A simple Registration and login page for a website. I am trying to crypt the password + salting. That's what I have done but I am not sure if its correct.
This is what happens in the registration page:
$blowfish = '$2a$10$';
$salt = '8dF$d_3';
$hashedPass = crypt($password,$blowfish . $salt);
In the database, the password "RAYray99" is stored as "$2a$10$8dF$d_3$$$$$$$$$$$$$$.wxsfa7X.nkcGqldJ9fujdd8eY.H85uC"
On the login page, I am stuck on how to check the password entered with the password in the database.
This is the loging php script that verifies the user:
mysql_connect("$db_host", "$db_username", "$db_pass") or die(mysql_error());
//select the database or return error message
mysql_select_db("$db_name") or die("database does not exist");
$email = stripslashes($_POST['email']);
$email = strip_tags($email);
$email = mysql_real_escape_string($email);
$password = ereg_replace("[^A-Za-z0-9]", "", $_POST['password']); // filter everything but numbers and letters
$password = crypt($password);
$sql = mysql_query("SELECT * FROM members WHERE email='$email' AND password='$password' AND activateemail='1'");
$login_check = mysql_num_rows($sql);
if($login_check > 0){
while($row = mysql_fetch_array($sql)){
// Get member ID into a session variable
$id = $row["id"];
session_register('id');
$_SESSION['id'] = $id;
// Get member username into a session variable
$username = $row["username"];
session_register('username');
$_SESSION['username'] = $username;
// Update last_log_date field for this member now
mysql_query("UPDATE members SET lastlogin=now() WHERE id='$id'");
// Print success message here if all went well then exit the script
header("location: account.php");
exit();
} // close while
} else {
// Print login failure message to the user and link them back to your login page
print '<br /><br /><font color="#FF0000">ERROR TRY AGAIN </font><br />;
exit();
}
My question is how would I verify the login passsword entered on the login page with the 1 in the database.
Thank you,
Ray
To verify the password you should be hashing the entered one exactly the same way you did when you stored it in the first place.
I see some issues with what you have. First, the blowfish string for crypt() specifies, according to the PHP docs, that after your $2a$10$ should be a 22 character string from the alphabet of ./0-9A-Za-z. Your salt isn't following that, so the hash function is probably failing completely (though I'm not certain).
Also, your salt shouldn't be a constant in your app, it should be unique to each user and stored in the db along with their hashed password.
Finally, you shouldn't be doing those transformations to the password before hashing it. Break out a function that has the plaintext password as input, and outputs the hashed password. Use this function both when you store the password, and when you attempt to validate the login. That way you know for sure it should match the database.
I am using a mapper for my sql queries (doctrine2).
My passwords are saved with md5 + salt in my db
public function setPassword($password) {
$this->_password = self::encodePassword ( $password );
return $this;
}
/**
* This function encodes the password to md5 after adding a salt
* #param string $password
*/
public static function encodePassword($password) {
$salt = 'dsa7893ujlksdsagkz27392kjsjaldksju928ikljda27';
return md5 ( $password . $salt );
}
My login looks like this ...
/**
* Executes an authentication try
*
* #throws Zend_Auth_Adapter_Exception if the authentication failed
* #return Zend_Auth_Result
*/
public function authenticate()
{
//check if login is correct
try{
$user = $this->_em->getRepository('App_Model_User')
->findOneBy(
array(
'_email' => $this->_login,
'_password' => App_Model_User::encodePassword( $this->_password )
)
);
}catch( Exception $e ){
throw new Zend_Auth_Adapter_Exception( 'authentication failed', 0, $e );
}
.............
$password = $_POST['password'];
$str = "$2a$10$8dF$d_3$$$$$$$$$$$$$$.wxsfa7X.nkcGqldJ9fujdd8eY.H85uC";
if (preg_match('/^(.{7})(.{7})(.+?)$/', $str, $m))
{
$blowfish = $m[1];
$salt = $m[2];
$hashedPass = $m[3];
$validHashedPass = crypt($password,$blowfish.$salt);
if ($validHashedPass == $hashedPass)
{
good pass
}
else
{
wrong auth
}
}
I have a class built just for this case. It uses the sha1() hashing function and PDO prepared statements to prevent SQL injections. I'll try to find it and post it here, but if I don't, this is my advice to you:
Use a hashing function, not a crypting one.
Don't use mysql_* as it does not support prepared statements. Use PDO or at the very leat, mysqli.
As #Brad pointed out it'll be simpler (and to some extent safer) to hash the passwords instead of encrypting them.
MySQL supports both MD5 and SHA1 hashes anyhow.
