I set up a dev server and I installed nginx with php-fpm and 7.2 php (I installed all the necessary php packages).
The time has come to upgrade the security of all logins, using the argon2i algo.
So, I tried this (test code in dev enviroment. The security in the code, will come later):
require('connector.php');
$usr_u = $_POST['username'];
$psw_u = $_POST['password'];
$usr = mysqli_real_escape_string($conn, $usr_u);
$psw = mysqli_real_escape_string($conn, $psw_u);
$f_pass = password_hash($psw, PASSWORD_ARGON2I);
$result = "SELECT `username` FROM `users` WHERE username = '$usr'";
$tbl = mysqli_query($conn, $result);
$table = $tbl->fetch_assoc();
$m_user = $table['username'];
if ($m_user == $usr)
{
//correct username
echo 'Correct username!<br>';
$result = "SELECT `password` FROM `users` WHERE username = '$m_user'";
$tbl = mysqli_query($conn, $result);
$table = $tbl->fetch_assoc();
$m_pass = $table['password'];
if (password_verify($m_pass,$f_pass)) //always returns false
{
echo 'Password correct!<br>';
}
else
{
echo 'Wrong password!<br>';
}
}
else
{
echo 'Wrong username!<br>';
}
//close connection
mysqli_close($conn);
I always get "Correct username!" and "Wrong password!". I used echo on hashed password from the DB and from the input and I see that every time the hashed password is different. I assume that the hashing process, include using random salt and there is my issue.
As far as I understand, the random salt is necessary in order to retain the security of the hashing.
Can you please point me to the right direction, on how to solve this? I have the hashed password in my DB and I can't figure out a way to check the input password against the one in my DB (using password_verify and hash_equals).
Thank everyone in advance for the help.
Look at the documentation for password_verify:
bool password_verify ( string $password , string $hash )
The first argument is the password but you are passing it the hash you want to compare it to.
The second argument is the hash you want to compare it to but you are passing it a new hash created from user input.
password_verify($_POST['password'], $m_pass)
Related
for a college project I need to create a simple registration and login function. We are required to hash the password using sha1 (I know its not secure), and add a specific salt at the start of the password. Data is being stored in a mySQL database. The registration.php seems to be working out, but I'm having trouble comparing the password from the html form to the password stored in the database. Been googling for a day now, but I am only finding login-functions using the password_verify() function, which doesn't seem to work with sha1. Apologies if the solution or obvious, VERY new to php.
Didn't include my connection-part of the code, it's working as intended. no matter what I input in the fields in the html-form, I get the "invalid username or password" output no matter what.
$formUsername = mysqli_real_escape_string($connect, $_REQUEST['username']);
$formPassword = mysqli_real_escape_string($connect, $_REQUEST['password']);
$sql = "SELECT passord FROM bruker WHERE brukerNavn = '$formUsername';";
$passwordFraDatabase = mysqli_query($connect, $sql);
$row = mysqli_fetch_assoc($passwordFraDatabase);
$passordSomString = $row['passord'];
$salt = 'IT2_2018';
$passwordFraForm = sha1($salt . $formPassword);
if ($passwordFraForm == $passordSomString) {
echo("Logged in");
}
else echo("invalid username or password");
Edit: To those saying I shouldn't use sha1, read the entire question, I specifically said I was required to use sha1, its a college project.
Since someone asked, this is how the password is registered in the first place:
$email = mysqli_real_escape_string($connect, $_REQUEST['email']);
$username = mysqli_real_escape_string($connect, $_REQUEST['username']);
$password = mysqli_real_escape_string($connect, $_REQUEST['password']);
$salt = 'IT2_2018';
$securepassword = sha1($salt . $password);
$sql = "INSERT INTO bruker (ePost, brukerNavn, passord) VALUES ('$email', '$username', '$securepassword')";
if(mysqli_query($connect, $sql)){
echo "user registered!";
} else{
echo "could not register user " . mysqli_error($connect);
}
In Php default compare function (strcmp) and (==) operator both can compare maximum of 32bit character string.
So more than 32bit character string must be compared using (strncmp) function.
In your case as you using sha1 which producing 160bit string thats why it is not working.
So use strncmp(str1,str2,maximum_length_want_to_compare);
In your case it will be
if (strncmp($passwordFraForm, $passordSomString,160)==0){ echo("Logged in"); } else echo("invalid username or password");
So I just learned about storing passwords with MD5 hash and salt in PHP/MySQL. The method I'm using is md5(md5($row["id"].$password)), so the salt is an MD5 hash of the user's ID in my SQL table (which is an auto-incremented INT), which is concatenated to the inputted password string and then re-hashed.
The problem I'm encountering is that when I trying making a test account, and then logging in with the test account, the hash I generate on logging in isn't matching the hash I created when the account was created.
