3

I've put together a php user login script and while I've managed to get the registration page to work (thus ruling out the contents of my common.php file as a problem) and have checked in mySQL that the database is being populated, I can't seem to get the login itself to post anything other than unsuccessful.

I'm definitely typing a username and password in that are in the database. Can anyone see where I'm going wrong, or advise on how I would go about checking what is wrong?

The table jmp_users has a structure of :

jmp_userID / init(11) / auto_increment
jmp_username / varchar(30) / utf8_unicode_ci
jmp_password / varchar(40) / utf8_unicode_ci
salt / char(16) / utf8_unicode_ci

and my login.php page is :

<?php 

require("common.php"); 

$submitted_username = ''; 

if(!empty($_POST)) 
{ 
    $query = " 
        SELECT 
            jmp_userID, 
            jmp_username, 
            jmp_password, 
            salt 
        FROM jmp_users 
        WHERE 
            jmp_username = :username 
    "; 
    $query_params = array( 
        ':username' => $_POST['jmp_username'] 
    ); 

    try 
    { 
        $stmt = $db->prepare($query); 
        $result = $stmt->execute($query_params); 
    } 
    catch(PDOException $ex) 
    {  
        die("Failed to run query: " . $ex->getMessage()); 
    }  
    $login_ok = false; 
    $row = $stmt->fetch(); 
    if($row) 
    { 
        $check_password = hash('sha256', $_POST['jmp_password'] . $row['salt']); 
        for($round = 0; $round < 65536; $round++) 
        { 
            $check_password = hash('sha256', $check_password . $row['salt']); 
        } 

        if($check_password === $row['jmp_password']) 
        { 
            $login_ok = true; 
        } 
    } 
    if($login_ok) 
    { 
        unset($row['salt']); 
        unset($row['jmp_password']); 
        $_SESSION['user'] = $row; 
        header("Location: private.php"); 
        die("Redirecting to: private.php"); 
    } 
    else 
    { 
        print("Login Failed."); 
        $submitted_username = htmlentities($_POST['jmp_username'], ENT_QUOTES, 'UTF-8'); 
    } 
} 

?> 
<h1>Login</h1> 
<form action="login.php" method="post"> 
    Username:<br /> 
    <input type="text" name="username" value="<?php echo $submitted_username; ?>" /> 
    <br /><br /> 
Password:<br /> 
<input type="password" name="password" value="" /> 
<br /><br /> 
<input type="submit" value="Login" /> 
</form> 
<a href="register.php">Register</a>
Improve this question
7
  • 1
    You have a little bit of twisted logic when you generate the hash(es). Does the register form also runs the same hashing process? BTW, you can use the built-int password_verify functions (php.net/manual/ro/function.password-verify.php). Commented Apr 19, 2015 at 19:12
  • Yeah it does (as far as I can tell). I'm using the code from forums.devshed.com/php-faqs-stickies-167/… but with the email parts removed as they were unnecessary for my uses. Commented Apr 19, 2015 at 19:15
  • 1
    does your script enters the if($row) part???? Commented Apr 19, 2015 at 19:18
  • Well, the tutorial is a little bit old, especially on the part related to password hashing. You should print the two values - the one from db and the one computed by you and if they don't match and you cannot find the problem, I recommend to switch to password_verify, it's much easier to use and probably more reliable. Commented Apr 19, 2015 at 19:21
  • 1
    Are you rehashing the password 60k+ times? Commented Apr 19, 2015 at 19:32

1 Answer 1

Reset to default
4

as you're using SHA256 (with hex values, not raw) you need 64 characters to store the hash of the password (you have only 40).

btw: I think re-hashing the password 65536 times is unnecessary and CPU wasting. Also, usually a single salt string is used for all the passwords.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

The hashing password multiple times and use of multiple salts is much better for security.
yeah the # of re-hashings was bought over from the code i followed on building this. it's now been significantly reduced. the # of available characters for password has now been fixed and the database entry for testing replaced but still no luck. I guess I've been following an out of date tutorial. I'd gladly follow a less out of date one if anyone can point me towards one.
@Michas of course. But 65536 times in unnecessary high. Regarding the salt you may choose to have multiple salts if you're working on The Pentagon website. But here we have a major flaw: the salt is stored along with the hashed password. This is bad because anyone who breaks the db see both salt and hashed password. The salt must stay in some other place, likely the code. Obviously all this discussion makes sense if the client-server connection is over https otherwise there is an even bigger flaw upsteam as the password is sent clear over the network.
If someone got database, he could get code too. If there is only one salt for every password, he will be able to compute hashes for every popular question in no time.
@Michas If someone got database, he could get code too. absolutely not necessarily!!. Database and Application could even be on different machines on different locations. But if someone got database and hashes and salt are both on the database salt is useless. Salt stays in the code; also multiple salt is useless.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.