1

Halo there,

I have a problem of logging in my registered user, I've hashed the passwords and when I log in my form refuse, So I don't really know whats the problem because the user I registered Directly with sql command can actually login below is my login script...

<?php
    include 'db_connect.php';
    include 'functions.php';
    sec_session_start(); // Our custom secure way of starting a php session. 

    if(isset($_POST['email'], $_POST['p'])) { 
        $email = $_POST['email'];
        $password = $_POST['p']; // The hashed password.
        if(login($email, $password, $mysqli) == true) {
            // Login success
            echo 'Success: You have been logged in!';
            echo '<a href="javascript:window.close();">Close window</a>';
        } else {
            // Login failed
            header('Location: ./login.php?error=1');
        }
    } else { 
        // The correct POST variables were not sent to this page.
        echo 'Invalid Request';
    }
?>

And Below is my login function on the Function.php file

function login($email, $password, $mysqli) {

    if ($stmt = $mysqli->prepare(
        "SELECT id, username, password, salt 
         FROM members 
         WHERE email = ? 
         LIMIT 1"
    )) { 
        $stmt->bind_param('s', $email); 
        $stmt->execute(); // Execute the prepared query.
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $db_password, $salt); 
        $stmt->fetch();
        $password = hash('sha512', $password.$salt); // hash the password with the unique salt.

        if($stmt->num_rows == 1) {
            if(checkbrute($user_id, $mysqli) == true) { 
                return false;
            } else {
                if($db_password == $password) {
                    $ip_address = $_SERVER['REMOTE_ADDR']; 
                    $user_browser = $_SERVER['HTTP_USER_AGENT']; 

                    $user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value
                    $_SESSION['user_id'] = $user_id; 
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); 
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512',  $password.$ip_address.$user_browser);
                    // Login successful.
                    return true;    
                } else {

                    $now = time();
                    $mysqli->query(
                        "INSERT INTO login_attempts (user_id, time) 
                         VALUES ('$user_id', '$now')"
                    );
                    return false;
                }
            }
        } else {
            // No user exists. 
            return false;
        }
    }
}

below is how I Register the user to the DB

<?php
    include 'db_connect.php';
    include 'functions.php';

    $password = $_POST['p']; 
    $username = $_POST['username']; 
    $email = $_POST['email']; 

    $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));

    $password = hash('sha512', $password.$random_salt);


    if ($insert_stmt = $mysqli->prepare(
        "INSERT INTO members (username,email,password,salt) 
         VALUES (?, ?, ?, ?)"
    )) {    
        $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt); 
        // Execute the prepared query.
        $insert_stmt->execute();
        echo 'Member Succesfully added to the Website list';
    } else {
        echo 'Error couldnt add the user, Try again';
    }
?>
Spiny Norman
  • 8,277
  • 1
  • 30
  • 55
Lord-David
  • 535
  • 1
  • 11
  • 34
  • 1
    Where is the code for populating the members table? I'm guessing there is a discrepancy in how you are hashing your passwords, especially as you have stated it works for one account you populated directly in the database. – Mitch Satchwell Feb 05 '13 at 10:22
  • @GrantThomas please visit [link](http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL) thats the tutorial I followed when creating the whole thing. – Lord-David Feb 05 '13 at 10:25
  • @GrantThomas for the creation of the hash and Everything please follow [this link](http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL)...Thank you and get back @ me please – Lord-David Feb 05 '13 at 10:34
  • @GrantThomas I just edited the Question on how I register the user with a Random Salt that I create using a JavaScript. – Lord-David Feb 05 '13 at 10:47
  • Are you sure $password = $_POST['p']; // The hashed password. is true? – Neville Kuyt Feb 05 '13 at 12:27
  • @NevilleK by true what do you mean? – Lord-David Feb 05 '13 at 12:41
  • 1
    Is the POST variable the hashed password? Not sure if that's possible - I'd assume it was plain text. – Neville Kuyt Feb 05 '13 at 12:53
  • Your password hashing function is bad in the first place. Use bcrypt with the `password_hash` API: http://stackoverflow.com/questions/12870947/how-to-add-salt-in-user-password/12871607#12871607 – CodesInChaos Feb 05 '13 at 13:27
  • @NevilleK yes the POST Variable is hashed on the LOgin Function look carefully its not plain text. – Lord-David Feb 05 '13 at 13:33
  • I don't get the purpose of your javascript sided hashing. If you're not using TLS, it doesn't make your login secure. If you use TLS, you don't need it. Just send the plaintext password over TLS. Then TLS takes care of encryption, server authentication, prevents malicious html+js being served etc. – CodesInChaos Feb 05 '13 at 13:33
  • @CodesInChaos the purpose of the Javascript is to generate random Salt values for me...Please see [this](http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL) – Lord-David Feb 05 '13 at 13:40
  • @Lord-David The only place a random salt is generated is the user generation php code. The javascript code hashes the password without salt on the client side. This doesn't improve security at all. | Your salt generation algo isn't great, and your hashfunction is unsuitable for password hashing. As I said, use `password_hash` to generate a new password hash on registration, and `password_verify` to check it on login. Don't use silly javascript hashing, and don't use plain SHA-512 as hash. | And use HTTPS. No HTTPS => insecure web app. – CodesInChaos Feb 05 '13 at 13:47
  • @NevilleK you were right when registering the post was going in as plain text, So I hashed it as $password = hash('sha512', $_POST['p']); its now working. Thank you all guys for your Suggestions they helped me open eyes in a way. Thank you guys:) – Lord-David Feb 05 '13 at 14:41

1 Answers1

1

I am guessing you have either randomely changed the password somehow, when you sign up---sha512( $password) and login should be the same in order to match it when quering the data---The $Salt is a bit confusing to?

    Login
    $_POST['password'] = stripslashes($_POST['password']);
    $password = mysql_real_escape_string(sha512($_POST['password']));
    Signup
    $_POST['password'] = stripslashes($_POST['password']);
    $password = mysql_real_escape_string(sha512($_POST['password']));
Robin Dale Deatherage
  • 35
  • 3
  • [This](http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL) might help you understand the whole thing including salt. – Lord-David Feb 05 '13 at 12:39