PHP Login Script is not working with salts..how to solve it

Question

I am building a login form which also supports hashing with salts.

I have completed the login form but in my login form, when user doesn't provide password, he is redirected to welcome page & when user submits password, error occurs saying incorrect password even though the submitted password is correct.

Below is my login form:

<?php
if (isset($_POST['login'])) {
    $email        = $_POST['email'];
    $userPassword = $_POST['password'];
    $query        = "SELECT * FROM members WHERE (email='$email')";
    $result = mysql_query($query) or die('mysql error');
    if (mysql_num_rows($result) == 1) {
        $get_user_details = mysql_fetch_array($result);
        $user_id          = strip_tags($get_user_details['user_id']);
        $db_password      = strip_tags($get_user_details['password']);
        $salt             = strip_tags($get_user_details['salt']);
        $sr_user_sub_pass = hash('sha512', $userPassword . $salt);
        if ($user_sub_pass == $db_password) {
            header("location: welcome.php");
        } else {
            echo 'incorrect password';
        }
    } else {
        echo 'user not found';
    }
}
?>

Answer 1

I don't see you declare the $user_sub_pass variable anywhere. That could be the problem.

Answer 2

Change

if ($user_sub_pass == $db_password)

To

if ($sr_user_sub_pass === $db_password)

---

As the others pointed out your code is vulnerable to SQL injection. Use parametrized queries and you won't have to use strip_tags(), check this question.

Also mysql is deprecated so you should you use mysqli*or PDO.

Answer 3

I guess the variable

$user_sub_pass

should be

$sr_user_sub_pass

Hope it can help you.