One of the advantages of going this route is you can do either:
$pass = md5($salt . $pass);
$SQL = "SELECT * FROM users WHERE username = '$user' AND pass = '$pass';";
OR directly on the database
$SQL = "SELECT * FROM users WHERE username = '$user' AND pass = MD5('{$salt}{$pass}')";
Related
I'm using PHP's password hashing API to hash and verify my passwords on a site I'm building, however whenever I try and verify my password it always returns false.
I have a User class which sets the password before they are inserted into the database:
public function set__password($passwd) {
self::$password = password_hash($passwd, PASSWORD_BCRYPT, array('cost' => 12));
}
If the username and email is unique the new user row is inserted - upon checking my database I have what seems to be a valid BCRYPT string for my password:
$2y$12$lTMEP0wevDEMX0bzStzoyOEzOTIAi3Hyhd3nYjGwzbI
To verify my password, I run the following script:
$username = $_POST['username'];
$password = $_POST['password'];
$DB = Database::getInstance();
// Get the stored password hash
$res = $DB->run__query('SELECT password FROM users WHERE username = "' . $username . '"');
$hash = $res[0]['password'];
// Do the passwords match?
if(password_verify($password, $hash)) {
echo 'success';
} else {
echo 'failed';
}
$hash pertains to the string quoted above, however when I then call password_verify($password, $hash) where $password is the plain-text password retrieved from my input field, I always receive a value of false.
The given hash string example has 50 characters instead of 60. Double-Check the database - CHAR(60) - and var_dump($hash).
Other problem that you can have, is when you reduce the cost in the server for gaining time.
Always use password_hash($pass, PASSWORD_DEFAULT), is the best way.
If I have this PHP script for a login system:
$user = $_POST['user_name'];
$pass = md5($_POST['user_pass']);
require_once("connection_file.php");
$sql = "SELECT * FROM login_table WHERE user_n = :us AND user_p = :password";
$stmt = $conn->prepare($sql);
$stmt->bindValue(':us', $user, PDO::PARAM_STR);
$stmt->bindValue(':password', $pass, PDO::PARAM_STR);
$stmt->execute();
$result = $stmt->fetchAll();
if($result)
{
//echo $msg = "user exist";
if(session_status() == PHP_SESSION_NONE)
{
session_start();
foreach($result as $row)
{
$hash = password_hash($row['user_pass'], PASSWORD_BCRYPT);
if(password_verify($row['user_pass'], $hash))
{
$_SESSION['userid'] = $row['user_id'];
$_SESSION['role'] = $row['user_role'];
header("Location: homepage.php");
}
}
}
}
else
{
$msg = "Wrong credentials";
header("Location: login_page.php");
}
And as you see I am already saving my password in database as MD5 and I am using $pass = md5($_POST['user_pass']); to verify if the text input by the user is equal to MD5 hash.
Now my question is should I use the password_hash and password_verify as I am using in this script ? Or using MD5 would be enough ?
And my second question is can I save passwords in database using the hash string result or it is okay to use the md5 one?
Yes, you should migrate to the new API and never use MD5 for this purpose again, immediately.
If you're not using password_hash()/password_verify() and want to migrate your code to a more secure method, seamlessly:
Add a column to your user accounts table, called legacy_password (or equivalent).
Calculate the bcrypt hash of the existing MD5 hashes and store them in the database (setting legacy_password to TRUE).
Modify your authentication code to handle the legacy flag.
When a user attempts to login, first check if the legacy_password flag is set. If it is, first pre-hash their password with MD5, then use this prehashed value in place of their password. Afterwards, recalculate the bcrypt hash and store the new hash in the database, disabling the legacy_password flag in the process. A very loose example in PHP 7+ follows:
/**
* This is example code. Please feel free to use it for reference but don't just copy/paste it.
