i'm creating a simple login system, i has the passwords using sha256 and store a salt using a random number in the database. However when i try to log in, when it goes to compare the hashes it fails. Can anyone see why?
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$mysql_db_hostname = "localhost";
$mysql_db_user = "root";
$mysql_db_database = "login";
$con = mysql_connect($mysql_db_hostname, $mysql_db_user) or die("Could not connect database");
mysql_select_db($mysql_db_database, $con) or die("Could not select database");
$query = "SELECT password, salt FROM registered_users WHERE username='$username'";
$result = mysql_query($query);
if(mysql_num_rows($result) < 1) //no such user exists
{
echo 'false';
header('Location: index.php');
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
echo 'false';
header('Location: index.php');
}
else
{
echo 'true';
$_SESSION['username']=$row['username'];
}
session_write_close();
Heres how i hash my pass
// hash the password using sha256 a string of 64 characters
$hash = hash('sha256', $password);
// create the salt, random string of characters appened to hash
function createSalt()
{
$string = md5(uniqid(rand(), true));
return substr($string, 0, 3);
}
$salt = createSalt();
$hash = hash('sha256', $salt . $hash);
Heres how i insert my data
mysql_query("INSERT INTO registered_users(username, name, email, password,salt)VALUES('$username', '$name', '$email', '$hash', '$salt')");
header("location: index.php?remarks-success");
mysql_close($con);
?>
Make sure you are storing the password in the database the same way you are checking it here.
So to put it in you should create the hash by first hashing the password, then rehashing it with a salt. If they don't match, then there is your problem.
Related
I have created a simple php login form which connects to a database and checks the validity of username and password. If they are correct it allows access if not an error message is displayed. My problem is that when I go to my login page it is automatically giving me an error message saying"invalid user etc" before i have even attempted to login in. Any suggestions as to why this might be?
<?php
session_start();
include('conn.php');
$theUserID = $_POST['userID'];
$theUserPassword = $_POST['password'];
$query = "SELECT userID, firstName, password FROM user INNER JOIN password ON user.passwordID=password.passwordID WHERE userID='$theUserID' AND password='$theUserPassword'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
if(mysqli_num_rows($result)>0){
//let them in
$_SESSION['myuser40058058']=$theUserID;
Header("Location:index.php");
}
else{
$message = "Incorrect Username or Password";
echo "<script type='text/javascript'>alert('$message');</script>";
}
?>
<?php
session_start();
check if the form was posted and user and password are set
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['userID']) && isset($_POST['password'])){
THIS IS ABSOLUTE UNSECURE !!!
check Paths for include and test values of the form!!
include('conn.php');
$theUserID = $_POST['userID'];
$theUserPassword = $_POST['password'];
THIS IS UNSECURE !!!
use at least a $mysqli->real_escape_string($YOUR_VARIABLES) in the query
$query = "SELECT userID, firstName, password FROM user INNER JOIN password ON user.passwordID=password.passwordID WHERE userID='$theUserID' AND password='$theUserPassword'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
if(mysqli_num_rows($result)>0){
//let them in
$_SESSION['myuser40058058']=$theUserID;
Header("Location:index.php");
}else{
$message = "Incorrect Username or Password";
echo "<script type='text/javascript'>alert('$message');</script>";
}
}
?>
I am creating login in angularjs, in login.phppage i am verify whether user exist or not by number of rows exist or not means using rowCount() in php pdo but it always return 0 result. here is my php file:
<?php
/*
* Collect all Details from Angular HTTP Request.
*/
$postdata = file_get_contents("php://input");
$request = json_decode($postdata);
$email = $request->email;
$pass = $request->password;
$user ="root";
$pass ="m2n1shlko";
$dbh = new PDO('mysql:host=localhost;dbname=blog_db', $user, $pass);
$query = $dbh->prepare("SELECT * FROM `signup_tbl` WHERE `email`='$email' AND `password`='$pass'");
$query->execute();
$count = $query->rowcount();
if($count>0){
echo "You have sucessfully login with this Email: ".$count; //this will go back under "data" of angular call.
}else{
echo "Error While Authentication with this Email: " .$count;
}
/*
* You can use $email and $pass for further work. Such as Database calls.
*/
?>
Data from the controller get here I didn't know where i am missing the code. Apreciate if help .. Thanks
You overwrite $pass to database (line 13) and for user (line 8). Change database password to $db_pass.
...
$email = '...';
$pass = $request->password;
...
$db_pass = '...';
...
$dbh = new PDO('mysql:host=localhost;dbname=blog_db', $user, $db_pass); // $pass to $db_pass
Its $query->rowCount(); NOT $query->rowcount();
$count = $query->rowCount();
if($count>0){
echo "You have sucessfully login with this Email: ".$count; //this will go back under "data" of angular call.
