Michael_Baxter Posted February 26, 2016

/* process_login.php*/
2.
3.<?php
4.include_once 'db_connect.php';
5.include_once 'functions.php';
6.
7.sec_session_start(); // Our custom secure way of starting a PHP session.
8.
9.if (isset($_POST['email'], $_POST['p'])) {
10.    $email = $_POST['email'];
11.    $password = $_POST['p']; // The hashed password.
12.
13.    if (login($email, $password, $mysqli) == true) {
14.        // Login success
15.        header('Location: ../protected_page.php');
16.    } else {
17.        // Login failed
18.        header('Location: ../index.php?error=1');
19.    }
20.} else {
21.    // The correct POST variables were not sent to this page.
22.    echo 'Invalid Request';
23.}

/* INDEX.PHP */
2.
3.<?php
4.error_reporting(E_ALL);
5.ini_set("display_errors",1);
6.
7.include_once 'includes/db_connect.php';
8.include_once 'includes/functions.php';
9.
10.sec_session_start();
11.
12.if (login_check($mysqli) == true) {
13.    $logged = 'in';
14.} else {
15.    $logged = 'out';
16.}
17.?>
18.<!DOCTYPE html>
19.<html>
20.    <head>
21.        <title>Secure Login: Log In</title>
22.        <link rel="stylesheet" href="styles/main.css" />
23.        <script type="text/JavaScript" src="js/sha512.js"></script>
24.        <script type="text/JavaScript" src="js/forms.js"></script>
25.    </head>
26.    <body>
27.        <?php
28.        if (isset($_GET['error'])) {
29.            echo '<p class="error">Error Logging In!</p>';
30.        }
31.        ?>
32.        <form action="includes/process_login.php" method="post" name="login_form">
33.            Email: <input type="text" name="email" />
34.            Password: <input type="password"
35.                             name="password"
36.                             id="password"/>
37.            <input type="button"
38.                   value="Login"
39.                   onclick="formhash(this.form, this.form.password);" />
40.        </form>
41.
42.<?php
43.        if (login_check($mysqli) == true) {
44.            echo '<p>Currently logged ' . $logged . ' as ' . htmlentities($_SESSION['username']) . '.</p>';
45.
46.            echo '<p>Do you want to change user? <a href="includes/logout.php">Log out</a>.</p>';
47.        } else {
48.            echo '<p>Currently logged ' . $logged . '.</p>';
49.            echo "<p>If you don't have a login, please <a href='register.php'>register</a></p>";
50.        }
51.?>
52.    </body>
53.</html>

Hi, I have been building this secure login system but for some reason the submit button on my index page just is not working. Once an email and password are entered and you click on submit, absolutely nothing happens: no form reset, no login, no errors, nothing. Can anyone see why at all, please?
ginerjm Posted February 26, 2016

Which script is not responding? Turn on php error checking. Do some debugging like add an echo at the top of your problem script to see if it is getting there. Add an echo to output the contents of the POST array as in:

echo "<pre>",print_r($_POST,true),"</pre>";

to see what you are receiving. Focus on one script to make sure everything is correct then move to the next so you don't get confused.
Michael_Baxter (Author) Posted February 26, 2016

I have error reporting on the top of index.php, and process_login.php is only an include file to index.php. As for what data is being sent and echoing this data or printing it on a page: no data is being sent at all. When you click on the submit button nothing happens at all. That's the whole problem, and that's why I can't fix this myself; I don't understand the nothing. Feel free to view this page on my domain: mnvb.co.uk/secure_login/ (that will go to the index.php page as above).
ginerjm Posted February 26, 2016

I don't see any submit button. I see a 'button', but it is not a submit. Now if you are doing some kind of submit in your JS code, that's a whole other situation.

1 - eliminate the blank line at line 2. Could be a problem later on.
2 - Do you get the input form displayed?
3 - Does your browser indicate any errors in your JS code?
4 - Since you have your own session process do you rely on any session vars in the included files prior to turning on your sessions?
Barand Posted February 26, 2016

> for some reason the submit button on my index page just is not working

Your form does not have a submit button, just a button, unless your formhash() function submits the form.
Destramic Posted February 26, 2016

The reason your form isn't working is because of your formhash js function. If you open the console in your browser you will see it says

ReferenceError: hex_sha512 is not defined

which points to this line here:

p.value = hex_sha512(password.value);

Once you sort out your js error the form should submit as intended by your js function.

Edited February 26, 2016 by Destramic
benanamen Posted February 26, 2016

Whatever your problem, you are missing a closing bracket here in sha512.js:

//Same, except with 5 addends
function int64add5(dst, a, b, c, d, e)
{
  var w0 = (a.l & 0xffff) + (b.l & 0xffff) + (c.l & 0xffff) + (d.l & 0xffff) + (e.l & 0xffff);
  var w1 = (a.l >>> 16) + (b.l >>> 16) + (c.l >>> 16) + (d.l >>> 16) + (e.l >>> 16) + (w0 >>> 16);
  var w2 = (a.h & 0xffff) + (b.h & 0xffff) + (c.h & 0xffff) + (d.h & 0xffff) + (e.h & 0xffff) + (w1 >>> 16);
  var w3 = (a.h >>> 16) + (b.h >>> 16) + (c.h >>> 16) + (d.h >>> 16) + (e.h >>> 16) + (w2 >>> 16);
  dst.l = (w0 & 0xffff) | (w1 << 16);
  dst.h = (w2 & 0xffff) | (w3 << 16);

Edited February 26, 2016 by benanamen
Destramic Posted February 26, 2016

Although looking further into your script, I would leave the encryption of passwords to server side (behind closed doors). You want to be using http://php.net/manual/en/function.password-verify.php and http://php.net/manual/en/function.password-hash.php on your passwords, and possibly encrypt the password using aes also beforehand.
Jacques1 Posted February 26, 2016

The password does get hashed with password_hash(). The code above is copied and pasted from wikiHow.

Personally, I'd get rid of all the JavaScript magic and use a plain old form. I have no idea what the client-side hashing is supposed to do. Maybe it's some kind of poor man's HTTPS, in which case you should replace it with the actual HTTPS protocol. Maybe it's supposed to obfuscate the original password, in which case SHA-512 is far too weak. Either way, it only bloats the code and leads to problems (as you can see).
Destramic Posted February 26, 2016

> The password does get hashed with password_hash(). The code above is copied and pasted from wikiHow.

good eyes
Michael_Baxter (Author) Posted February 26, 2016

OK, so there was my really bad idea. Now you have all given me enough to think about and research to go away and re-look at this and start over, and design all of it using my own code and ideas to fit what I need. Maybe I will have more success this way.
Michael_Baxter (Author) Posted February 26, 2016

I am curious here: as far as I am aware there is no remote access to the MySQL system on my cPanel, so how safe is the information in my databases?
ginerjm Posted February 26, 2016

As safe as your hosting co. keeps it and as safely as you keep your account password.
Jacques1 Posted February 27, 2016

> I am curious here: as far as I am aware there is no remote access to the MySQL system on my cPanel, so how safe is the information in my databases?

Why do you ask?

In reality, a database without professional management is not safe, even if it can only be accessed locally. There are simply too many ways to screw up: SQL injection vulnerabilities, configuration errors, inappropriate permissions, weak passwords etc.

Of course you have to make your database as safe as possible, but do prepare for the case that an attacker manages to bypass your security nonetheless. That means:

- Don't store any sensitive data unless you absolutely need it.
- Make sure all passwords are hashed with a strong algorithm like bcrypt. Also encourage your users to generate purely random passwords with a password manager.
- Consider using encryption.
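Added example (not part of the thread and not the wikiHow code): the server-side approach recommended in Destramic's and Jacques1's replies above, where a plain form posts the password over HTTPS and PHP does the hashing and the lookup. The `members` table, its columns, the function names and the in-memory SQLite database are assumptions made so the script runs on its own; the thread's code uses MySQL.

```php
<?php
declare(strict_types=1);

function register_user(PDO $db, string $email, string $password): void
{
    // PASSWORD_DEFAULT currently selects bcrypt; the salt is generated for us.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO members (email, password_hash) VALUES (?, ?)')
       ->execute([$email, $hash]);
}

// Returns the member id on success, null on any failure.
function check_login(PDO $db, string $email, string $password): ?int
{
    // Prepared statement: the e-mail is bound as data, never pasted into the SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown e-mail: still verify against a dummy hash so both paths cost about the same.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);
    if (!$row || !$ok) {
        return null;
    }
    // Re-hash transparently when the default algorithm or cost has moved on.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE members SET password_hash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed demo data in an in-memory SQLite database (assumption; the thread uses MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
register_user($db, 'player@example.test', 'correct horse battery staple');

var_dump(check_login($db, 'player@example.test', 'correct horse battery staple'));
var_dump(check_login($db, 'player@example.test', 'wrong password'));
var_dump(check_login($db, 'nobody@example.test', 'anything'));

// In the form handler: on a non-null id call session_regenerate_id(true),
// store the id in $_SESSION, send header('Location: ...') and then exit.
```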
Michael_Baxter (Author) Posted February 27, 2016

For this project that I am working on, the most sensitive data types I need to store are the user passwords and their personal profile data. OK, I am going to give you a quick rundown of this. I am involved in an online gaming community of volunteers; they host tournaments on a gaming site in games like backgammon, cribbage, Euchre, spades and pachisi. This site I am making is a place where they can go for information sharing, and later to store their files for their macro pushing tools. Also they post all tournament results and points to a forum I put on. So I want them to go to my home page and log in. Firstly, of course, I want all members to register and create a profile, with ranking systems to allow me to set moderation abilities. I am putting this site together for them, but as a learning experience for me, so that I can later go on and improve upon this code and make something bigger and better.