above? I have a feeling that the query is failing because the hashed password isn't surrounded by single quotes. Also, I'm fairly certain you can't run a PHP function inside a string. Try changing this

$sql="SELECT * FROM login_admin WHERE user_name='$myusername' and user_pass=SHA('$mypassword')";

To this

$sql="SELECT * FROM login_admin WHERE user_name='$myusername' and user_pass='" . SHA($mypassword) . "'";
scootstah Posted July 8, 2015

That's MySQL's SHA() function.
cyberRobot Posted July 8, 2015

> That's MySQL's SHA() function.

Ah... that would explain why it wasn't in the PHP manual.
JenniferLawrence Posted July 9, 2015 (edited)

Well, the first mistake I look for in people's code is if they use isset($_POST['']); to check for form submission. I don't get why people think this is actually secure. If you don't actually have that specific HTML element in your code base, your "isset($_POST['']);" will fail despite how secure your actual code base is. If someone is smart enough, they can actually test to see how horribly put together your code is by just entering random junk data using your website. It's kind of like a beta tester for games: they test to see what works and what doesn't, what breaks and what doesn't. If you don't have volunteer debuggers or have any knowledge in PHP programming, it is recommended that you search for the best practice before actually copy&pasting code off the internet and seeing if it works or not. I know that I may sound pretty rude, but I see this stuff so many times, I feel like all these new PHP users aren't actually looking at the code they copy&paste.

The second thing I see a lot in people's PHP code is stripping or escaping the user's password. I can't........ I just can't....... If you modify someone's password, you limit the possibility of how secure it actually is. If I came across a website that didn't let me choose special characters as my passwords, I would probably delete my account on there and write a review on how bad their code base is. Let's say your user inputs

Php/freak+sistheb,est!@#$^*~(~`\

Your whole "escape_string($_POST['password'])" fails entirely. It will turn a secure as booty password such as the above to something like this.

Phpfreaksisthebest

How secure is this? If you haven't heard of the rainbow table, you should really look into it. It will make you want to change your way of importing and exporting data. You should also look into brute force. Save you some time on how secure someone's password really is. Someone once said to me:

> SQL Injection doesn't come from user inputs. It comes from bad code.

And I wonder why SQL Injections exist.

Edited July 9, 2015 by JenniferLawrence
DrewBurston Posted July 9, 2015 Author

To be honest I don't think it sounds rude. When it comes to security, sometimes you need to be blunt and to the point. Thanks for the response, I'll look into different encryptions and I'll prob go with md5 as I've used it in the past. This is for an admin panel of a website I'm building from scratch. I've used PHP for years but never actually built from the ground up. So your post has been very helpful to me. I will completely rebuild the login check page upon recommendation. Any tips on where to start would be greatly appreciated.
Ch0cu3r Posted July 9, 2015

No, don't use md5 either; that is just as bad as using SHA1. It is recommended to use what scootstah suggested earlier, in reply #2. Also, when using sessions, do not use the session_register functions; they are deprecated. When adding values to the session just define a new $_SESSION variable (making sure you have called session_start beforehand).
DrewBurston Posted July 9, 2015 Author

Not sure why that posted twice. Stupid phone lol. Ok brill, will check it out when I get home. Thanks for the help guys, no doubt you'll hear from me soon hah
boompa Posted July 9, 2015

Something else for you to read. Or, you could use the Sentinel library, or perhaps Aura.Auth. The point is, really, not to try to re-invent the wheel... especially in such a critical component.
scootstah Posted July 9, 2015

> Well, the first mistake I look for in people's code is if they use isset($_POST['']); to check for form submission. I don't get why people think this is actually secure.

There's nothing wrong with this approach for checking for a form submission. Why do you think it is not secure?
mac_gyver Posted July 9, 2015

similarly -

> Your whole "escape_string($_POST['password'])" fails entirely. It will turn a secure as booty password such as the above to something like this.

no it won't. applying an escape string function to the password doesn't strip out any characters and therefore doesn't affect the security of the value in any way. in the OP's code it would be necessary to escape the password value, since the hashing location (which is also not recommended, in addition to the hash method) is in the sql query statement.
scootstah Posted July 9, 2015 (edited)

> since the hashing location (which is also not recommended, in addition to the hash method) is in the sql query statement.

For those interested, using the hash algorithm in the query like that means that your server is going to be storing plaintext passwords in log files. Not good.

Also, after looking at OP's code again,

> Let's say your user inputs
> Php/freak+sistheb,est!@#$^*~(~`\
> Your whole "escape_string($_POST['password'])" fails entirely. It will turn a secure as booty password such as the above to something like this.
> Phpfreaksisthebest

wat

That function escapes unsafe characters, it doesn't remove them outright. Given your example input, this would be the output:

Php/freak+sistheb,est!@#$^*~(~`\\

As far as entropy goes, it's exactly the same. If you're going to go off in a condescending way, at least know what you're talking about.

EDIT: Formatting. Post went wonky.

Edited July 9, 2015 by scootstah
QuickOldCar Posted July 10, 2015

I agree using password_hash and password_verify is the best way. Only trim the password and use mysqli_real_escape_string, don't use stripslashes or any other methods to modify the password. Even better would be to use PDO and prepared statements.
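Pulling the thread's advice together (reply #2's password_hash/password_verify, Ch0cu3r's session_start plus a plain $_SESSION assignment, mac_gyver's and scootstah's point that hashing inside the SQL statement puts the plaintext password in the query log, and the prepared-statement recommendation above), here is a rewritten check_login.php. This is an added example, not code from any poster in this thread. It assumes config.php still creates the mysqli connection $dbC exactly as in the original post, that login_admin.user_pass is VARCHAR(255) so it can hold password_hash() output, and PHP 7.1 or later (nullable return types and ??). Existing SHA1 values cannot be converted; each account needs a new hash created with hash_for_storage(), for example through a password reset.

```php
<?php
// Added example, not the OP's code. Assumes config.php creates the mysqli
// connection $dbC (as in the original post) and that login_admin.user_pass is
// VARCHAR(255), wide enough for password_hash() output.
declare(strict_types=1);

define('DOC_ROOT', __DIR__);
require DOC_ROOT . '/config.php';   // provides $dbC (mysqli)

// mysqli errors become exceptions; their text goes to the server log below,
// never to the browser (die(mysqli_error()) would show it to any visitor).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
session_start();

/** Used when creating or resetting an account: returns the value to store in user_pass. */
function hash_for_storage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);   // bcrypt, salted, cost-tunable
}

/**
 * Returns the admin's user_name on success, null on failure. The password is
 * never modified (no stripslashes/escaping) and never interpolated into SQL,
 * so it cannot break the query and never appears in the MySQL query log.
 */
function verify_login(mysqli $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT user_name, user_pass FROM login_admin WHERE user_name = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($dbName, $dbHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: spend one hash computation anyway so the response time
        // does not reveal which usernames exist, then fail.
        password_hash($password, PASSWORD_DEFAULT);
        return null;
    }
    if (!password_verify($password, $dbHash)) {
        return null;
    }
    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($dbHash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE login_admin SET user_pass = ? WHERE user_name = ?');
        $new = hash_for_storage($password);
        $upd->bind_param('ss', $new, $dbName);
        $upd->execute();
        $upd->close();
    }
    return $dbName;
}

function redirect_with_msg(string $msg): void
{
    // urlencode() so spaces and punctuation survive the redirect; login.php must
    // still htmlspecialchars() the message before echoing it.
    header('Location: login.php?msg=' . urlencode($msg));
    exit;
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    redirect_with_msg('Please enter a username and password');
}

try {
    $name = verify_login($dbC, $username, $password);
} catch (mysqli_sql_exception $e) {
    error_log('check_login: query failed: ' . $e->getMessage());   // server log only
    redirect_with_msg('Login is temporarily unavailable');
}

if ($name === null) {
    // Same message for unknown user and wrong password: no username enumeration.
    redirect_with_msg('Wrong Username or Password. Please retry');
}

session_regenerate_id(true);   // fresh session id after authenticating
$_SESSION['name'] = $name;     // plain assignment replaces session_register()
header('Location: dashboard.php');
exit;
```

Two design choices worth noting. The database query fetches only the stored hash for the given username and the comparison happens in PHP, so the original question of whether SHA() needs quotes disappears along with the need for mysqli_real_escape_string on the password. And because mysqli_report() turns query failures into exceptions, the "$count is 0 but I don't know why" situation from the start of the thread shows up in the server error log instead of being reported to the user as a wrong password.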