Can't get php password_verify() to work - php

I'm using php 7 and postgres and I'm failing to get this password hash thing down.
Here's my user Registration. It's outputting passwords to the db similar to "$2y$10$1GWNRZokmwGR1/dxnMRiOuw4/dNh2IzH9O2QvIu5wjlLAX2OZRW5G" which seems to work:
<?php
include 'core/init.php';
if (empty($_POST) === false) {
$required_fields = array('username', 'password', 'confirm_password', 'first_name', 'last_name', 'email_address', 'phone',
'department', 'group_role');
foreach ($_POST as $key => $value) {
if (empty($value) && in_array($key, $required_fields) === true) {
$errors[] = 'Fields marked with asterisk are required';
break 1;
}
}
}
if (empty($errors) === true) {
if (user_exists($_POST['username']) === true) {
$errors[] = 'Sorry, the username \'' . $_POST['username'] . '\' is already taken';
}
if (preg_match("/\\s/", $_POST['username']) == true) {
$errors[] = 'Your useranme must not contain any spaces';
}
if (strlen($_POST['password']) < 14) {
$errors[] = 'Your password must be at least 14 characters';
}
if ($_POST['password'] !== $_POST['confirm_password']) {
$errors[] = 'You passwords do not match';
}
if (filter_var($_POST['email_address'], FILTER_VALIDATE_EMAIL) === false) {
$errors[] = 'A valid email address is required';
}
if (email_exists($_POST['email_address']) === true) {
$errors[] = 'Sorry, this email \'' . $_POST['email_address'] . '\' is already registered';
}
}
if (isset($_GET['success']) && empty($_GET['success'])) {
include 'include/iHead.php';
include 'include/widgets/login.php';
include 'include/widgets/login_report.php';
if (empty($errors) === false) {
?>
<h3>Registration Successful! You will receive an email once your registration is approved. </h3>
<?php
include 'include/widgets/login_rpt.php';
}
} else {
if (empty($_POST) === false && empty($errors) === true) {
$user_req = $_POST['username'];
$password = $_POST['password'];
$hashedPassword = password_hash($password, PASSWORD_DEFAULT)."\n";
$register_data = array(
'username' => $_POST['username'],
'password' => $hashedPassword,
'first_name' => $_POST['first_name'],
'last_name' => $_POST['last_name'],
'email_address' => $_POST['email_address'],
'phone' => $_POST['phone'],
'department' => $_POST['department'],
'region' => $_POST['region'],
'group_role' => $_POST['group_role'],
'active' => 0
);
register_user($register_data);
header('Location: register.php?success');
exit();
} else if (empty($errors) === false) {
include 'include/iHead.php';
include 'include/widgets/login.php';
include 'include/widgets/login_report.php';
if (empty($errors) === false) {
?>
<h3>Registration unsuccessful: </h3>
<?php
echo output_errors($errors);
include 'include/widgets/login_rpt.php';
}
}
}
function email_exists($email) {
$email = sanitize($email);
// echo "SELECT COUNT (userid) FROM user_profiles WHERE email_address = '$email'";
return (pg_fetch_result(pg_query("SELECT COUNT (userid) FROM user_profiles WHERE email_address = '$email'"), 0) == 1) ? true : false;
}
?>
And here is my login script:
<?php
include 'core/init.php';
if (empty($_POST) === false) {
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = 'Please enter a username and password';
} else if (user_exists($username) === false) {
$errors[] = 'Username not found. Please register.';
} else if (user_active($username) === false) {
$errors[] = 'Account not active';
} else {
if (strlen($password) > 32) {
$errors[] = 'Password too long';
}
$hash = login($username, $password);
if (password_verify($password, "$hash")) {
$_SESSION['userid'] = $login;
header('Location: main.php');
exit;
} else {
$errors[] = " Username & Password are incorrect";
}
}
} else {
header('Location: index.php');
}
include 'include/iHead.php';
include 'include/widgets/login.php';
include 'include/widgets/login_report.php';
if (empty($errors) === false) {
?>
<h3>login unsuccessful: </h3>
<?php
echo output_errors($errors);
include 'include/widgets/login_rpt.php';
include 'include/eFoot.php';
}
function login($username, $password) {
$user_id = get_id($username);
$username = sanitize($username);
// $hash = password_hash($password, PASSWORD_DEFAULT);
$row = pg_fetch_assoc(pg_query("SELECT password FROM user_profiles WHERE username = '$username'"));
$hash = $row['password'];
return $hash;
}
?>
I'm new to php, so any help would be outstanding!!!