}else{
echo "Error While Authentication with this Email: " .$count;
}
Read Manual rowCount
I have done in my local system,it's working good,Try like below example,this is working fine.just follow this example and do your code right way:
<?php
$host = "localhost";
$username = "root";
$password = "";
$dbname = "xxx";
// Create connection
$conn = new PDO('mysql:host=localhost;dbname=xxx', $username, $password);
$query =$conn->prepare("select * from testing");
$query->execute();
$count = $query->rowCount();
echo "Counting:".$count;
?>
Output:-
Counting:3
i have a page login
in page have html form with textboxes and submit button
and in top of page i have PHP code thet chacke if name and password in database
if name and password in database page go to new page and pass the name and password to next page
i can do it with get metod like the vars in the URL
but i want to pass and go to new page with Post metod
how i can do it??
pleas help me with code....
in code html :
form name="frmlogin"action="<?= $_SERVER['PHP_SELF'] ?>" method="post" >
and in top of the page have PHP code:
$msg = "";
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$name = $_POST["name"];
$password = $_POST["password"]; if ($name == '' || $password == '') {
$msg = "You must enter all fields";
} else {
$sql = "SELECT * FROM tbluser WHERE fldUsername = '$name' AND fldPass = '$password'";
$query = mysql_query($sql);
if ($query === false) {
echo "Could not successfully run query ($sql) from DB: " . mysql_error();
exit;
}
if (mysql_num_rows($query) > 0) {
/*header('Location: YOUR_LOCATION');
exit;*/
$msg = "Username and password match";
echo '<script type="text/javascript">
window.location.href = "smartphon100.php?name='. $name .'&password='. $password .'";
}
if (mysql_num_rows($query) <= 0) {
$msg = "Username and password do not match";
}
}
}
help me to change the javascript window.location to post metod
You can go for php redirect also.
header('location:smartphon100.php?name='. $name .'&password='. $password) ;
BTW: you are passing password in browser?
If I understand correctly, you're trying to redirect a user after successfully logging in.
I see that your current code attempts to redirect using Javascript, the issue seems to be with the quotes on the value you tried to enter.
Try to change this line:
window.location.href = "smartphon100.php?name='. $name .'&password='. $password .'";
to this:
window.location.href = "smartphon100.php?name='.$name.'&password='. $password";
Overall you should read about security as the code you presented is very vulnerable.
PHP: SQL Injection - Manual
If you're trying to pass the values to another page in a POST method using Javascript, you could take a look at this answer:
JavaScript post request like a form submit
Although as I don't see a reason for posting the values more than once,
I recommend you to read about PHP sessions, cookies, and encryption, which allow you to store values that you can use across the website securely.
A simple example to using session:
<?php
//Starts the session, you need to use this line in every PHP file that'll need to access session variables
session_start();
$_SESSION['user'] = "Donny"; //Storing a user name
?>
A simple example of session use with your code:
Foo.php
session_start();
$msg = "";
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$name = $_POST["name"];
$password = $_POST["password"]; if ($name == '' || $password == '') {
$msg = "You must enter all fields";
} else {
$sql = "SELECT * FROM tbluser WHERE fldUsername = '$name' AND fldPass = '$password'";
$query = mysql_query($sql);
if ($query === false) {
echo "Could not successfully run query ($sql) from DB: " . mysql_error();
exit;
}
if (mysql_num_rows($query) > 0) {
$_SESSION['user'] = $name;
$_SESSION['pass'] = $password;
$msg = "Username and password match";
echo '<script type="text/javascript">window.location.href = "smartphon100.php";</script>';
}
if (mysql_num_rows($query) <= 0) {
$msg = "Username and password do not match";
}
}
}
Bar.php
<?php
session_start();
//Accessing the values:
echo $_SESSION['user'];
echo $_SESSION['pass'];
?>
NOTE:
It's not good to store values like that as again, they're not secure, please read about hashing passwords.
PHP: Password Hashing
Please anyone solve my problem my code execute automatically. Here it is.
$con=mysql_connect("localhost","root","") or die('Not Connected');;
mysql_select_db("reg");
if (isset($_POST['submit'])) {
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$username = $_POST['user'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];
if($fname=='' or $lname=='' or $email=='' or $username==''
or $password=='' or $cpassword==''){
echo "<script>alert('Please Fill Out Blank Fields')</script>";
exit();
}
}
$query="INSERT INTO `form`(`ID`, `fname`, `lname`, `email`, `username`, `password`, `cpassword`)
VALUES (NULL, '$fname','$lname','$email','$username','$password','$cpassword')";
if (mysql_query($query)) {
echo "<script>alert('Registered Successfully')</script>";
}
"Here is my question: Is that when i refresh the page the last code executes automatically" Please check my code.
Thanks.
<?php
function destroy_foo()
{
global $foo;
unset($foo);
}
$foo = 'bar';
destroy_foo();
echo $foo;
?>
First, put the last 3 lines inside the if block. This will ensure that the query only executes if there is a POST request.