*
* #param string $username Unsafe user-supplied data: The username
* #param string $password Unsafe user-supplied data: The password
* #return int The primary key for that user account
* #throws InvalidUserCredentialsException
*/
public function authenticate(string $username, string $password): int
{
// Database lookup
$stmt = $this->db->prepare("SELECT userid, passwordhash, legacy_password FROM user_accounts WHERE username = ?");
$stmt->execute([$username]);
$stored = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$stored) {
// No such user, throw an exception
throw new InvalidUserCredentialsException();
}
if ($stored['legacy_password']) {
// This is the legacy password upgrade code
if (password_verify(md5($password), $stored['passwordhash'])) {
$newhash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $this->db->prepare("UPDATE user_accounts SET passwordhash = ?, legacy_password = FALSE WHERE userid = ?");
$stmt->execute([$newhash, $stored['userid']]);
// Return the user ID (integer)
return $stored['userid'];
}
} elseif (password_verify($password, $stored['passwordhash'])) {
// This is the general purpose upgrade code e.g. if a future version of PHP upgrades to Argon2
if (password_needs_rehash($stored['passwordhash'], PASSWORD_DEFAULT)) {
$newhash = password_hash($password, PASSWORD_DEFAULT);
$stmt = $this->db->prepare("UPDATE user_accounts SET passwordhash = ? WHERE userid = ?");
$stmt->execute([$newhash, $stored['userid']]);
}
// Return the user ID (integer)
return $stored['userid'];
}
// When all else fails, throw an exception
throw new InvalidUserCredentialsException();
}
Usage:
try {
$userid = $this->authenticate($username, $password);
// Update the session state
// Redirect to the post-authentication landing page
} catch (InvalidUserCredentialsException $e) {
// Log the failure
// Redirect to the login form
}
Proactively upgrading legacy hashes is a security win over an opportunistic strategy (rehashing when the user logs in, but leave the insecure hashes in the database for inactive users): With a proactive strategy, if your server gets compromised before everyone logs in again, their passwords are already using an acceptable algorithm (bcrypt, in the example code).
The above example code is also available in Bcrypt-SHA-384 flavor.
Also, this has nothing to do with encryption.
I have found this post helpful MySQL password() function to PHP but I am having trouble applying the solution offered there to my problem.
A password was stored in a Mysql using Password(). I want to adapt this script to compare the entered password with the one stored in the database, rather than use the 'crypt()' function.
public function authenticate($user,$pass) {
$mysqli = new mysqli(DBHOST,DBUSER,DBPASS,DB);
if ($mysqli->connect_errno) {
error_log("Cannot connect to MySQL: " . $mysqli->connect_error);
return false;
}
$safeUser = $mysqli->real_escape_string($user);
$incomingPassword = $mysqli->real_escape_string($pass);
$query = "SELECT * from users WHERE username ='{$safeUser}'";
if (!$result = $mysqli->query($query)) {
error_log("Cannot retrieve account for {$user}");
return false;
}
// Will be only one row, so no while() loop needed
$row = $result->fetch_assoc();
$dbPassword = $row['password'];
if (crypt($incomingPassword,$dbPassword) != $dbPassword) {
error_log("Passwords for {$user} don't match");
return false;
}
$this->id = $row['id'];
$this->firstName = $row['first_name'];
$this->lastName = $row['last_name'];
$this->username = $row['username'];
$this->email = $row['email'];
$this->dateJoin = $row['dateJoin'];
$this->school = $row['school'];
$this->level = $row['level'];
$this->isLoggedIn = true;
$this->_setSession();
return true;
} //end function authenticate
Is there an easy way to adapt this script? Do I just add
AND `password` = PASSWORD('{$incomingPassword}')
to my query? This seems a little clumsy.
Are you really sure the passwords where hashed with the MySql Password() function, because this function is not meant to be used in applications? It is not possible to store passwords safely and verify passwords in an SQL-query directly.
You really should use a slow hashing function like BCrypt, and salting is mandatory. That means, that you need a two step process, first get the stored password hash by username with an SQL-query, then extract the salt from the hash and do the verification.
The recommended way to hash passwords with PHP is the new function password_hash():
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
If you are interested in more in-depth information about this topic, you can have a look at my tutorial about safely storing passwords.
I've made encrypting of the password in my register script and they are stored in the database, and I have to use them to login, so I would want to use the unencrypted ones to login. I've read some of the threads in here but nothing is helping me. How can I add it in my login.php? The salt is also stored in the database.
This is my register.php script for encrypting
$hash = hash('sha256', $password1);
function createSalt()
{
$text = md5(uniqid(rand(), TRUE));
return substr($text, 0, 3);
}
$salt = createSalt();
$password = hash('sha256', $salt . $hash);
and this is my login.php with season
//Create query
$qry="SELECT * FROM member WHERE username='$username' AND password='$password'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) > 0) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['id'];
$_SESSION['SESS_FIRST_NAME'] = $member['username'];
$_SESSION['SESS_LAST_NAME'] = $member['password'];
session_write_close();
header("location: profile.php");
exit();
}
else {
//Login failed
//error message
}
else {
die("Query failed");
}
These examples are from php.net. Thanks to you, I also just learned about the new php hashing functions.
Read the php documentation to find out about the possibilities and best practices:
http://www.php.net/manual/en/function.password-hash.php
Save a password hash:
$options = [
'cost' => 11,
];
// Get the password from post
$passwordFromPost = $_POST['password'];
$hash = password_hash($passwordFromPost, PASSWORD_BCRYPT, $options);
// Now insert it (with login or whatever) into your database, use mysqli or pdo!
