php - Register & Login password hashing method the same but not working -

-

i saw similar questions here don't think answers apply me, i'm sorry if do..

heres sniplet of code containing both procedures:

note: the login , register works fine without hashing element.

if (isset($_post['username']) && ($_post['password'])) {     $username = trim($_post['username']);     $username = strtolower($username);     $password = trim($_post['password']);     $salt = hash('md5', "$username");     $password = hash('sha256', "$password"."$salt");      $stmt = $dbh->prepare("select `id` `1_users` username=? , password=? limit 1");     $stmt->bindvalue(1, $username, pdo::param_str);     $stmt->bindvalue(2, $password, pdo::param_str);     $stmt->execute();     if ($stmt->rowcount()) {         // match         $results = $stmt->fetch(pdo::fetch_assoc);         $_session['id'] = $results['id'];         $_session['logged_in'] = true;         $_session['ip'] = hash('sha1', "{$_server['remote_addr']}");         header ("location: account.php");     }     else {         $error = 'invalid username/password!';     } }  if (isset($_post['register'])) {     // check fields..     if ((empty($_post['r_username'])) || (empty($_post['r_password'])) || (empty($_post['re_password'])) || (empty($_post['email']))) {         $r_error = 'one of fields empty.';     }      $stmt = $dbh->prepare("select `username` `1_members` `username`=? limit 1");     $username = strtolower($_post['r_username']);     $username = trim($username);     $stmt->bindvalue(1, $username, pdo::param_str);     $stmt->execute();     $row = $stmt->rowcount();     if ($row) {         $r_error = 'that username in use';     }     else if (($_post['r_password']) !== ($_post['re_password'])) {         $r_error = 'the passwords did not match.';     }     else if (strlen($_post['r_username']) <= '3') {         $r_error = 'username short - needs 4 more charicters.';     }     else if (strlen($_post['r_password']) <='5'){         $r_error = 'password not long enough, please make 6-255 charicters or more.';     }     else {         // woohoo lets make account          $password = trim($_post['r_password']);         $salt = hash('md5', "$username");         $password = hash('sha256', "$password"."$salt");         $email = trim($_post['email']);         $stmt = $dbh->prepare("insert `1_members` (`username`, `password`, `email`) values(?,?,?)");        $stmt->bindvalue(1,$username,pdo::param_str);        $stmt->bindvalue(2,$password,pdo::param_str);        $stmt->bindvalue(3,$email,pdo::param_str);        $stmt->execute();        $_session['id'] = $dbh->lastinsertid();         $_session['logged_in'] = true;        $_session['ip'] = hash('sha1', "{$_server['remote_addr']}");         if ($_session['active_cart']) {            header ("location: cart.php");        }        else {            header ("location: account.php");        }     } }

before adding hashing passwords, functioned normal, im unsure on problem is.

debugging:

username: admin1 password: admin1

login procedure turns password to: 927364bb72cee168bd52c45a5d131b5923e2926eb6e8f0f46d6d7e5765cc3401

register procedure creates password as: 927364bb72cee168bd52c45a5d131b5923e2926eb6e8f0f46d6d7e5765cc3401

they match has gone wrong?

also if i've got wrong idea here or if im overlooking important security steps please advise on better methods.

also, i'm not worried email validation , i'm aware there lots of premade snipplets available validating email , getting @ later date.

any cc more welcome.

edit: the script returns "invalid username/password combo".

i suspect database field hashed password small, field must able store 64 characters.

even if can solve problem, have unsafe scheme store passwords (sha256 ways fast hashing passwords). have @ php function password_hash(), generate bcrypt hash , takes care of generation of safe salt. salt part of resulting 62 character string, there no need store salt separately. there exist compatibility pack older php versions.

// hash new password storing in database. // function automatically generates cryptographically safe salt. $hashtostoreindb = password_hash($password, password_bcrypt);  // check if hash of entered login password, matches stored hash. // salt , cost factor extracted $existinghashfromdb. $ispasswordcorrect = password_verify($password, $existinghashfromdb);

this means cannot verify password directly within sql statement, instead read hash database (by username), call password_verify() hash.


Comments

Post a Comment

Popular posts from this blog

java - Intellij Synchronizing output directories .. -

-
i trying build project, run in debug mode , keep getting "synchronizing output directories" in intellij. takes around 5-10 minutes actual build. project empty , stored on local drive. tried invalidate catche has not worked. out of ideas .. had similar issues? most likely, of data on network drive or in profile being synchronized network drive. if on windows, try moving .ideaxxx/system directory , work directory somewhere else on c: drive.
Read more

git - Initial Commit: "fatal: could not create leading directories of ..." -

-
i trying make initial commit git repository on github unity project. followed along this guide am. note: reason or another, couldn't set unity's asset serialization mode force text, settled on mixed (which believe should work). when call git clone --bare . , error. note not creator of repository , contributor (though making initial commit). here's in terminal (i'm using git bash): welcome git (version 1.8.4-preview20130916) run 'git git' display index. run 'git <command>' display specific commands. cheddar@cheddar-pc ~ $ cd documents/ics168swarch/ cheddar@cheddar-pc ~/documents/ics168swarch $ git init initialized empty git repository in c:/users/cheddar/documents/ics168swarch/.git / cheddar@cheddar-pc ~/documents/ics168swarch (master) $ git add . warning: lf replaced crlf in assets/prefabs.meta. file have original line endings in working directory. warning: lf replaced crlf in assets/prefabs/pellet.prefab.meta. file have original
Read more