1

I write register function in PHP that use sha1 to hash the passworde and a random salt variable

Her access .php

<?php 

class access{
//connection to db 
  .
  .

public function regidterUser ($username , $password, $salt , $email , $fullnam )
{
echo "insaid regidterUser function  <br/>" ;
echo "password =  <br/>";
echo $password ;
echo "<br/>";
echo "salt =" ;
echo $salt;
echo "<br/>";

$sql = "INSERT INTO user SET username= ? , password= ? , salt=? , email= ? , fullname= ?  ";
$statment = $this->conn->prepare ($sql);

//if error
if(!$statment){
    //throw new Exception($statment->error);
    echo ($statment);
    echo ($this->conn->error);

}
$statment->bind_param("sssss" , $username , $password, $salt , $email , $fullnam);

$returnValue = $statment->execute();
return $returnValue ;


}//end register

public function selectUser ($username)
{
//sql command

    $sql = "SELECT * FROM user WHERE username='$username'";
    $result = $this->conn->query($sql);
    if($result !=null &&( mysqli_num_rows($result) >=1 )){
    //assign results we got to row as associaitive array
    $row = $result ->fetch_array(MYSQLI_ASSOC);

    if(!empty($row)){
       $returArray = $row ;


    }//if


}//if

   return $returArray;

}//selectuser

public function loginto($username ,$password)
{
    echo "log in function <br/>"; 
$user = $this->selectUser ($username);
if($user){
$salt = $user["salt"];
echo"Salt = ";
echo $salt ;
echo "<br/>";
echo "passworde from db = <br/> ";
echo $user["password"];
echo "<br/>";
echo "passworde parameter  = <br/> ";
echo $password; //**
echo "<br/>";
$compare = sha1($password.$salt);
echo " String comper is = ";
echo $compare;
echo "<br/>";

if($user["password"]==$compare){
    $returnArray["id"] = $user["id"];
$returnArray["email"] = $user["email"];
$returnArray["fullname"] = $user["fullname"];
$returnArray["ava"] = $user["ava"];
$returnArray["password"] = $user["password"];
$returnArray["salt"] = $user["salt"];
}// sha1

}
return $returnArray;
}//login

}//end of the class
 ?>

here register.php

<?php

$username = htmlentities($_REQUEST["username"]);
$passworde = htmlentities($_REQUEST["passworde"]);
$email = htmlentities($_REQUEST["email"]);
$fullname = htmlentities($_REQUEST["fullname"]);
if(empty($username) || empty($passworde) || empty($email)|| empty($fullname))
{
$returnArray["status"] = "400";
$returnArray["message"] = "missing requre info";

echo json_encode($returnArray);
return; 

}
//sec pass
$salt = openssl_random_pseudo_bytes(20);
echo "in register php <br/>";
echo "salt is <br/>" ;
echo $salt ;
echo "<br/>";
$secured_password = sha1($passworde.$salt);
$passworde = $secured_password;
echo " password is = <br/>";
echo $passworde ;
echo "<br/>";
// build connection
//sec way to biled a conection

//conction to db
  .
  . 
  .
require("secure/access.php");
$acess = new access($host , $user , $pass , $name);
$acess ->connect();

// INSERT USER INFORMATION
$result = $acess -> regidterUser ($username , $passworde, $salt , $email , $fullname );
?>

here the output of register.php ("the echo statment")

    in register php 
salt is 
4Ci���S�*�0)y���P
password is = 
dec6e85ba7d356c20d1853cbb2bbaff3d5561b42
insaid regidterUser function 
password = 
dec6e85ba7d356c20d1853cbb2bbaff3d5561b42
salt =4Ci���S�*�0)y���P
return pass dec6e85ba7d356c20d1853cbb2bbaff3d5561b42

the problem is when i try to login always the log in fail even when iam sure the passworde is correct

and there is the login.php

<?php

$username = htmlentities($_REQUEST["username"]);
$passworde = htmlentities($_REQUEST["passworde"]);


if(empty($username) || empty($passworde) )
{
$returnArray["status"] = "400";
$returnArray["message"] = "missing requre info";

echo json_encode($returnArray);
return; 

}

// build connection
.
.

// log in

$result = $acess -> loginto ($username , $passworde);


if($result){


$returnArray["statuse"] = "200";
$returnArray["message"] = "successful";


}else{
$returnArray["status"] = "400";
$returnArray["message"] = "couldnot found user";

}//else


echo json_encode($returnArray);
?>

here the output of login.php ("the echo statment")

  log in function 
Salt = 4Ci???S?*?0)y???P
passworde from db = 
dec6e85ba7d356c20d1853cbb2bbaff3d5561b42
passworde parameter = 
1
String comper is = a1c1b7b561248821a8e4650267b4d2d30e465685

Notice: Undefined variable: returnArray in /Applications/XAMPP/xamppfiles/htdocs/test1/secure/access.php on line 134 {"status":"400","message":"couldnot found user"}

i wish if someone can help me and tell what is the error in my code many thanks...

Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
Toola
  • 33
  • 4
  • 1
    ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 18 '17 at 15:44
  • You really shouldn't use your own salts on password hashes. – Jay Blanchard Apr 18 '17 at 15:44
  • (You really shouldn't use your own salts on password hashes)pleas can you explan what you mean about that and iam very thankful – Toola Apr 18 '17 at 16:00
  • The PHP password functions provide random salts to each password and are able to verify password hashes with random salts. – Jay Blanchard Apr 18 '17 at 16:02
  • thank you so much for your time , i wish to you the best in your life – Toola Apr 18 '17 at 16:05

0 Answers0