Login Code:
<?php
$login = mysqli_connect("hiding this info for obvious reasons");
if ($_POST["login"])
{
$email = $_POST["email"];
$password = $_POST["passsword"];
$query = "SELECT * FROM useraccs WHERE email='$email'";
if ($result = mysqli_fetch_array(mysqli_query($login,$query)))
{
$hashpass = md5(md5($result["id"]).$password);
if ($hashpass == $result["password"])
{
$errors = "Logged in succesfully.";
}
}
else
{
$error.= "E-mail/Password do not match anything in our database.";
}
}
?>
Register Code:
<?php
$login = mysqli_connect("hiding this info for obvious reasons");
if ($_POST["submit"])
{
$username = $_POST["username"];
$email = $_POST["email"];
$query = "INSERT INTO useraccs (username,email) values('$username','$email')";
mysqli_query($login,$query);
$query = "SELECT id FROM useraccs WHERE username='$username'";
$userid = mysqli_fetch_array(mysqli_query($login,$query))["id"];
$password = md5(md5($userid).$_POST["password"]);
$query = "UPDATE useraccs SET password='$password' WHERE username='$username'";
mysqli_query($login,$query);
}
?>
As you can see, the way I hash the password in both scenarios is identical, and I have done testing to confirm that I am getting the same value for the ID in both scenarios. I am truly stumped as to why I am not getting a match.
I'd like to mention I am very new to using MySQL/creating login systems, so if I've done anything blatantly wrong or have left out essential information, please let me know.
First of all, please see the warnings in the comments, your code is highly unsure.
Regarding the md5: You are using
mysqli_fetch_array(mysqli_query($login,$query))["id"];
This will always return an array. Be sure to get only the field.
I think i have hashed password using function PASSWORD directly from mysql database(am i doing wrong here?). And i am trying to verify that password with this code:
if($submit)
{
$first=$_POST['first'];
$password=$_POST['password'];
$hash="*85955899FF0A8CDC2CC36745267ABA38EAD1D28"; //this is the hashed password i got by using function PASSWORD in database
$password=password_verify($password,$hash);
$db = new mysqli("localhost", "root","","learndb");
$sql = "select * from admin where username = '" . $first . "' and password = '". $password . "'";
$result = $db->query($sql);
$result=mysqli_num_rows($result);
if($result>0)
{
session_start();
$_SESSION['logged_in'] = true;
session_regenerate_id(true);
header("Location:loginhome.php");
}
}
But the password is not matching. What am i missing here?
UPDATE:
After all the suggestions i have used password_hash from php code to store into database.
$db = new mysqli("localhost", "root","","learndb");
$password=password_hash('ChRisJoRdAn123',PASSWORD_DEFAULT);
$sql="INSERT INTO admin (username,password)values('ChrisJordan','$password')";
$db->query($sql);
still the password is not matching.
One cannot search for a salted password hash in a database. To calculate the hash you need the password_hash() function as you already did correctly in your insert statement.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
To check a password, you first need to search by username only (used a prepared query to avoid sql injection):
$sql = 'select * from admin where username = ?';
$db->prepare($sql);
$db->bind_param('s', $first);
When you finally got the stored hash from the database, it can be checked like this:
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
password_verify is a boolean function which return either true or false. In your code, after getting value of password from Post param, you doing this operation
$password=password_verify($password,$hash);
which changes the $password value to true or false and that boolean value stored in $password you are using in mysql select statement
$sql = "select * from admin where username = '" . $first . "' and password = '". $password . "'";
Another thing is it might be possible that the hashed/salted password you are using is not the correct hashed value of the password you are using.
Update: Try this
$cost = [
'cost' => 15,
];
$hash_password = password_hash('ChRisJoRdAn123', PASSWORD_BCRYPT, $cost);
before any db operation, change your password field varchar length to >=64
$sql = "INSERT INTO admin (username,password)values('ChrisJordan','".$hash_password."')";
After insert operation, execute the select statement with the user
$sql = "select * from admin where username = 'ChrisJordan'";
after this fetching hased password and password from the post parameter, you will need to verify both passwords using password_verify
if (password_verify(validate($_POST['password']), $hash_password_from_db)) {
echo "Valid Password";
}else{
echo "Invalid Password";
}
You must use password_hash to encode passwords verified with password_verify.
The MySQL function PASSWORD is something entirely different. It is used for encoding passwords specific to MySQL authentication. (MySQL specifically recommends against using PASSWORD for anything other than MySQL authentication.)
The two use different hashing algorithms, present their output in different formats, and are generally not compatible with each other.
The typical way to use password_hash and password_verify is:
$hash = password_hash($password, PASSWORD_DEFAULT);
//Store $hash in your database as the user's password
//To verify:
//Retrieve $hash from the database, given a username
$valid = password_validate($password, $hash);
The problem in your code is that you're doing this:
$password=password_verify($password,$hash);
$sql = "select * from admin where username = '" . $first . "' and password = '". $password . "'";
password_verify returns a boolean (whether the password and hash matched). Instead, you need to retrieve the hash from the database and match the entered password with that hash.