Okay, thank you for your answers, but none of you were correct. I had to use pg_escape_string prior to the hash and verify functions. Simple, simple, simple....

Related

log in with Arabic characters

I made a php registration & log-in script. Registration part is OK with Arabic and English characters.
However, Log-in with Arabic characters in not working while with English characters, it works.
Any hint for me to proceed please?
This is my code. I hope it is clear.
function login($username, $password){
$user_id = user_id_from_username($username);
$username = sanitize($username);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'"), 0 ) == 1) ? $user_id :false;}
function user_id_from_username($username){
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '$username'"), 0, 'user_id');}
<?php
if (empty($_POST) === false) {
$username = $_POST['username'];
$password = $_POST['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = ' ◄ يجب آلا تكون الحقول فارغة!';
} else if (user_exists($username) === false) {
$errors[] = '◄ إسم المستخدم الذي أدخلته غير مسجل لدينا !!';
} else if (user_active($username)=== false){
$errors[] = '';
} else {
if(strlen($password) > 32){
$errors[] = '◄ كلمة المرور غير صالحة ! ';
}
$login = login($username, $password);
if ($login === false) {
$errors[] = '◄ يوجد خطاء في البيانات التي أدخلتها.. تأكد من اللغة أو حالة الأحرف !!';
}else{
//set the user session للمستخدم الحالي فقط
$_SESSION['user_id'] = $login;
// redirect user
header ('location: challengersland-cboard.php');
exit();
}
}
} else {
$errors[] = 'عذرا، لم يتم إستلام أية بيانات.';
}
if(empty($errors) === false) {
?>
<h3>▼ عذراً،حدثت الأخطاء التالية أثناء محاولتك تسجيل الدخول ▼</h3>
<?php
echo output_errors($errors);
}
?>

Not redirecting to home page (index.php)

Is there something wrong about my code? It works but its not redirecting to my index.php it always ended up in the login.php where the form is located.
<?php
include 'core/ini.php';
if (empty($_POST) === false) {
$username = $_POST ['username'];
$password = $_POST ['password'];
if (empty ($username) === true || empty ($password) === true ) {
$errors[] = 'You need to enter a username and password!';
} else if (user_exists($username) === false) {
$errors[] = 'We can\'t find that username. Have you registered?';
} else if (user_active($username) === false) {
$errors[] = 'You haven\'t activated your account! ';
} else {
$login = login($username, $password) ;
if ($login === false) {
$errors[] = 'That username/password combination is incorrect ';
} else {
$_SESSION['user_id'] = $login;
header('Location :index.php');
exit();
}
}
print_r($errors);
}
?>
thanks!
EDIT *
this is my login.php
<?php
include 'core/ini.php';
if (empty($_POST) === false) {
$username = $_POST ['username'];
$password = $_POST ['password'];
if (empty ($username) === true || empty ($password) === true ) {
$errors[] = 'You need to enter a username and password!';
} else if (user_exists($username) === false) {
$errors[] = 'We can\'t find that username. Have you registered?';
} else if (user_active($username) === false) {
$errors[] = 'You haven\'t activated your account! ';
} else {
$login = login($username, $password) ;
if ($login === false) {
$errors[] = 'That username/password combination is incorrect ';
} else {
$_SESSION['user_id'] = $login;
header('Location :index.php');
exit();
}
}
print_r($errors);
}
?>
this is where the process go. I don't know where should I put my start session but I don't know why it works without having an error.

change header('Location :index.php'); to header('Location: index.php'); That space might be the cause.

I guess you missed the session_start(); on top of the page since you are storing session. Initiate the session_start();.
Also does your login() function returns TRUE? Echo something to check whether the function returns TRUE as expected.

