
Trying to develop a simple CRUD application piecing together tutorials from the net, just now I'm working on the login and this is proving to be a slight problem. I can register a user and it will add a record to the database, but when I try logging in it fails every time. My code sample is below, any help would be greatly appreciated.

Index.php

<?php
require("config.php"); 
$submitted_username = ''; 
if(!empty($_POST)){ 
    // Look the user up by name; the named placeholder keeps the submitted value out of the SQL text
    $query = " 
        SELECT 
            userid, 
            username, 
            password, 
            salt, 
            email 
        FROM wt_users 
        WHERE 
            username = :username 
    "; 
    $query_params = array( 
        ':username' => $_POST['username'] 
    ); 

    try{ 
        $stmt = $db->prepare($query); 
        $result = $stmt->execute($query_params); 
    }   
    // Do not echo driver error text to end users in production; log it instead
    catch(PDOException $ex){ die("Failed to run query: " . $ex->getMessage()); } 
    $login_ok = false; 
    $row = $stmt->fetch(); 
    if($row){ 
        // Recompute the stored digest: SHA-256 of password.salt, then 65536 further rounds.
        // The registration code must produce exactly this value (same order, same rounds,
        // same salt) or the comparison below can never succeed.
        $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
        for($round = 0; $round < 65536; $round++){
            $check_password = hash('sha256', $check_password . $row['salt']);
        } 
        // Constant-time comparison; "==" on two hex strings is a loose compare in PHP.
        // hash_equals() needs PHP 5.6+; on older versions use "===" instead.
        if(hash_equals($row['password'], $check_password)){
            $login_ok = true;
        } 
    } 

    if($login_ok){ 
        // Drop the secrets before the row goes into the session
        unset($row['salt']); 
        unset($row['password']); 
        $_SESSION['users'] = $row;  
        header("Location: secret.php"); 
        die("Redirecting to: secret.php"); 
    } 
    else{ 
        print("Login Failed."); 
        $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
    } 
} 

config.php

<?php
// These variables define the connection information for your MySQL database 
$username = "*******"; 
$password = "***********"; 
$host = "*********"; 
$dbname = "********"; 

$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8'); 
try { $db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options); } 
// As with the query error above, avoid showing $ex->getMessage() to end users in production
catch(PDOException $ex){ die("Failed to connect to the database: " . $ex->getMessage());} 
// Throw on SQL errors instead of failing silently, and return rows as associative arrays
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); 
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC); 
header('Content-Type: text/html; charset=utf-8'); 
// Must run before any page output, and before $_SESSION is read or written
session_start(); 

loggedin.php

<?php
require("config.php");
// config.php has already called session_start(); no session row means not logged in
if(empty($_SESSION['users'])) 
{
    header("Location: index.php");
    die("Redirecting to index.php"); 
}

Plan is to display a CRUD interface once the user has logged in, but for the moment I can't get them logged in.

classicjonesynz
Alex6534
    Why do you hash the same password more than once? It doesn't make it any more [secure](http://www.sitepoint.com/forums/showthread.php?552072-Double-Hashing-Passwords-for-Extra-Security). – classicjonesynz Apr 20 '14 at 23:05
    Yes, as @Killrawr said, hashing multiple times doesn't make the password more secure. Also, SHA-256 is outdated; use bcrypt. – Dev Man Apr 20 '14 at 23:08
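The question's scheme can only succeed if register.php and index.php compute the identical digest, and the comments recommend bcrypt instead. The PHP below is an added example, not code from the question or from any tutorial it was built on: it puts the question's digest computation into one function that both scripts can share, compares with hash_equals() rather than "==", and shows the bcrypt replacement through password_hash()/password_verify(). It assumes PHP 7.0 or later (for random_bytes()); the function names and make_salt() are assumptions, since the question does not show how registration generates its salt, and the self-check input is constructed. It also makes one thing easy to check on the database side: the legacy digest is 64 hex characters, so a password column shorter than that (MySQL truncates silently when not in strict mode) will never match at login.

```php
<?php
// Added example, not code from the question. Assumes PHP >= 7.0 (random_bytes).
declare(strict_types=1);

const LEGACY_ROUNDS = 65536;

// Legacy digest exactly as index.php computes it: SHA-256 of password.salt,
// then LEGACY_ROUNDS further rounds of SHA-256 over digest.salt. If register.php
// calls this same function, the stored value and the login-time value cannot drift.
function legacy_hash(string $password, string $salt): string
{
    $digest = hash('sha256', $password . $salt);
    for ($round = 0; $round < LEGACY_ROUNDS; $round++) {
        $digest = hash('sha256', $digest . $salt);
    }
    return $digest; // 64 hex characters; the password column must hold at least that many
}

// Salt generation is not shown in the question; this is an assumed implementation
// (16 random bytes, hex-encoded, so 32 characters in the salt column).
function make_salt(): string
{
    return bin2hex(random_bytes(16));
}

// Constant-time comparison. "==" on two hex strings is a loose compare in PHP.
function legacy_verify(string $password, string $salt, string $stored): bool
{
    return hash_equals($stored, legacy_hash($password, $salt));
}

// Replacement recommended in the comments: bcrypt through password_hash().
// The returned string carries algorithm, cost and salt, so no separate salt column
// is needed. Note that bcrypt only uses the first 72 bytes of the password.
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function modern_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Self-check on constructed input: simulate register.php storing a row, then
// index.php checking it, for both schemes.
$salt   = make_salt();
$stored = legacy_hash('correct horse', $salt);

if (strlen($stored) !== 64) {
    throw new RuntimeException('legacy digest should be 64 hex characters');
}
if (!legacy_verify('correct horse', $salt, $stored)) {
    throw new RuntimeException('legacy verify rejected the right password');
}
if (legacy_verify('wrong password', $salt, $stored)) {
    throw new RuntimeException('legacy verify accepted a wrong password');
}

$bcrypt = modern_hash('correct horse');
if (!modern_verify('correct horse', $bcrypt) || modern_verify('wrong password', $bcrypt)) {
    throw new RuntimeException('bcrypt verify failed');
}

echo "both schemes round-trip\n";
```

Run it with `php example.php`; it exits silently with an exception if either scheme fails to round-trip. To debug the original symptom, call legacy_hash() with the exact password and the salt value read from the wt_users row and compare the result, character by character, with what is stored in the password column: a different length points at the column definition, a different value points at the registration code computing the digest differently.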

0 Answers