1

Hey, I was recently told how md5 is not sufficient for passwords, so I have begun changing that. Currently this is the code for my registration script:

<?
session_start();

include 'db.php';

// Define post fields into simple variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$username = $_POST['username'];
$email_address = $_POST['email_address'];
$password = $_POST['password'];
$confirm_password = $_POST['confirm_password'];

/* Let's strip some slashes in case the user entered
any escaped characters. */

$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$username = stripslashes($username);
$email_address = stripslashes($email_address);



if((!$username) || (!$email_address)){
    echo 'You did not submit the following required information! <br />';
    if(!$username){
        echo "Username is a required field. Please enter it below.<br />";
    }
    if(!$email_address){
        echo "Email Address is a required field. Please enter it below.<br />";
    }
    include 'register.html'; // Show the form again!
    /* End the error checking and if everything is ok, we'll move on to
     creating the user account */
    exit();  //if the error checking has failed, we'll exit the script!
}


 if ( $password <> $confirm_password ){
    echo "<br /><strong><div style=color:#FF0000;><center>Password and confirm password do not match!<BR></center></div></strong>";
    include 'register.html';
    exit(); 
}


/* Let's do some checking and ensure that the user's email address or username
 does not exist in the database */

 $sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
 $sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");

 $email_check = mysql_num_rows($sql_email_check);
 $username_check = mysql_num_rows($sql_username_check);

 if(($email_check > 0) || ($username_check > 0)){
    echo "<br /><div style=color:#FF0000;><center>Please fix the following errors: </div><br /><br />";
    if($email_check > 0){
        echo "<strong><div style=color:#FF0000;><center>Your email address has already been used by another member in our database. Please submit a different Email address!</div><br />";
        unset($email_address);
    }
    if($username_check > 0){
        echo "<strong><div style=color:#FF0000;><center>The username you have selected has already been used by another member in our database. Please choose a different Username!</div><br />";
        unset($username);
    }
    include 'register.html'; // Show the form again!
    exit();  // exit the script so that we do not create this account!
 }

/* Everything has passed both error checks that we have done.
It's time to create the account! */

$db_password = password_hash($passwod, PASSWORD_DEFAULT);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, signup_date)
        VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', now())") or die (mysql_error());

if(!$sql){
    echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
    $userid = mysql_insert_id();
    // Let's mail the user!
    $subject = "Activation";
    $message = "Dear $first_name $last_name,
    Thank you for registering

    To activate your membership, please click here: http://activate.php?id=$userid&code=$db_password

    Once you activate your memebership, you will be able to login with the following information:
    Username: $username
    Password: $password

    This is the first step towards a steady income from sports betting.  Congratulations!


    Thanks!
    The Team

    This is an automated response, please do not reply!";

    mail($email_address, $subject, $message, "From: Activation<activation@y.com>\nX-Mailer: PHP/" . phpversion());
    echo "<br /><div style=color:#0000FF;><center>Your membership information has been mailed to your email address! Please check it and follow the directions!</div>";
    include 'login.html';
}

?>

And this is the check user script:

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
    echo "Please enter ALL of the information! <br />";
    include 'login.html';
    exit();
}

if (password_verify($password, $db_password)) {
    // Success!
}
else {
    echo "Invalid Credentials";
    include 'login.html';
    exit();
    }
// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
    foreach( $row AS $key => $val ){
        $key = stripslashes( $val );
    }

        // Register some session variables! 

        //session_register('email_address');
        $_SESSION["username"] = $username;
        $_SESSION["email_address"] = $email_address;
        //session_register('special_user');
        $_SESSION["user_level"] = $user_level;

        mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");

        header("Location: daily_picks.php");
    }
} else {
    echo "<center><div style=color:#FF0000;>You could not be logged in! Either the username and password do not match or you have not validated your membership!<br />
    Please try again!<br /></div></center>";
    include 'login.html';
}
?>

Right now I am having trouble with the check user script. When I click sign in, nothing happens and it returns invalid credentials. It might be because I am tired, but I am lost here on how to implement the check password with this password_hash()

Thanks.

user3205214
  • 2
    1. Your code is so horribly vulnerable to SQL Injections, that not even the strongest hashing algorithm in this universe would be good enough to save your website. 2. Which version of PHP do you use? – Realitätsverlust Apr 22 '15 at 06:11
  • Just updated to 5.5 - I guess I'll have to look into SQL injection as well now. Do you have any input for what I am missing here? Would like to get this down before moving on to SQL injections – user3205214 Apr 22 '15 at 06:14
  • 1
    Maybe. In the if-condition, you use `if (password_verify($password, $db_password)) {`. Where does the `$db_password` come from and what's its content? – Realitätsverlust Apr 22 '15 at 06:18
  • `$db_password = password_hash($passwod, PASSWORD_DEFAULT);` It is the hashed password entered into the database – user3205214 Apr 22 '15 at 06:24

4 Answers

0

As you said, you stored the password as an encrypted value. So when querying, you have to use the same encryption mechanism to generate the password before applying it in the query.

$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='"+fun($password)+"' AND activated='1'");

Where fun() is the encryption function.

Sanjay Kumar N S
  • This gives me an error on the following line: Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in checkuser line 19 – user3205214 Apr 22 '15 at 07:01
0

Check your password_verify perhaps.

if (password_verify($password, $db_password)) {
// Success!
}
else {
    echo "Invalid Credentials";
    include 'login.html';
    exit();
    }
arifhazwan
0

Use password_verify() to check passwords hashed with password_hash() function. Try this..

$hash = password_hash($password, PASSWORD_BCRYPT);
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND 

password='$hash' AND activated='1'");
  • I tried this and I get this now: Warning: password_verify() expects exactly 2 parameters, 1 given – user3205214 Apr 22 '15 at 06:34
  • And this: Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in – user3205214 Apr 22 '15 at 06:34
  • I still get this: Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in – user3205214 Apr 22 '15 at 06:42
  • Could this have to do with $db_password? I am not storing that in the database; is that something I need to be doing? I'm very confused here. So I get the password from the user, and then I encrypt it and save that value as db_password, and then I send that off to the db. Should I be storing $password in the database as well? – user3205214 Apr 22 '15 at 06:43
  • Do I need to be pulling out the hashed password that is saved in the database and assigning it to the variable $db_password before running this line? `$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='"+password_verify($password,$db_password)+"' AND activated='1'");` – user3205214 Apr 22 '15 at 06:47
  • password_verify() function returns a bool value. I was wrong.. I just tried another way to do this. Check my answer :) – Bipin Kareparambil Apr 22 '15 at 07:06
  • Well, moved forward a little more. No longer getting the error, but now it says passwords do not match when trying to log in. I'm going to play around with it. If you think you know the answer, please respond. Thanks for all the help so far! – user3205214 Apr 22 '15 at 07:18
  • I think we might be going in the wrong direction? Doesn't this `$hash = password_hash($password, PASSWORD_BCRYPT);` encrypt a password? I am using this in the register.php file and I need to decrypt it and verify the password the user provided matches it in the checkuser.php – user3205214 Apr 22 '15 at 07:21
  • Ahh, I see what you are doing . . . hold on, I think I got this now . . . – user3205214 Apr 22 '15 at 07:33
  • So I added this echo in my code `$hash = password_hash($password, PASSWORD_DEFAULT); echo "$hash"; // check if the user info validates the db $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$hash' AND activated='1'");` and the hash that is displayed on the page is not the same as in the database for the user. – user3205214 Apr 22 '15 at 07:38
  • OK, never mind, it appears all hashes are different every time I submit login credentials even though it is the same password every time. I am lost and tired. I think I'm going to have to call it a night for now and try again tomorrow. Thanks for the help – user3205214 Apr 22 '15 at 07:41
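
Why the hashes in the comments above never match, as an added example (not code from the question or from any answer): password_hash() salts every hash randomly, so the stored hash has to be fetched by username and checked with password_verify(). It assumes PDO with the SQLite driver in place of the question's mysql_* calls; the `register()` and `login()` helpers and the sample account are hypothetical.

```php
<?php
// Added example. Column names follow the question's `users` table; the
// in-memory SQLite database and the sample account are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    userid INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password TEXT, activated INTEGER DEFAULT 0)');

// Registration: store only the output of password_hash().
function register(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, activated) VALUES (?, ?, 1)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: select the row by username only, then verify against the stored hash.
function login(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare(
        'SELECT userid, password FROM users WHERE username = ? AND activated = 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                  // unknown user or not activated
    }
    if (!password_verify($password, $row['password'])) {
        return false;                  // password does not match stored hash
    }
    // Re-hash transparently if the default algorithm or cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE userid = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['userid']]);
    }
    return true;
}

register($pdo, "o'brien", 'correct horse');   // constructed sample account

// Same password, two calls: the salts differ, so the hash strings differ and
// a "WHERE password = '<new hash>'" comparison can never find the row.
var_dump(password_hash('correct horse', PASSWORD_DEFAULT)
     === password_hash('correct horse', PASSWORD_DEFAULT));
var_dump(login($pdo, "o'brien", 'correct horse'));  // quote in name is bound as data
var_dump(login($pdo, "o'brien", 'wrong guess'));
```

The password column must be wide enough for the full hash string; the PHP manual recommends 255 characters so that future default algorithms fit.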
0
if($login_check > 0){
    // code
}

In this part you check if the username, password and activated are correct, but if you have 2 rows it will set the sessions, but you want only one user. Instead of using '> 0' use '== 1'. This will do the if statement if you have only one record.

CrazzyMarc