You hae to use session_start on top of page and I think you should remove exit after headerlocation..

Wordpress after checking username and password how log in

hi i created this code below in my wordpress theme within my login.php page i created conditional statements successfully without any problem but in my last if statement when the username and password is correct i can't when this statement is correct i log in?
i want when the username and password is correct directly show legge in username and add the log out link to log out from the theme.
<?php
$error = '';
$success = '';
global $user_identity;
if(isset($_POST['task']) && $_POST['task'] == 'login') {
$username = esc_attr($_POST['login_username']);
$password = esc_attr($_POST['login_password']);
$remember = esc_attr($_POST['login_remember']);
$user = get_user_by('login', $username);
$user_id = $user->ID;
$user_data = get_userdata($user_id);
$user_login = $user_data->user_login;
$user_pass = $user_data->user_pass;
if($username == '' && $password == '') {
$error = 'Please Fill Required Fields!';
}
if($username == '') {
$error = 'Please Enter Your Username';
}
if($password == '') {
$error = 'Please Enter Your Password';
}
if($user_login != $username) {
$error = 'The Username is Incorrect';
}
if($user_pass != $password) {
$error = 'The Password is Incorrect';
}
if($user_login == $username && $user_pass == $password) {
}
}
?>

hey just create array of user data and passed into wp_signon($data,false) see below.
$login_data = array();
$login_data['user_login'] = $username;
$login_data['user_password'] = $password;
$login_data['remember'] = $remember; // set true or false for remember
$user_verify = wp_signon( $login_data, false );
if ( is_wp_error($user_verify) )
{
echo $user->get_error_message();
exit;
} else {
header("Location: " . home_url() . "/login/error/");
}
read document for more detail wp_signon()

handling errors on my login page

my error handling does not seem to work when i click the submit button without entering any of the fields,i can still login what exactly am i missing ?? its seems my validation is not working,
this is my code below
login.php
<?php
include 'core/init.php';
if (empty($_post) === false) {
$username = $_post['username'];
$password = $_post['password'];
if (empty($username) === true || empty($password) === true) {
$errors[] = 'You need to enter a username and password';
} else if (user_exists($username) === false ) {
$errors[] = 'Username not found';
} else if (user_active($username) === false ){
$errors[] = 'You haven\' activated your account';
} else {
if (strlen($password) > 32){
$errors[] = 'Password too long';
}
$login = login($username, $password);
if($login === false){
$errors[] = 'That username/password combination is incorrect';
} else {
$_session['user_id'] = $login;
header('location: index.php');
exit();
}
}
} else {
$errors[] = 'No data recieved';
}
include 'includes/overall/header.php';
if (empty($errors) === false){
?>
<h2> we tried to log you in, but...</h2>
<?php
echo output_errors($errors);
}
include 'includes/overall/footer.php';
?>
my init.php
<?php
session_start();
require 'database/connect.php';
require 'functions/general.php';
require 'functions/users.php';
$errors = array();
?>
general.php
<?php
function sanitize($data){
return mysql_real_escape_string($data);
}
function output_errors($errors) {
return '<ul><li>' . implode('</li><li>', $errors) . '</li></ul>';
}
?>

Use $_POST instead of $_post, they both are different variable, as php is case-sensitive for variable names.

