#1 Registered User (Devshed Newbie, joined Nov 2013)

    Login Tutorial Help


    I am learning with the login tutorial and trying to improve our current login process.

    We already have a list of clients and their email addresses.
    When they register, they add their email address, clientno and a password. (A check is there in case they are already registered, i.e. !empty($row['salt']).)
    Thereafter they just log in with the email and the password.

    (Yes, newbie, but I will be removing the $ex->getMessage() once finished.)

    So, two questions:
    1) Why is the password from the register not able to be matched when login is done?
    2) Do you see an issue with the process steps?

    Register
    Code:
    <?php 
        // common.php is assumed to create the PDO connection $db and start the session.
        require("variables/common.php"); 

        if(!empty($_POST)) { 
            if(empty($_POST['email'])) { 
                die("Please enter your E-Mail Address."); 
            } 

            if(empty($_POST['password'])) { 
                die("Please enter a password."); 
            } 

            if(empty($_POST['clientno'])) { 
                die("Please enter your Client No."); 
            }

            if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) { 
                die("Invalid E-Mail Address"); 
            } 

            // The client must already be on the list under this email + clientno.
            $query = " 
                SELECT * FROM WebClientList 
                WHERE EmailAddress = :email AND clientno = :clientno
            "; 

            $query_params = array( 
                ':email' => $_POST['email'],
                ':clientno' => $_POST['clientno'] 
            ); 

            try { 
                $stmt = $db->prepare($query); 
                $result = $stmt->execute($query_params); 
            } 
            catch(PDOException $ex) { 
                die("Failed to run query: " . $ex->getMessage()); 
            } 

            $row = $stmt->fetch(); 

            if(empty($row)) { 
                die("This clientno and email don't match the system"); 
            } 

            // A non-empty salt means this client has registered before.
            if(!empty($row['salt'])) { 
                header("Location: login.php"); 
                die("This client has already registered"); 
            }

            // Restrict the update to the same row that was just checked.
            $query = " 
                UPDATE WebClientList SET salt = :salt, WebPassword = :password 
                WHERE EmailAddress = :email AND clientno = :clientno
            "; 

            // Salt: up to 16 hex characters. Hash: 64 hex characters (SHA-256).
            // Both columns must be wide enough to store these values in full;
            // a truncated salt or hash can never be matched again at login.
            $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
            $password = hash('sha256', $_POST['password'] . $salt); 
            for($round = 0; $round < 65536; $round++) { 
                $password = hash('sha256', $password . $salt); 
            } 

            $query_params = array(
                ':password' => $password, 
                ':salt' => $salt, 
                ':email' => $_POST['email'],
                ':clientno' => $_POST['clientno'] 
            ); 

            try { 
                $stmt = $db->prepare($query); 
                $result = $stmt->execute($query_params); 
            } 
            catch(PDOException $ex) { 
                die("Failed to run query: " . $ex->getMessage()); 
            } 

            //header("Location: login.php"); 
            //die("Redirecting to login.php"); 
        } 
    ?>
    Log in
    Code:
    <?php 
        // common.php is assumed to create the PDO connection $db and start the session.
        require("variables/common.php"); 
        $submitted_email = ''; 

        if(!empty($_POST)){ 
            if(empty($_POST['email']) || empty($_POST['password'])) { 
                die("Please enter your E-Mail Address and password."); 
            } 

            $query = " 
                SELECT * FROM WebClientList 
                WHERE EmailAddress = :email 
            "; 

            $query_params = array(
                ':email' => $_POST['email']
            ); 

            try{ 
                $stmt = $db->prepare($query); 
                $result = $stmt->execute($query_params); 
            } 
            catch(PDOException $ex){ 
                die("Failed to run query: " . $ex->getMessage()); 
            } 

            $login_ok = false; 
            $row = $stmt->fetch(); 

            // Recompute the hash exactly as register.php does, using the stored salt.
            if($row){ 
                $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
                for($round = 0; $round < 65536; $round++){ 
                    $check_password = hash('sha256', $check_password . $row['salt']); 
                } 

                if($check_password === $row['WebPassword']){ 
                    $login_ok = true; 
                } 
            } 

            if($login_ok){ 
                // Never keep the salt or hash in the session.
                unset($row['salt']); 
                unset($row['WebPassword']); 
                $_SESSION['user'] = $row; 

                //Redirect the user to the private members-only page. 
                header("Location: MyDetails.php"); 
                die("Redirecting to: MyDetails.php"); 
            } 
            else { 
                print("<br> Login Failed."); 
                // The form posts 'email', not 'username'; keep the escaped value to refill the form.
                $submitted_email = htmlentities($_POST['email'], ENT_QUOTES, 'UTF-8'); 
            } 
        } 
    ?>
#2 Devshed Expert (joined Jul 2012)
    Guys, please, please stop inventing your own hash algorithms.

    If you wanna know what's wrong with non-cryptographers dabbling in cryptography, read up on the story of Cryptocat. Or just watch the poor lead programmer explain how he completely messed up the cryptography of his chat software, simply because he didn't know what he did. Unfortunately, the press had already marketed his software as "a secure chat system for dissidents"...

    Don't write the next Cryptocat. Use proven algorithms from people who actually know what they're doing. In the case of hash algorithms, the standard solution is bcrypt:

    1. If you have PHP 5.5, use the new password hashing API.
    2. If you have at least PHP 5.3.7, use the password_compat library. It emulates the new hashing API for old PHP versions.
    3. If you don't even have PHP 5.3, you need to update your stuff now.

    Fix this. Then fix all the try-catch stuff (this doesn't even make sense for debugging).

    And maybe the original problem is already gone at that point.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
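As an added illustration of the reply above (this is example code written for this thread, not the poster's code and not from the tutorial being followed), here is the register/login pair rebuilt on the PHP 5.5 password hashing API. It assumes variables/common.php creates a PDO connection in $db and starts the session, reuses the thread's table and column names (WebClientList, EmailAddress, clientno, WebPassword), and assumes the two forms carry a hidden `action` field of `register` or `login`. The separate salt column is no longer needed, because password_hash() generates its own random salt and stores it inside the returned string; on PHP 5.3.7 to 5.4 the password_compat library supplies the same functions.

```php
<?php
// Added example for this thread (not the original poster's code). Assumes
// $db (PDO) and the session come from variables/common.php, and the thread's
// table WebClientList with columns EmailAddress, clientno, WebPassword.
require("variables/common.php");

// Make PDO throw on failure instead of returning false silently. With this set
// there is no need for a try/catch around every query: an uncaught exception
// stops the script and goes to the PHP error log, which is what debugging needs.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Read a POST field as a string, '' when absent (avoids undefined index notices).
function post_field($key)
{
    return isset($_POST[$key]) ? (string) $_POST[$key] : '';
}

// Returns null on success, or an error message for the user.
function register_client(PDO $db, $email, $clientno, $password)
{
    if ($clientno === '' || $password === '') {
        return "Please enter your Client No. and a password.";
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return "Invalid E-Mail Address";
    }

    // The client must already be on the list under this email + clientno.
    $stmt = $db->prepare(
        "SELECT WebPassword FROM WebClientList WHERE EmailAddress = :email AND clientno = :clientno"
    );
    $stmt->execute(array(':email' => $email, ':clientno' => $clientno));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return "This clientno and email don't match the system";
    }
    if (!empty($row['WebPassword'])) {
        return "This client has already registered";
    }

    // bcrypt with a random per-password salt and a work factor chosen by PHP.
    // The string is 60 characters today; size the column at 255 so a future
    // default algorithm still fits without truncation.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $db->prepare(
        "UPDATE WebClientList SET WebPassword = :hash WHERE EmailAddress = :email AND clientno = :clientno"
    );
    $stmt->execute(array(':hash' => $hash, ':email' => $email, ':clientno' => $clientno));
    return null;
}

// Returns the client's row without the hash on success, or false.
function login_client(PDO $db, $email, $password)
{
    $stmt = $db->prepare("SELECT * FROM WebClientList WHERE EmailAddress = :email");
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || empty($row['WebPassword'])) {
        // Unknown or unregistered client: spend one bcrypt computation anyway so
        // the response time does not reveal which email addresses exist.
        password_hash($password, PASSWORD_DEFAULT);
        return false;
    }
    if (!password_verify($password, $row['WebPassword'])) {
        return false;
    }

    // Transparently upgrade the stored hash if PHP's default cost/algorithm changed.
    if (password_needs_rehash($row['WebPassword'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare("UPDATE WebClientList SET WebPassword = :hash WHERE clientno = :clientno");
        $upd->execute(array(
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':clientno' => $row['clientno'],
        ));
    }

    unset($row['WebPassword']);
    return $row;
}

// Dispatch on the assumed hidden 'action' field of each form.
if (post_field('action') === 'register') {
    $error = register_client($db, post_field('email'), post_field('clientno'), post_field('password'));
    if ($error !== null) {
        die(htmlentities($error, ENT_QUOTES, 'UTF-8'));
    }
    header("Location: login.php");
    exit;
}

if (post_field('action') === 'login') {
    $user = login_client($db, post_field('email'), post_field('password'));
    if ($user === false) {
        print("<br> Login Failed.");
    } else {
        session_regenerate_id(true);   // fresh session id after login, against fixation
        $_SESSION['user'] = $user;
        header("Location: MyDetails.php");
        exit;
    }
}
```

Two points of the design worth noting: the stored string from password_hash() already carries the algorithm, cost and salt, so login needs nothing but password_verify(), which also does a constant-time comparison; and because PDO is in exception mode, a failed UPDATE at registration cannot pass silently, which is one of the first things to rule out when a freshly registered password will not verify.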
