Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums. You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact us. |
|
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed. |
|
Thread Tools |
07-02-2022, 02:09 PM | #1 | ||
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
User authentification / login issue (password hash)
I have no issues with inserting the data into the database, the signup form is working perfectly however, when trying to login the page keeps telling me that the user/pass is incorrect and I can't figure out why.
Im creating a session, pulling the fields from the database correctly and having looking in the SQL row, the passwords are being stored correctly. Could someone point me in the right direction with the code below as to why this isnt working? Quote:
*Quick Edit* I'm using this on the submission form for the password, if it matters. Quote:
|
||
07-02-2022, 03:12 PM | #2 |
Confirmed User
Industry Role:
Join Date: Sep 2013
Location: The Netherlands
Posts: 805
|
You want to grab the clean user input (aka the password the user typed in), then compare that to the hash (in the database), I assume?
But here you are comparing the user input to $password (which is the hash/SQL entry, I guess?). Shouldn't it be more like this this, in that case: if (password_hash($_POST['password'], PASSWORD_BCRYPT) === $password) { .... }
__________________
Contact: email |
07-02-2022, 03:47 PM | #3 |
Confirmed User
Industry Role:
Join Date: Sep 2013
Location: The Netherlands
Posts: 805
|
Or... do you take the user input (password) from the form, then hash it using Bcrypt, before submitting the form?
It's a bit of a weird logic. Usually you take the raw input on submit, then after submit you'd hash it and compare those two hashes. I think the problem now might be this: If the password is 'dildo', the Bcrypt hash is '$2a$10$F0eXLChOzrgQXlIL0hFdxOVQ9Y6it3dXIRGueIB54t cHqPvUUeUMO' When you take that hash as input using $_POST, isn't php replacing the $2a, $10 parts etc with nothing, because these variables don't exists?
__________________
Contact: email |
07-02-2022, 04:00 PM | #4 |
I'll make you famous
Industry Role:
Join Date: Oct 2002
Posts: 13,947
|
|
07-02-2022, 07:49 PM | #5 | ||
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
Quote:
Here is the submit.php file that sends data to SQL... Quote:
|
||
07-02-2022, 08:56 PM | #6 | |
I'll make you famous
Industry Role:
Join Date: Oct 2002
Posts: 13,947
|
Quote:
That is not where your problem is. zijlstravideo pointed it out. In the code in your first post you have this line: if ($_POST['password'] === $password) You are comparing the unencrypted password that the user entered with the encrypted password from the database. They will never match. You need to encrypt the password entered to do the comparison. So the code he put up there should replace the if you are using: if (password_hash($_POST['password'], PASSWORD_BCRYPT) === $password) . |
|
07-03-2022, 02:08 AM | #7 | ||
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
Quote:
Quote:
|
||
07-03-2022, 06:55 AM | #8 |
I'll make you famous
Industry Role:
Join Date: Oct 2002
Posts: 13,947
|
Have you printed out what are in the 2 variables to see what you are comparing?
Also, you are printing out the same error msg in 2 places. Change 1 of them so you know exactly which error you are hitting. . |
07-03-2022, 07:30 AM | #9 | |
Confirmed User
Industry Role:
Join Date: Sep 2013
Location: The Netherlands
Posts: 805
|
Quote:
Echo both your $_POST variable and $password, and see why they don't match. EDIT: On your signup form, you use $password = mysqli_real_escape_string($link, $_REQUEST['password']), before you hash it and store it into your database. Therefore, any added slashes before escaped characters become part of the hash as well. Perhaps try: if(password_hash(mysqli_real_escape_string($_POST['password']), PASSWORD_BCRYPT) === $password)
__________________
Contact: email |
|
07-03-2022, 08:59 AM | #10 |
Confirmed User
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,217
|
His issue is very simple - he's using BCRYPT, which generates a different hash for the same string each time it's run. You can literally run it on the same password 100 times and get 100 different hashes. As such, you can't compare strings like you could with a normal salted MD5 or something.
You have to use this: https://www.php.net/manual/en/functi...ord-verify.php Code:
if(password_verify($_POST['password'], $password)) {
__________________
Mechanical Bunny Media Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development |
07-03-2022, 10:17 AM | #11 | |
Confirmed User
Industry Role:
Join Date: Sep 2013
Location: The Netherlands
Posts: 805
|
Quote:
__________________
Contact: email |
|
07-03-2022, 11:45 AM | #12 |
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
Good point, says inccorect username.
|
07-03-2022, 11:46 AM | #13 | |
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
Quote:
|
|
07-03-2022, 11:46 AM | #14 | |
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
Quote:
|
|
07-03-2022, 11:48 AM | #15 |
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
Would it be best to change the encryption method at this point to something else or do you think I'll still run into the issue because of an existing coding issue?
|
07-03-2022, 12:51 PM | #16 | |
Confirmed User
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,217
|
Quote:
columns username, password, and salt salt you insert a random string when inserting the user so each one has a unique salt. $salt = md5(uniqid()); $password = md5($_POST['password'].$salt); and then you just go $result = mysqli_query($dblink, "SELECT * FROM users WHERE username = '".$_POST['username']."' AND password = MD5(CONCAT('".$_POST['password']."',salt))"); (naturally, youd' protect against sql injection but just writing like that to illustrate what goes where). If there's a result, the user is valid. If it's empty, it's wrong login details.
__________________
Mechanical Bunny Media Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development |
|
07-03-2022, 12:57 PM | #17 | |
Confirmed User
Industry Role:
Join Date: Sep 2013
Location: The Netherlands
Posts: 805
|
Quote:
replace: if ($_POST['password'] === $password) with: if(password_verify(mysqli_real_escape_string($_POS T['password']), $password)) You've added slashes on your signup form, see this part of your code: $password = mysqli_real_escape_string($link, $_REQUEST['password']); // Securing password using password_hash $secure_pass = password_hash($password, PASSWORD_BCRYPT); So you need to add those again during login... Edit: k0nr4d already replied and yeah, md5 + salt would be easier.
__________________
Contact: email |
|
07-03-2022, 01:26 PM | #18 | ||
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
Quote:
Quote:
|
||
07-03-2022, 01:29 PM | #19 |
Confirmed User
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana.
Posts: 773
|
Oh and one other question, for the salt column, do I set that at varchar(255) or does it need to be longer/shorter?
Its currently vachar(255). |
07-03-2022, 01:54 PM | #20 | |
Confirmed User
Industry Role:
Join Date: Sep 2013
Location: The Netherlands
Posts: 805
|
Quote:
https://www.php.net/manual/en/function.uniqid "With an empty prefix, the returned string will be 13 characters long. If more_entropy is true, it will be 23 characters." https://www.php.net/manual/en/function.md5.php "Returns the hash as a 32-character hexadecimal number."
__________________
Contact: email |
|