Hashed passwords not matching

I created a registration and a login script which hash the password with salt exactly the same way, however when the user attempts to login using their password, the hashed login password and the one stored in the database differ, it was working a couple of days ago and I haven't changed anything in the login and registration scripts.
Here is what the stored credentials are
DBEMAIL: jd#gmail.com
DBPASSWORD:
addb18f27b6970082727069aa5853116223c5ab46f46a7b07340757804670aef61311ff0254ec45ea78d9ea6d8afb2cefdf3afd6bd4947f6fc558f46703fac1c
Here is what the User inserted credentials are:
UEMAIL: jd#gmail.com
UPASSWORD: 4123363f30664825356a238fe7a568910315e6f6aa8a57d0264844c641e856ab207200f4c75a532b2ebecdbd062bff31da101d973ab0f83eaefd2323a39a4a88
They are hashed using:
$salt = "salinger";
$hashed = hash_hmac("sha512", $password, $salt);
The full registration function (it's messy I know but it works (until now):
function registerUser($firstname, $surname, $email, $password, $secretQ, $secretA, $address, $city, $postcode) {
$flag = array();
$validEmail = validateEmail($email);
if (($validEmail) == true) {
//Do not flag
} else {
array_push($flag, 1);
}
if ((textOnly("First name", $firstname) == true) || ((textOnly("Surname", $surname)) == true) || ((textOnly("City", $city)) == true)) {
array_push($flag, 1);
}
if ((emptyField($firstname)) || (emptyField($surname)) || (emptyField($email)) || (emptyField($password)) || (emptyField($secretA)) || (emptyField($address)) || (emptyField($city)) || (emptyField($postcode))) {
array_push($flag, 1);
}
if (validPostcode($postcode) == false) {
array_push($flag, 1);
}
if (duplicateEmail($email) == true) {
array_push($flag, 1);
}
if (validatePassword($password) == false) {
array_push($flag, 1);
} else {
$password = validatePassword($password);
}
switch ($secretQ) {
case 1:
$secretQ = "Your mothers maiden name?";
break;
case 2:
$secretQ = "Name of your first pet?";
break;
case 3:
$secretQ = "The name of your high school?";
break;
case 4:
$secretQ = "Your favourite instrument?";
break;
}
$salt = "salinger";
$hashed = hash_hmac("sha512", $password, $salt);
if (!empty($flag)) {
echo "There are errors with your registration, go back and ammend it. <br /> << Back";
} else {
if ((isset($firstname)) && (isset($surname)) && (isset($email)) && (isset($password)) && (isset($secretQ)) && (isset($secretA)) && (isset($address)) && (isset($city)) && (isset($postcode))) {
$sql = "INSERT INTO customer (forename, surname, email, password, secretQ, secretA, address_street, address_city, address_postcode, member_type) VALUES ('$firstname', '$surname', '$email', '$hashed', '$secretQ', '$secretA', '$address', '$city', '$postcode', 'User');";
header("Location: index.php");
} else {
array_push($flag, 1);
}
}
$result = mysql_query($sql);
if (!$result) {
die(mysql_error());
}
}
The login function:
function loginUser($email, $password) {
if (validateEmail($email) == true) {
$sql = "SELECT customerid, forename, email, password, secretA, member_type FROM customer WHERE email = '$email'";
$result = mysql_query($sql);
while ($record = mysql_fetch_array($result)) {
$DBid = $record['customerid'];
$DBemail = $record['email'];
$DBpassword = $record['password'];
$DBforename = $record['forename'];
$DBsecretA = $record['secretA'];
$DBmember = $record['member_type'];
}
if (!$result) {
die(mysql_error());
}
$salt = "salinger";
$hashed = hash_hmac("sha512", $password, $salt);
echo "DBEMAIL: $DBemail DBPASSWORD: $DBpassword <br/>";
echo "UEMAIL: $email UPASSWORD: $hashed <br/>";
if (($email == $DBemail) && ($hashed == $DBpassword)) {
$match = true;
} else {
$match = false;
}
if ($match == true) {
session_start();
$_SESSION['userid'] = $DBid;
$_SESSION['Active'] = true;
$_SESSION['forename'] = $DBforename;
$_SESSION['type'] = $DBmember;
header("Location: member.php");
} else {
echo "Incorrect credentials.";
}
} else {
echo "Invalid email address!";
}
return true;
}

In registerUser, I'd take a closer look at this:
...
if (validatePassword($password) == false) {
array_push($flag, 1);
} else {
$password = validatePassword($password);
}
...
$password will be overwritten, it appears, if it is a valid password. If all the passwords are the same in the database, then it's likely that $password is being set to true, and that's the value that's salted. Depending on how you use validatePassword, you may be able to remove the else-clause, leaving this:
...
if (validatePassword($password) == false) {
array_push($flag, 1);
}
...

Categories