This is too long for a comment.
Seeing that this question has yet to contain a green tick next to any of the answers, am submitting the following in order to point out probable issues.
I noticed that you are trying to move over from MD5 to password_hash() - password_verify().
Your other question Switching from md5 to password_hash
What you need to know is that MD5 produces a 32 character length string, as opposed to password_hash() being a 60 length.
Use varchar(255).
If you kept your password column's length to 32, then you will need to clear out your existing hashes from that column, then ALTER your column to be 60, or 255 as the manual suggests you do.
You will need to clear out all your existing passwords, ALTER your column, create a new hash, then try your login code again.
I see this in your code:
"*85955899FF0A8CDC2CC36745267ABA38EAD1D28"; //this is the hashed password i got by using function PASSWORD in database
This string *85955899FF0A8CDC2CC36745267ABA38EAD1D28 is 40 long, which is too short and has been cut off.
This tells me that your column's length is 40, instead of 60, or again as the manual suggests, 255.
MD5 reference:
http://php.net/manual/en/function.md5.php
Returns the hash as a 32-character hexadecimal number.
Reference for password_hash():
http://php.net/manual/en/function.password-hash.php
The result will always be a 60 character string, or FALSE on failure.
To ALTER your column, here is a reference link:
http://dev.mysql.com/doc/refman/5.7/en/alter-table.html
Also make sure that your form contains a POST method and that the inputs bear the matching name attributes and that no whitespace gets introduced.
You can use trim() to get rid of those.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Then the rest of your code
Sidenote: Displaying errors should only be done in staging, and never production.
as well as or die(mysqli_error($db)) to mysqli_query().
Edit:
What you need to do is fetch an array and get the match on that.
$sql = "select * from admin where username = '".$first."' and password = '".$password."' ";
$result = $db->query($sql);
if ($result->num_rows === 1) {
$row = $result->fetch_array(MYSQLI_ASSOC);
if (password_verify($password, $row['password'])) {
//Password matches, so create the session
// $_SESSION['user']['user_id'] = $row['user_id'];
// header("Location:/members");
echo "Match";
}else{
echo "The username or password do not match";
}
}
Another possible solution:
$query = "SELECT * from admin WHERE username='$first'";
$result = $db->query($query);
if($result->num_rows ===1){
$row = $result->fetch_array(MYSQLI_ASSOC);
if (password_verify($password, $row['password'])){
echo "match";
} else {
$error = "email or Password is invalid";
echo $error;
}
}
mysqli_close($db); // Closing Connection
So, I'm having this issue with my login script where the MD5 password stored in my MySQL database is decrypted and it will check if the password is equal to the one entered.
My code is as follows:
if(isset($_POST['btn-login']))
{
$email = mysqli_real_escape_string($_POST['email']);
$upass = mysqli_real_escape_string($_POST['pass']);
$md5_pass = md5($upass);
$res = mysqli_query($con, "SELECT * FROM users WHERE email='$email'");
$row = mysqli_fetch_array($res, MYSQLI_ASSOC);
if($row['password'] == $md5_pass)
{
$_SESSION['user'] = $row['user_id'];
header("Location: profile.php");
}
else
{ ?>
<script>alert("Wrong details entered!");</script>
<?php
}
}
Both the md5() will be same. You must check your column datatype and number of characters limit.
Check whether your database is having encrypted value. Because you are comparing it with md5() value.
Don't escape before performing md5 on the query.
Ankii's reply can also solve the issue if you have a varchar which is too small.
Also, use a better hashing system (sha512?).
Also, use salt.
I am having problem with bcrypt hash method and mysql. I'm using the Bcrypt class from this answer.
I am creating login script and checking, if password is
correct. I am comparing password from input and hashed
password from DB.
$username= $_POST['username']; //username from input
$pass= $_POST['pass']; //username from input
$query= mysql_query("SELECT pass FROM users WHERE username='$username'");
$row= mysql_fetch_row($query);
$row[0];// hashed password, I echo $row[0] and it shows correct hashed password
$bcrypt = new Bcrypt(15);
$isGood = $bcrypt->verify($pass, $row[0]);
if ($isGood){
echo "Authentication succeeded";
}
else {
echo"Authentication failed";
}
Even $pass is correct, I always get 'Authentication failed'.
Any ideas, what can be wrong?
Thank you in advance.
The pass column in your users table is not wide enough to store the complete hash; it should be at least 60 characters wide, i.e. VARCHAR(60).
Btw, you should check out PasswordLib as well, written and maintained by ircmaxell, which also supports Bcrypt quite well.
Try something like this:
$bcrypt = new Bcrypt(15);
$hash = $bcrypt->hash($pass);
echo $hash.' =? '.$row[0];
And look if it's equal
if yes, try something like this:
var_dump($hash);
var_dump($row[0]);
Must be equal