I have the following code, which is correct and working fine; it creates a salt value when entered into the MySQL database.

The issue I am facing is when trying to log in while using the salted value; something is missing from my code (the 2nd bit of code in this post is the login, which is the one causing issues).

// Registration: the statement is prepared and bound first; bindParam binds by
// reference, so the values assigned below are read when execute() runs.
$result = $conn->prepare("INSERT INTO members (name, username, email, salt, password, age, gender, gender_of_dogs) VALUES (:name, :username, :email, :salt, :password, :age, :gender, :gender_of_dogs)");
$result->bindParam(':name', $value1);
$result->bindParam(':username', $value2);
$result->bindParam(':email', $value3);
$result->bindParam(':salt', $salt);
$result->bindParam(':password', $hashedPassword);
$result->bindParam(':age', $value5);
$result->bindParam(':gender', $value6);
$result->bindParam(':gender_of_dogs', $value7);

$value1 = $_POST['name'];
$value2 = $_POST['username'];
$value3 = $_POST['email'];

// Per-user salt, stored in its own column alongside the hash
$salt = uniqid('', true);

$value4 = $_POST['password'];
$value5 = $_POST['age'];
$value6 = $_POST['gender'];
$value7 = implode(',', $_POST['gender_of_dogs']);

// Home-grown scheme: MD5 of salt + password (see the comments below on why this should be replaced)
$hashedPassword = md5($salt.$value4);
$result->execute();

echo "<h2>Thank you for registering, <br> You will now be redirected to the homepage...</h2>";
header( "refresh:5; url=../index.php" );

Below is the code when trying to log in; it will not let me log in, as it is not getting the unique salt value in the MySQL database. (At least I think that is the issue.)

include('../db_connect.inc');

$username = $_POST['username'];
$password = $_POST['password'];
// The salt is read from the POST data here, but the login form does not send one;
// the salt for this user is only in the members table.
$salt = $_POST['salt'];
$hashedPassword = md5($salt.$password);

// Looks up the row by username AND the recomputed hash
$query = $conn->prepare("Select * from dog_parks.members where username = :username_login and password = :password_login ");
$query->bindParam(':username_login', $username);
$query->bindParam(':password_login', $hashedPassword);
$query->execute();
$count = $query->rowCount();
$row = $query->fetch();

if ($count > 0) {
    session_start();
    $_SESSION['id'] = $row['username'];

    header('location:home.php');
}
// No else branch: a failed login falls through silently

Error message received

Andrew
  • Please don't __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php); please use them, I might want to use your site one day. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) – RiggsFolly May 19 '16 at 14:51
  • And don't POST your salt around, that's like dropping your pants in the middle of the street!!! – RiggsFolly May 19 '16 at 14:52
  • Based on the error `$_POST['salt']` isn't set, check the name of the input field. – chris85 May 19 '16 at 14:53
  • Also select from the database using just the username, and then compare the password from the database and the one the user entered using `password_verify()`. It's really simple if you use the tools provided – RiggsFolly May 19 '16 at 14:55
  • Your image of text isn't very helpful. It can't be copied into an editor, and it doesn't index very well, making other users with the same problem less likely to find the answer here. Please [edit] your post to incorporate the relevant text directly (preferably using copy+paste to avoid transcription errors). – Toby Speight May 19 '16 at 15:14
  • 100% agree with @RiggsFolly here. You should not be rolling your own password encryption implementation unless you absolutely know exactly what you are doing, which it is clear from your treating the salt like user-provided content that you do not. – Mike Brant May 19 '16 at 15:34
  • Where did you learn/read/get the idea to use MD5 to hash passwords? I'm not being a smartass (genuinely curious) so sorry if it comes off the wrong way. If it's some current book/blog/tutorial they should be told to update their stuff – JimL May 19 '16 at 16:06
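The flow RiggsFolly's comments describe (store a `password_hash()` result, select the row by username only, then `password_verify()`), as an added example that is not code from the question or the answer. It assumes an in-memory SQLite table with a reduced two-column schema standing in for the MySQL `members` table; the separate `salt` column is not needed because the hash string carries its own salt.

```php
<?php
// Added example, not code from the question: the registration and login
// flow the comments recommend, using password_hash()/password_verify().
// Assumption: an in-memory SQLite table stands in for the MySQL `members`
// table; no salt column is needed because the hash string carries its own.
declare(strict_types=1);

$conn = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$conn->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register(PDO $conn, string $username, string $password): void
{
    // PASSWORD_DEFAULT (bcrypt): a random salt and the cost are embedded in the hash
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO members (username, password) VALUES (:username, :password)');
    $stmt->execute([':username' => $username, ':password' => $hash]);
}

function login(PDO $conn, string $username, string $password): bool
{
    // Select by username only; the hash never goes into the WHERE clause
    $stmt = $conn->prepare('SELECT password FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: verify against a throwaway hash so the response time
        // does not reveal which usernames exist
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // Transparently upgrade hashes made with an older algorithm or lower cost
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $conn->prepare('UPDATE members SET password = :password WHERE username = :username');
        $upd->execute([':password' => password_hash($password, PASSWORD_DEFAULT), ':username' => $username]);
    }
    return true;
}

// Exercise the flow: correct password, wrong password, unknown user
register($conn, 'andrew', 'correct horse battery staple');
var_dump(login($conn, 'andrew', 'correct horse battery staple'));
var_dump(login($conn, 'andrew', 'wrong password'));
var_dump(login($conn, 'nobody', 'anything'));
```

After a successful `login()`, call `session_start()` and `session_regenerate_id(true)` before storing the username in `$_SESSION`, so the session id from before authentication is not reused.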

1 Answer

$query->bindParam(':username_login', $username); is bad.

It should be changed to this:

(':username', $value2);

and add in the else case.

devlin carnate
John