
Recently I've been figuring out how to make a login for my local PHP application.

I've got everything working except hashing the email (I'm using the email for hashing instead of the password).

The code that works without hashing (this code does not have any hashing):

  • FORM
<?php
session_start();

require_once ("../controller/login_handler.php");
echo("<link rel='stylesheet' type='text/css' href='../stylesheet.css'>");

if(isset($message))
{
echo '<label class="text-danger">' .$message. '</label>';
}

?>


<html>

<form class="login" action="" method="post" name="login">
    <p>Naam</p> <input class="form-input" type="text" name="naam" minlength="3" placeholder="Voer hier jouw naam in"><br><br>
    <p>Email</p> <input class="form-input" type="email" name="email" minlength="7" placeholder="Voer hier jouw email in"><br><br>
    <br>
    <input class="submit-button" name="login" type="submit" value="Login">
</form>

<a href="./index.php">Ga terug naar homepage</a>
  • dbcennect.php
<?php
    // POSTS
    $naam=isset($_POST['naam']) ? $_POST['naam'] : "";
    $email=isset($_POST['email']) ? $_POST['email'] : "";
    $tel=isset($_POST['tel']) ? $_POST['tel'] : "";
    $datum=isset($_POST['datum']) ? $_POST['datum'] : "";
    $tijd=isset($_POST['tijd']) ? $_POST['tijd'] : "";

if(isset($_POST['submittedd'])){
    $dbhost = '127.0.0.1';
    $dbname = '2019inklok';
    $dbuser = 'root';
    $dbpass = '';

    // Attempts to connect to DB
    try {
        $conn = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        echo "Connected successfully<br>";


    // Error message if it doesn't connect
    } catch(PDOException $e) {
        echo "Connection failed" . $e->getMessage();
    }

    // Sets all data inside database
    $pdoQuery = "INSERT INTO `clocktime`(`naam`, `email`, `tel`, `datum`, `tijd`) VALUES (:naam,:email,:tel,:datum,:tijd)";
    $pdoResult = $conn->prepare($pdoQuery);
    $pdoExec = $pdoResult->execute(array(":naam"=>$naam,":email"=>$email,":tel"=>$tel,":datum"=>$datum,":tijd"=>$tijd,));

    if($pdoExec)
    {
        echo 'good job';
    }else{
        echo 'bad';
    }

    header("location: confirm.php");
}
?>
  • login_handler.php

include_once ("../controller/db_cennection.php");
if(!isset($_SESSION)) 
{ 
    session_start(); 
} 

$dbhost = '127.0.0.1';
$dbname = '2019inklok';
$dbuser = 'root';
$dbpass = '';
$message = '';

// Attempts to connect to DB

try  
{  
     $connect = new PDO("mysql:host=$dbhost; dbname=$dbname", $dbuser, $dbpass);  
     $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  
     if(isset($_POST["login"]))  
     { 
           if(empty($_POST["naam"]) || empty($_POST["email"]))  
           {  
                $message = '<label>All fields are required</label>';  
           }  
           else  
           {  
                $query = "SELECT * FROM clocktime WHERE naam = :naam AND email = :email";  
                $statement = $connect->prepare($query);  
                $statement->execute(  
                     array(  
                          'naam'     =>     $_POST["naam"],  
                          'email'     =>     $_POST["email"]  
                     )  
                );  


                $count = $statement->rowCount();  
                if($count > 0)  
                {  
                     $_SESSION["naam"] = $_POST["naam"];  
                     header("location:loggedin.php");  
                }  
                else  
                {  
                     $message = '<label>Wrong Data</label>';  
                }  
           }  
      }  

 }   // Error message if it doesn't connect
catch(PDOException $e)
{
    echo "Connection failed" . $e->getMessage();
}
?>

When I achieved this state I was quite happy, but what I didn't know is that the hardest part for me was yet to be found out. I've spent at least 5 hours figuring out how to do the password hashing, but I have not been successful. The following code is code that I have tried; I've moved on from md5 hashing since I was told it's vulnerable to SQL injection.

I have tried to do the hashing like this:

  • dbcennect.php
<?php
    // POSTS
    $naam=isset($_POST['naam']) ? $_POST['naam'] : "";
    $email=isset($_POST['email']) ? $_POST['email'] : "";
    $tel=isset($_POST['tel']) ? $_POST['tel'] : "";
    $datum=isset($_POST['datum']) ? $_POST['datum'] : "";
    $tijd=isset($_POST['tijd']) ? $_POST['tijd'] : "";
    $hash = password_hash($email, PASSWORD_DEFAULT);                           // <--
    $secretPW = $hash;                                                         // <--

if(isset($_POST['submittedd'])){
    $dbhost = '127.0.0.1';
    $dbname = '2019inklok';
    $dbuser = 'root';
    $dbpass = '';

    // Attempts to connect to DB
    try {
        $conn = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        echo "Connected successfully<br>";


    // Error message if it doesn't connect
    } catch(PDOException $e) {
        echo "Connection failed" . $e->getMessage();
    }

    // Sets all data inside database
    $pdoQuery = "INSERT INTO `clocktime`(`naam`, `email`, `tel`, `datum`, `tijd`) VALUES (:naam,:email,:tel,:datum,:tijd)";
    $pdoResult = $conn->prepare($pdoQuery);
    $pdoExec = $pdoResult->execute(array(":naam"=>$naam,":email"=>$hash,":tel"=>$tel,":datum"=>$datum,":tijd"=>$tijd,));  // <--

    if($pdoExec)
    {
        echo 'good job';
    }else{
        echo 'bad';
    }

    header("location: confirm.php");
}

global $secretPW;                                                                   // <--
?>
  • login_handler.php

include_once ("../controller/db_cennection.php");
if(!isset($_SESSION)) 
{ 
    session_start(); 
} 

$dbhost = '127.0.0.1';
$dbname = '2019inklok';
$dbuser = 'root';
$dbpass = '';
$message = '';

// Attempts to connect to DB

try  
{  
     $connect = new PDO("mysql:host=$dbhost; dbname=$dbname", $dbuser, $dbpass);  
     $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  
     if(isset($_POST["login"]))  
     {  
 // THIS PART - doesn't work.
           $stmt = $connect->prepare("SELECT * FROM clocktime WHERE naam = :naam" );
           $stmt->execute(array(':naam' => $_POST['naam']));
           $row = $stmt->fetch(PDO::FETCH_ASSOC);

           if(count($row)>0) {
                if (password_verify($secretPW, $row['email'])) {
                     $_SESSION['sess_user_id']   = $row['ID'];
                     $_SESSION['sess_username'] = $row['naam'];
                     echo "home.php";
                } else {
                echo "invalid";
                }
           }
 // END OF THIS PART  

           if(empty($_POST["naam"]) || empty($_POST["email"]))  
           {  
                $message = '<label>All fields are required</label>';  
           }  
           else  
           {  
                $query = "SELECT * FROM clocktime WHERE naam = :naam AND email = :email";  
                $statement = $connect->prepare($query);  
                $statement->execute(  
                     array(  
                          'naam'     =>     $_POST["naam"],  
                          'email'     =>     $_POST["email"]  
                     )  
                );  


                $count = $statement->rowCount();  
                if($count > 0)  
                {  
                     $_SESSION["naam"] = $_POST["naam"];  
                     header("location:loggedin.php");  
                }  
                else  
                {  
                     $message = '<label>Wrong Data</label>';  
                }  
           }  
      }  

 }   // Error message if it doesn't connect
catch(PDOException $e)
{
    echo "Connection failed" . $e->getMessage();
}
?>

I hope someone can help me just get the code to work. It's for educational purposes. If there are any security issues, I would like to know where I leak them.

Kaede
  • I would consider using an OOP approach and moving the login function into a class, so you can just call the functions. It will allow you to add PHPUnit testing very easily. Try not to hard-code any DB access variables like IP and passwords; move them to some sort of config or .env file where your code can fetch them as needed. Responding with `echo 'good job';` sounds bad and is not very informative. – NashPL Nov 13 '19 at 09:41
  • You need to configure error reporting for PHP and pay attention to every error message. It will give you a clue in most cases. – Your Common Sense Nov 13 '19 at 09:44
  • @NashPL that's some good information, thank you. The `echo 'good job'` is a notice for myself, but you're right, it is bad. – Kaede Nov 13 '19 at 09:46
  • @YourCommonSense I've tried to carefully look at all the errors. But somehow it works. But it doesn't. Like, it's really odd. When I enter any type of email it works, even though it doesn't match in the DB. I've tried searching a lot on this application, but here it doesn't give me the answers I needed to find. – Kaede Nov 13 '19 at 09:50
  • Recommend trying to implement this using composer (composer is a very important tool for the PHP dev) https://github.com/filp/whoops – NashPL Nov 13 '19 at 10:03
  • Now, it *is* confusing. In the code you say "THIS PART - doesnt work." and I even see why - $secretPW is not defined anywhere. And now you say "somehow it works". I feel you just need to give it a good sleep over. – Your Common Sense Nov 13 '19 at 10:05
  • @YourCommonSense `$hash = password_hash($email, PASSWORD_DEFAULT); // <-- $secretPW = $hash;` – Kaede Nov 13 '19 at 10:06
  • Is it OK with you that $secretPW = $hash; is written in a completely different file, when handling a completely different form? – Your Common Sense Nov 13 '19 at 10:25
  • @YourCommonSense for now it is, I've made it global so it can be seen in all files – Kaede Nov 13 '19 at 10:33
  • Unfortunately, global doesn't make a variable visible in all files. – Your Common Sense Nov 13 '19 at 10:34
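The registration/login split that the question is missing (and that the comment about $secretPW never being defined on the login side points at), as an added example that is not part of the asker's code; it keeps the asker's scheme of treating the email as the secret stored in `clocktime`, while the in-memory SQLite database, the `openDb`/`register`/`login`/`selfCheck` names and the sample account are assumptions so it runs stand-alone:

```php
<?php
// Added example, not the asker's code. Keeps the asker's scheme (the email is the
// secret, stored in `clocktime`.`email`) but splits hashing from verification the
// way password_hash()/password_verify() require. Assumes pdo_sqlite is loaded.
declare(strict_types=1);
function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE clocktime (ID INTEGER PRIMARY KEY, naam TEXT UNIQUE, email TEXT)');
    return $db;
}
// Registration side (the asker's dbcennect.php): hash once, store only the hash.
function register(PDO $db, string $naam, string $email): void {
    $hash = password_hash($email, PASSWORD_DEFAULT); // fresh random salt on every call
    $stmt = $db->prepare('INSERT INTO clocktime (naam, email) VALUES (:naam, :email)');
    $stmt->execute([':naam' => $naam, ':email' => $hash]);
}

// Login side (the asker's login_handler.php): look the row up by the non-secret field
// only, then hand the PLAINTEXT submitted value to password_verify(). Re-hashing the
// input and comparing hashes (the asker's $secretPW) can never match because of the
// per-call salt, and a `WHERE email = :email` lookup fails for the same reason.
function login(PDO $db, string $naam, string $email): bool {
    $stmt = $db->prepare('SELECT ID, naam, email FROM clocktime WHERE naam = :naam');
    $stmt->execute([':naam' => $naam]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { // no such user: fetch() returns false, so count($row) is not a valid test
        return false;
    }
    return password_verify($email, $row['email']);
}
// Self-check on a constructed sample account; throws if any expectation fails.
function selfCheck(): void {
    $db = openDb();
    register($db, 'kaede', 'kaede@example.com');
    $stored = $db->query("SELECT email FROM clocktime WHERE naam = 'kaede'")->fetchColumn();
    $checks = [
        'correct credentials accepted' => login($db, 'kaede', 'kaede@example.com'),
        'wrong email rejected'         => !login($db, 'kaede', 'wrong@example.com'),
        'unknown user rejected'        => !login($db, 'nobody', 'kaede@example.com'),
        // The question's bug reproduced: a fresh hash verified against the stored hash.
        'hash-vs-hash compare fails'   => !password_verify(password_hash('kaede@example.com', PASSWORD_DEFAULT), $stored),
    ];
    foreach ($checks as $name => $ok) {
        if (!$ok) { throw new RuntimeException("check failed: $name"); }
    }
    echo "all checks passed\n";
}
selfCheck();
```

Run it with `php example.php`; because the secret is hashed, the login-side query can only filter on `naam`, which is why the asker's original `WHERE naam = :naam AND email = :email` lookup stops working once the stored email is a hash.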

0 Answers