To handle the refresh problem, use the Post-Redirect-Get pattern to ensure that the data isn't reposted. If the query executes successfully, redirect to a new page, and show a success message there.
if (isset($_POST['submit'])) {
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$username = $_POST['user'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];
if($fname=='' or $lname=='' or $email=='' or $username==''
or $password=='' or $cpassword==''){
echo "<script>alert('Please Fill Out Blank Fields')</script>";
exit();
}
// Run this query only if something was POSTed.
$query="INSERT INTO `form`(`ID`, `fname`, `lname`, `email`, `username`, `password`, `cpassword`)
VALUES (NULL, '$fname','$lname','$email','$username','$password','$cpassword')";
if (mysql_query($query)) {
// Redirect to successpage.php, and print the success message there.
header("Location: successpage.php");
exit();
// echo "<script>alert('Registered Successfully')</script>";
}
}
Alternatively, if you really want to stay on the same page, you could redirect to this page itself, with some query string, and display the appropriate message upon receiving the same:
if (isset($_POST['submit'])) {
...
if (mysql_query($query)) {
// Redirect to the same page, with a query string indicating success
header("Location: thesamepage.php?success=1");
exit();
}
}
// Check if registration was successful
if(isset($_GET['success'])) {
// Display the success message.
echo "<script>alert('Registered Successfully')</script>";
}
I think your code is kinda confuse.
Look:
/
/ connect.php
/ (pagewithform).php
/ (scripttoregister).php
connect.php
<?php
$server = "server";
$user = "user";
$pass = "pass";
$db = "db";
$connect = mysql_connect($server, $user, $pass);
if ( ! $connect ){
echo mysql_error();
exit;
} else{
mysql_select_db("$db", $connect);
}
?>
Creates vars, if not $connect, show erros and exit. Else, select your db.
_
(scripttoregister).php
include('connect.php');
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$username = $_POST['user'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];
if (empty($fname) or empty($lname) or empty($email) or empty($username) or empty($password) or empty($cpassword){
echo "<script>alert('Please Fill Out Blank Fields')</script>";
exit();
} else{
$query= mysql_query("INSERT INTO form(fname, lname, email, username, password, cpassword) VALUES ('$fname','$lname','$email','$username','$password','$cpassword')");
echo "alert('Registered Successfully')";
}
?>
Like this^
You have no need to create another if to just show alert neither set NULL to id, it's auto_increment. (: now you can add any action if(something is empty){} and else{}.
_
OOOOR in case of self-page (your)
if (isset($_POST['submit'])) {
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$username = $_POST['user'];
$password = $_POST['password'];
$cpassword = $_POST['cpassword'];
if (empty($fname) or empty($lname) or empty($email) or empty($username) or empty($password) or empty($cpassword){
echo "<script>alert('Please Fill Out Blank Fields')</script>";
exit();
} else{
$query= mysql_query("INSERT INTO form(fname, lname, email, username, password, cpassword) VALUES ('$fname','$lname','$email','$username','$password','$cpassword')");
// Redirect to a page, 'n print the success message there. (as said John Bupit)
header("Location: page.php");
exit();
// echo "<script>alert('Registered Successfully')</script>";
}
}
Every time I leave any textbox unfilled for the 1st time, it would be registered to the db same as if I leave all the textboxes empty but when you do it for the 2nd time (any of the two), that would be the time the alert box would pop-up... I don't what to do.
Help me please.
Here's my code:
<?php
ini_set('display_errors', 0);
$email= $_POST['email'];
$user= $_POST['user'];
$password= $_POST['password'];
$image =($_FILES['image']['name']);
$submit= $_POST['submit'];
if (empty($email) || empty($password) || empty($user) )
{
echo "<script type='text/javascript'>
alert('You did not complete all of the required fields');
window.location='blah2.php';
</script>";
}
if(isset($submit))
{
$con = mysqli_connect("localhost", "root", "", "top")
or die('error in connection'.mysqli_connect_error());
$q = "SELECT username , email FROM registries WHERE username = ? OR email = ?";
$stmt = mysqli_prepare ($con, $q);
mysqli_stmt_bind_param($stmt, 'ss', $user, $email);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $user , $email);
mysqli_stmt_store_result($stmt);
$result = mysqli_stmt_num_rows($stmt);
if($result > 0)
{
echo "<script type='text/javascript'>
alert('Email address or Username is already taken. Please pick another one.');
window.location='blah2.php';
</script>";
}
else
{
$q="INSERT INTO registries VALUES (?,?,?,?)";
$stmt = mysqli_prepare($con, $q);
move_uploaded_file($_FILES["image"]["tmp_name"],"uploads/" . $_FILES["image"]["name"]);
mysqli_stmt_bind_param($stmt, 'ssss', $email, $user, $password, $image);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
mysqli_stmt_close($stmt);
header('Location: blah.php');
}
}
with this
$submit= $_POST['submit'];
$submit is always set
maybe you could try
if (isset($_POST['Submit']))
and for debugging purpose you could try to var_dump $email, $password and $user and check if maybe they are really empty when you post your form once or twice
If I understand you right then just move
if(isset($submit)){
on top of your code right after
ini_set('display_errors', 0);