Log In and Registration Form Password
<p>I am making a login and registration form. Since I am dealing with passwords, I want to do it right, so excuse the long lines of code. I have managed to do the registration form that will hash the password. But my problem is when logging in: the password is not reading it, and I am using only one mock account and one password. Do you think it's the hashing? Please help</p>
<p>PHP code (I have made a functions.php file that has the functions needed to do this login; it contains)</p>
<p>login function</p>
<pre><code>function login($email, $password, $mysqli) {
    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli-&gt;prepare("SELECT accountID, UserName, Password, salt FROM accounts WHERE email = ? LIMIT 1")) {
        $stmt-&gt;bind_param('s', $email); // Bind "$email" to parameter.
        $stmt-&gt;execute();               // Execute the prepared query.
        $stmt-&gt;store_result();
        $stmt-&gt;bind_result($user_id, $username, $db_password, $salt); // Get variables from result.
        $stmt-&gt;fetch();
        $password = hash('sha512', $password.$salt); // Hash the password with the unique salt.
        if ($stmt-&gt;num_rows == 1) { // If the user exists
            // We check if the account is locked from too many login attempts
            if (checkbrute($user_id, $mysqli) == true) {
                // Account is locked
                // Send an email to user saying their account is locked
                return false;
            } else {
                // Check if the password in the database matches the password the user submitted.
                // hash_equals() compares in constant time and avoids PHP's loose "==" on hex strings.
                if (hash_equals($db_password, $password)) {
                    // Password is correct!
                    $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value
                    $_SESSION['user_id'] = $user_id;
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); // XSS protection as we might print this value
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password.$user_browser);
                    // Login successful.
                    return true;
                } else {
                    // Password is not correct
                    // We record this attempt in the database (prepared, like the other queries)
                    $now = time();
                    if ($ins = $mysqli-&gt;prepare("INSERT INTO login_attempts (user_id, time) VALUES (?, ?)")) {
                        $ins-&gt;bind_param('ii', $user_id, $now);
                        $ins-&gt;execute();
                    }
                    return false;
                }
            }
        } else {
            // No user exists.
            return false;
        }
    }
    return false; // prepare() failed
}
</code></pre>
<p>I have a checkbrute function that deals with forced logins</p>
<pre><code>function checkbrute($user_id, $mysqli) {
    // Get timestamp of current time
    $now = time();
    // All login attempts are counted from the past 2 hours.
    $valid_attempts = $now - (2 * 60 * 60);
    if ($stmt = $mysqli-&gt;prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time &gt; ?")) {
        $stmt-&gt;bind_param('ii', $user_id, $valid_attempts); // Bind both values instead of interpolating.
        // Execute the prepared query.
        $stmt-&gt;execute();
        $stmt-&gt;store_result();
        // If there have been more than 5 failed logins
        if ($stmt-&gt;num_rows &gt; 5) {
            return true;
        } else {
            return false;
        }
    }
    return false; // prepare() failed; the original fell through with no lockout either
}
</code></pre>
<p>Finally I have a login_check to check if all session variables are set</p>
<pre><code>function login_check($mysqli) {
    // Check if all session variables are set
    if (isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {
        $user_id = $_SESSION['user_id'];
        $login_string = $_SESSION['login_string'];
        $username = $_SESSION['username'];
        $user_browser = $_SERVER['HTTP_USER_AGENT']; // Get the user-agent string of the user.
        if ($stmt = $mysqli-&gt;prepare("SELECT Password FROM accounts WHERE accountID = ? LIMIT 1")) {
            $stmt-&gt;bind_param('i', $user_id); // Bind "$user_id" to parameter.
            $stmt-&gt;execute();                 // Execute the prepared query.
            $stmt-&gt;store_result();
            if ($stmt-&gt;num_rows == 1) { // If the user exists
                $stmt-&gt;bind_result($password); // Get variables from result.
                $stmt-&gt;fetch();
                $login_check = hash('sha512', $password.$user_browser);
                if (hash_equals($login_string, $login_check)) { // Constant-time compare of the session token
                    // Logged in!
                    return true;
                } else {
                    // Not logged in
                    return false;
                }
            } else {
                // Not logged in
                return false;
            }
        } else {
            // Not logged in (prepare() failed)
            return false;
        }
    } else {
        // Not logged in
        return false;
    }
}
</code></pre>
<p>I am running the login form via a separate html file</p>
<pre><code>&lt;body&gt;
    &lt;form action="process_login.php" method="post" name="login_form"&gt;
        Email: &lt;input type="text" name="email" value=""/&gt;
        Password: &lt;input type="password" name="password" id="password" value="" /&gt;
        &lt;input type="button" value="Login" onclick="formhash(this.form, this.form.password);" /&gt;
    &lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;
</code></pre>
<p>and the process_login.php</p>
<pre><code>include 'db_connect.php';
include 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['password'])) {
    $email = $_POST['email'];
    $password = $_POST['password']; // The hashed password.
    if (login($email, $password, $mysqli) == true) {
        // Login success
        echo 'Success: You have been logged in!';
    } else {
        // Login failed
        echo 'Fail';
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}
</code></pre>
<p>Thanks</p>
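An added illustration, not the asker's code, of the two things a reviewer would check in a setup like this: that registration and login derive the stored value through one shared routine (the login form above pre-hashes in the browser with formhash(), so whatever transformation reaches the server must be the same one applied at registration), and that the comparison uses hash_equals() rather than "==". The helper names, the salt size and the sample password are assumptions for the demo; the password_hash()/password_verify() pair is shown as the PHP-native alternative to a hand-rolled salted SHA-512.

```php
<?php
// Added example (not from the question). Runs stand-alone: no database needed.

// One routine used by BOTH registration and login. If the two pages ever
// compute the stored value differently (e.g. one side receives a browser-side
// SHA-512 hex digest and the other the raw password), logins can never match.
function derive_password_hash(string $password, string $salt): string {
    return hash('sha512', $password . $salt);
}

// Per-user salt from the CSPRNG (32 random bytes, stored as 64 hex chars).
function make_salt(): string {
    return bin2hex(random_bytes(32));
}

// hash_equals() is constant-time and does a strict byte comparison. "==" on two
// hex digests is not constant-time and, in PHP, digests that look numeric
// (such as "0e..." strings) can compare equal when they are not.
function verify_password(string $password, string $salt, string $stored_hash): bool {
    return hash_equals($stored_hash, derive_password_hash($password, $salt));
}

// Preferred approach: PHP picks a slow, salted algorithm and stores the salt
// inside the returned string, so there is no separate salt column to keep in sync.
function register_modern(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function login_modern(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// Self-check with constructed values.
$salt   = make_salt();
$stored = derive_password_hash('correct horse', $salt);   // what registration would store
assert(verify_password('correct horse', $salt, $stored) === true);
assert(verify_password('wrong password', $salt, $stored) === false);

$modern = register_modern('correct horse');
assert(login_modern('correct horse', $modern) === true);
assert(login_modern('wrong password', $modern) === false);
echo "ok\n";
```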