Get the password hash:
// Get the password from the database and compare it to a variable (for example post)
$passwordFromPost = $_POST['password'];
$hashedPasswordFromDB = ...;
if (password_verify($passwordFromPost, $hashedPasswordFromDB)) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
According to php.net the Salt option has been deprecated as of PHP 7.0.0, so you should use the salt that is generated by default and is far more simpler
Example for store the password:
$hashPassword = password_hash("password", PASSWORD_BCRYPT);
Example to verify the password:
$passwordCorrect = password_verify("password", $hashPassword);
array hash_algos(void)
echo hash('sha384', 'Message to be hashed'.'salt');
Here is a link to reference http://php.net/manual/en/function.hash.php
You couldn't login because you did't get proper solt text at login time.
There are two options, first is define static salt, second is if you want create dynamic salt than you have to store the salt somewhere (means in database) with associate with user.
Than you concatenate user solt+password_hash string now with this you fire query with username in your database table.
I think #Flo254 chained $salt to $password1and stored them to $hashed variable. $hashed variable goes inside INSERT query with $salt.
You can't do that because you can not know the salt at a precise time. Below, a code who works in theory (not tested for the syntaxe)
<?php
$password1 = $_POST['password'];
$salt = 'hello_1m_#_SaLT';
$hashed = hash('sha256', $password1 . $salt);
?>
When you insert :
$qry="INSERT INTO member VALUES('$username', '$hashed')";
And for retrieving user :
$qry="SELECT * FROM member WHERE username='$username' AND password='$hashed'";
I have registered a new user and saved the username, password & salt in the DB using the following hashing method:
if(isset($_POST['register']))
{
$password = $_POST['password']
function sanitize($data)
{
$data=trim($data);
$data=htmlspecialchars($data);
$data=mysql_real_escape_string($data);
return $data;
}
$password = sanitize($password);
function createSalt()
{
$salt = bin2hex(mcrypt_create_iv(32,MYCRYPT_DEV_URANDOM));
$hash = hash("sha256", $salt);
$final = $salt.$hash;
return $final;
}
$hashedPassword = hash("sha256", $password);
$salt = createSalt();
$hashedPassword = hash("sha256", $hashedPassword.$salt);
$query = sprintf("INSERT INTO users(username, password, salt) VALUES('%s','%s','%s')",$username, $hashedPassword, $salt);
}
And Later while trying the login.php, I am entering the same password which I saved during registration and using the below code to check if the entered password is the same as the one in the DB
if(isset($_POST['login']]))
{
$password = $_POST['password']
function sanitize($data)
{
$data=trim($data);
$data=htmlspecialchars($data);
$data=mysql_real_escape_string($data);
return $data;
}
function validateUser()
{
session_regenerate_id (); //this is a security measure
$_SESSION['valid'] = 1;
$_SESSION['username'] = $username;
}
$password = sanitize($password);
$query = sprintf("SELECT * FROM users WHERE username = '%s'",$username);
$sql = mysql_query($query);
$count = mysql_num_rows($sql);
$row = mysql_fetch_array($sql);
if($count<1)
{
echo $count;
unset($_POST['login']);
header("location:login.php");
exit;
}
$hash = hash("sha256", $password);
$salt = $row['salt'];
$hash = hash("sha256",$hash.$salt);
echo $hash."<br />".$row['password']."<br /><br />";
if($hash != $row['password'])
{
unset($_POST['login']);
header("location:login.php");
exit;
}
else
{
validateUser();
unset($_POST['login']);
header("location:index.php");
exit;
}
}
These passwords are not getting matched.
Kindly let me know what's wrong in this code.
There is nothing wrong with your code.
the salt value stored in the database is truncated because the varchar value is low increase the varchar value of your salt column to 200-300 something and than try this.. it will run fine.
I facepalmed when I found out this was screwing the result..
Dins
Actually i didn't see why this should not work, the code you have shown, should produce the same value, maybe you could check, whether the salt you read from the database is really the same as you wrote to the database.
Nevertheless i would not engourage to go further on this route, there are quite a lot of problems here.
First of all, SHA-256 is not a good choice to hash passwords, instead use a slow key-derivation function like BCrypt.
You should not escape input data without need, and if you need to escape them, you should do it only for the specific target system (htmlspecialchars and mysql_real_escape_string make no sense if you are going to calculate a hash anyway).
To create a salt, you use the random source, that is good. Using a hash afterwards creating the salt, will in no way make the salt more random.
There is no need to have two separate fields for password and salt in the database. Php's crypt() function will create a hash value, that already contains the salt.
I would invite you to read this tutorial about hashing passwords, you will find a PHP example too, and i would recommend to use the phpass library.