#1
    Registered User (Devshed Newbie, 0 - 499 posts; Join Date Apr 2013; Posts 2; Rep Power 0)

    Username and Password does not match


    Hi there

    I have the following code to register my users. When I try to login, I get an error that the password/username does not match, even though I know that I have entered it correctly. Am I doing something wrong?

    PHP Code:
    <?php

    class Users {
        public $username  = null;
        public $firstname = null;
        public $lastname  = null;
        public $firmname  = null;
        public $email     = null;
        public $password  = null;
        public $salt      = "*salt*";   // one constant salt, shared by every user

        // Populate the object from a form-data array; each value is run
        // through strip_tags() and stripslashes() before being stored.
        public function __construct( $data = array() ) {
            if( isset( $data['username'] ) )  $this->username  = stripslashes( strip_tags( $data['username'] ) );
            if( isset( $data['firstname'] ) ) $this->firstname = stripslashes( strip_tags( $data['firstname'] ) );
            if( isset( $data['lastname'] ) )  $this->lastname  = stripslashes( strip_tags( $data['lastname'] ) );
            if( isset( $data['firmname'] ) )  $this->firmname  = stripslashes( strip_tags( $data['firmname'] ) );
            if( isset( $data['email'] ) )     $this->email     = stripslashes( strip_tags( $data['email'] ) );
            if( isset( $data['password'] ) )  $this->password  = stripslashes( strip_tags( $data['password'] ) );
        }

        public function storeFormValues( $params ) {
            // store the parameters
            $this->__construct( $params );
        }

        // Look the user up by username AND by sha256( password . salt );
        // the hash comparison happens inside the SQL WHERE clause.
        public function userLogin() {
            $success = false;
            try {
                $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
                $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
                $sql = "SELECT * FROM users WHERE username = :username AND password = :password LIMIT 1";

                $stmt = $con->prepare( $sql );
                $stmt->bindValue( ":username", $this->username, PDO::PARAM_STR );
                $stmt->bindValue( ":password", hash( "sha256", $this->password . $this->salt ), PDO::PARAM_STR );
                $stmt->execute();

                $valid = $stmt->fetchColumn();   // first column of the matching row, or false

                if( $valid ) {
                    $success = true;
                }

                $con = null;
                return $success;
            } catch ( PDOException $e ) {
                echo $e->getMessage();
                return $success;
            }
        }

        // Insert a new row, storing the same sha256( password . salt ) value
        // that userLogin() later searches for.
        public function register() {
            $correct = false;
            try {
                $con = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
                $con->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
                $sql = "INSERT INTO users( username, firstname, lastname, firmname, email, password, date ) VALUES( :username, :firstname, :lastname, :firmname, :email, :password, NOW() )";

                $stmt = $con->prepare( $sql );
                $stmt->bindValue( ":username", $this->username, PDO::PARAM_STR );
                $stmt->bindValue( ":firstname", $this->firstname, PDO::PARAM_STR );
                $stmt->bindValue( ":lastname", $this->lastname, PDO::PARAM_STR );
                $stmt->bindValue( ":firmname", $this->firmname, PDO::PARAM_STR );
                $stmt->bindValue( ":email", $this->email, PDO::PARAM_STR );
                $stmt->bindValue( ":password", hash( "sha256", $this->password . $this->salt ), PDO::PARAM_STR );
                $stmt->execute();
                return "Registration Successful <br/> <a href='index.php'>Login Now</a>";
            } catch( PDOException $e ) {
                return $e->getMessage();
            }
        }

    }

    ?>
    Last edited by requinix; April 23rd, 2013 at 12:37 PM. Reason: removing salt
#2
    Contributing User (Devshed Frequenter, 2500 - 2999 posts; Join Date Dec 2004; Posts 2,996; Rep Power 375)

    Doesn't look like it, but how are you inserting the username into the database?

    Can you echo out hash("sha256", $this->password . $this->salt) and see if it matches what is in your database? (if password is hashed as a string rather than a blob)
#3
    Registered User (Devshed Newbie, 0 - 499 posts; Join Date Apr 2013; Posts 2; Rep Power 0)

    I tried that. Same result.
#4
    Devshed Expert (3500 - 3999 posts; Join Date Jul 2012; Posts 3,959; Rep Power 1014)

    Hi,

    the class design is weird. Misusing the constructor to set all data you'll ever need is a bad idea. It's confusing, error-prone and just bad style. The methods should take their input through their parameters -- just like functions.

    Opening a new database connection for every single method call is also extremely inefficient and creates a lot of duplicate code. There should be one database connection. I'd open it at the top level of the script and pass it to the constructor.

    When you use a constant salt, you've really misunderstood its purpose. A salt must be unique for every user to prevent brute force attacks on all passwords at once. You may use a constant salt as an additional secret, but using only a constant salt isn't secure at all.

    You know what? I'd rewrite the class. Fix the issues mentioned above and use the password_compat library for creating secure hashes. It doesn't really make sense to spend time on fixing this particular issue when actually the whole architecture is broken.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
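    The rewrite that reply #4 recommends, as an added example (this is not the original poster's code, nor code from the thread's replies): the PDO connection is opened once and injected through the constructor, the methods take their input as parameters, and password_hash()/password_verify() generate and check a random per-user salt so no shared constant salt is needed. The in-memory SQLite database, the table name "users" and the column names are assumptions made so the snippet runs stand-alone; swap the DSN for the MySQL one used in the thread.

```php
<?php
// Added example: the structure suggested in reply #4, not the thread's own code.
// Assumes PHP >= 5.5 (or the password_compat library on 5.3.7/5.4, which
// provides password_hash()/password_verify() with the same signatures).

class UserRepository
{
    private $db;

    // One connection, created by the caller and passed in (no per-method PDO).
    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Store a password_hash() digest. A fresh random salt is generated on every
    // call and embedded in the returned string, so the same password produces a
    // different stored value for each user and no separate salt column is needed.
    public function register($username, $email, $password)
    {
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $this->db->prepare(
            'INSERT INTO users (username, email, password) VALUES (:username, :email, :password)'
        );
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->bindValue(':email', $email, PDO::PARAM_STR);
        $stmt->bindValue(':password', $hash, PDO::PARAM_STR);
        return $stmt->execute();
    }

    // Look the user up by username only, then let password_verify() do the
    // comparison in PHP: it reads the algorithm and salt back out of the stored
    // string, so the hash is never recomputed in the SQL WHERE clause.
    public function login($username, $password)
    {
        $stmt = $this->db->prepare('SELECT password FROM users WHERE username = :username LIMIT 1');
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->execute();
        $stored = $stmt->fetchColumn();
        if ($stored === false) {
            return false;   // unknown username
        }
        return password_verify($password, $stored);
    }
}

// Self-contained demo on a constructed in-memory SQLite schema (assumption, not
// the thread's MySQL table). The password column is 255 wide as the PHP manual
// recommends, because password_hash() output length varies by algorithm.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username VARCHAR(64) UNIQUE, email VARCHAR(255), password VARCHAR(255))');

$users = new UserRepository($db);
$users->register('alice', 'alice@example.com', 'correct horse battery staple');

var_dump($users->login('alice', 'correct horse battery staple'));   // correct password
var_dump($users->login('alice', 'wrong password'));                 // wrong password
var_dump($users->login('bob', 'correct horse battery staple'));     // no such user
```

    Two design points worth noting against the original class: selecting by username and verifying in PHP means a truncated or differently-encoded password column shows up as a clear `password_verify()` failure rather than a silent "no row matched", and `password_verify()` compares in constant time, whereas a `password = :password` clause leaves the comparison to the database.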
#5
    Contributing User (Devshed Frequenter, 2500 - 2999 posts; Join Date Dec 2004; Posts 2,996; Rep Power 375)

    Also change the access, i.e. salt can be private instead of public.

    I have gone through your class and can't see any reason why it wouldn't work :s but I would listen to Jacques..
