0

Basically I am having issues with hashing and getting the password verified, and I was hoping someone could help me out by proof reading some of the code.

Below is the registration (php code):

include '../includes/connection.php'; 
$userID = $_POST['userID'];
$userName = $_POST['userName'];
$Pass = $_POST['password'];
$encrypted_password = password_hash($Pass, PASSWORD_DEFAULT);
if(!empty($userName) && !empty($Pass) && !empty($userID)){
    $records = "SELECT * FROM Admins WHERE ID='$userID' OR Username='$userName' OR Password='$encrypted_password'";
    $results = mysqli_query($connect,$records);
    if ($results->num_rows == 1){
        $message = "You have already requested an account.";
        echo "<script type='text/javascript'>alert('$message');</script>";  
    }else{
        $query = "INSERT INTO Admins (`ID`,`Username`,`Password`,`AdminLevel`) VALUES ('$userID','$userName','$encrypted_password','0')";
        $run = mysqli_query($connect,$query);
        $message = "Your request has been submitted.";
        echo "<script type='text/javascript'>alert('$message');</script>";
    }
}

Below is the login (php code)

if(!empty($userName) && !empty($Pass)){

    $sql = "SELECT * FROM Admins WHERE Username='$userName'";
    $sqlr = mysqli_query($connect,$sql);
    $sqlrow = $sqlr->fetch_assoc();
    $dbPass = $sqlrow['Password'];
    $hash = password_verify($Pass, $dbPass);

    if ($hash == 0){
        die("There was no password found matching what you have entered.");
    }else{
        $records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$hash'";
        $results = mysqli_query($connect,$records);
        if ($results->num_rows == 1){
            $row = $results->fetch_assoc();
            $_SESSION['user_id'] = $row['ID'];
            $_SESSION['admin_level'] = $row['AdminLevel'];
            $_SESSION['user_name'] = $row['Username'];
            $easyName = $_SESSION['user_name'];
            $recordsS = "UPDATE `Admins` SET Status='1' WHERE Username='$userName'";
            $resultsS = mysqli_query($connect,$recordsS);
            header("Location: index.php");
        }else{
            die("Sorry... you have entered incorrect login information.");
        }
    }
}

This is the database heading: https://gyazo.com/69380c5cd0df0259d31799b71f33ce47

When I test this on the website and I login with correct information, "Sorry... you have entered incorrect login information." is echoed.

If I login with false information, "There was no password found matching what you have entered." is echoed.

Why can it detect the password, but not properly execute the else statement in the login section?

Austin
  • 41
  • 6
  • What is `$hash` returning? Your `$records` query is failing because you are selecting `Password='$hash'"` where `$hash` is either true, or false. Probably should be `Password='$dbPass'" – Jay Blanchard Jul 22 '16 at 18:21
  • Please pos the code for `password_hash` and `password_verify`.. – Hackerman Jul 22 '16 at 18:21
  • 2
    Those are PHP functions @Hackerman – Jay Blanchard Jul 22 '16 at 18:22
  • I did die('hash'); and it returned $hash – Austin Jul 22 '16 at 18:22
  • It returned the actual hash? Where did you do the `die()`? Just add `echo $hash; right after you set it. – Jay Blanchard Jul 22 '16 at 18:28
  • If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. *Welcome to Stack!* – Jay Blanchard Jul 22 '16 at 18:42
  • 1
    I never used those @JayBlanchard...my mistake :) – Hackerman Jul 22 '16 at 18:57

2 Answers2

3

Your $records query is failing because you are selecting Password='$hash'" where $hash is either true, or false. The query should have this condition: Password='$dbPass'"

Just as a gut check: The important thing to note is the password field in the database should be huge. The password_hash() can generate some very lengthy text (the current default is 60 characters), so making the field larger will allow for the length needed. Secondly the PHP team is adding more algorithms to the method which means the hash can and will grow. We also do not want to limit our user's ability to use the password or passphrase of their choice. It's best to leave room for the changes.

One more thing: Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Don't believe it?

Community
  • 1
  • 1
Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
0

You have a small mistake in the Query:

$records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$hash'";

You are matching password against a boolean by mistake. It should be:

$records = "SELECT * FROM Admins WHERE Username='$userName' AND Password='$dbPass'";

You need to hash the $Pass variable for this match. The function password_verify returns a boolean after making the match but the actual hash is done inside the method.

Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
Jeremy Morgan
  • 3,314
  • 23
  • 23