#1 Regular Coder (joined Jun 2014)

    Question: Evaluate login problem

    I have a problem evaluating whether the user is the owner of the page. This is my code:
    PHP Code:
    // User Verify function
    function evalLoggedUser($conx, $id, $u, $p) {
        $sql = "SELECT ip FROM users WHERE Id='$id' AND Username='$u' AND Password='$p' LIMIT 1";
        echo $postedSaltedPassword; // debug output; this variable is not defined inside the function
        $query = mysqli_query($conx, $sql);
        $numrows = mysqli_num_rows($query);
        if ($numrows > 0) {
            return true;
        }
    }

    It returns true to the user_okay variable, which is later used to see if he is the owner.
    The problem is with Password='$p': it doesn't match. After echoing both the password and the $p variable I noticed they do not match, because '$p' shows only the password without the $ and / signs which are included in my password encryption (I use phpass).
    How can I fix it and make it match?

  • #2 myfayt, Senior Coder (joined Apr 2010)
    Hmm, if you are using an encrypted hash code such as MD5 or SHA1, you may want to make sure it's checking for that.
    So if your password is "mypass" and that is what is showing with one, and the other is showing something like "nfh78373fg7gf2g", then one isn't being converted.
    If both are encrypted but totally different, then you are altering the encryption between creating the account and logging in.

    That may not be the case here, but it's what I got.

  • #3 Regular Coder (joined Jun 2014)
    Quote, originally posted by myfayt:
    Hmm, if you are using an encrypted hash code such as MD5 or SHA1, you may want to make sure it's checking for that.
    So if your password is "mypass" and that is what is showing with one, and the other is showing something like "nfh78373fg7gf2g", then one isn't being converted.
    If both are encrypted but totally different, then you are altering the encryption between creating the account and logging in.

    That may not be the case here, but it's what I got.
    Hmmm, I said I'm using phpass in the details. MD5 and SHA1 are incredibly unsafe. The problem is that when I'm echoing it, it comes out like this: 2ABDSAOLJDS421P3I921D2J89221839021, but in the database it is shown like this: $2A$BDSAOLJDS42/1P3I921D2J89221839021
    It has special characters which the check doesn't include.

  • #4 myfayt, Senior Coder (joined Apr 2010)
    It was just an example. You'll need to post more of your code, such as the $postedSaltedPassword.

  • #5 CFMaBiSmAd, Senior Coder (Denver, Colorado USA; joined Oct 2006)
    The correct method to check if the password entered for login matches the original password that was entered when registering is to retrieve the hashed value from your database table based on the username and use the phpass ->CheckPassword() method. You cannot perform this password/hash check in the query (without writing a database stored procedure that performs the same hashing algorithm.)

    Edit: That you are echoing the hashed password value at some point and it doesn't contain the $ and / characters implies you are somehow filtering the value. After registration, the only place the hashed value should exist is in your database table and in the authentication code that calls the phpass ->CheckPassword() method.
    Last edited by CFMaBiSmAd; 06-22-2014 at 07:17 PM.

  • #6 Regular Coder (joined Jun 2014)
    Quote, originally posted by CFMaBiSmAd:
    The correct method to check if the password entered for login matches the original password that was entered when registering is to retrieve the hashed value from your database table based on the username and use the phpass ->CheckPassword() method. You cannot perform this password/hash check in the query (without writing a database stored procedure that performs the same hashing algorithm.)

    Edit: That you are echoing the hashed password value at some point and it doesn't contain the $ and / characters implies you are somehow filtering the value. After registration, the only place the hashed value should exist is in your database table and in the authentication code that calls the phpass ->CheckPassword() method.
    This is my login and register code. Register:
    PHP Code:
    if (isset($_POST["u"])) {
        include_once("db_conx.php");

        // Username is reduced to letters and digits; email is escaped for the query
        $u  = preg_replace('#[^a-z0-9]#i', '', $_POST['u']);
        $e  = mysqli_real_escape_string($db_conx, $_POST['e']);
        $p  = $_POST['p'];
        $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));

        // Check whether the email or username is already taken
        $sql = "SELECT * FROM users WHERE Email = '$e' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
        $e_check = mysqli_num_rows($query);

        $sql = "SELECT * FROM users WHERE Username = '$u' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
        $u_check = mysqli_num_rows($query);

        if ($u == "" || $e == "" || $p == "") {
            echo "You have to enter all the fields";
            exit();
        } else if ($e_check > 0) {
            echo "The email adress is already in use";
            exit();
        } else if ($u_check > 0) {
            echo "The Username you've entered is already in use";
            exit();
        } else if (strlen($u) < 3 || strlen($u) > 100) {
            echo "Username has to be between 3 - 100 characters";
            exit();
        } else if (is_numeric($u[0])) {
            echo "A Username cannot begin with a number!";
            exit();
        } else {
            require("PasswordHash.php");
            // Fixed string prepended to the password before phpass hashes it
            $salt = "ipDaloveyBuohgGTZwcodeRJ1avofZ7HbZjzJbanDS8gtoninjaYj48CW";
            $password = $salt . $_POST['p'];
            $hasher = new PasswordHash(8, false);
            $password = $hasher->HashPassword($password);

            $sql = "INSERT INTO users(Username, Email, Password, ip, Signup, Lastlogin, Notescheck)
                    VALUES ('$u', '$e', '$password', '$ip', now(), now(), now())";
            $query = mysqli_query($db_conx, $sql);
            $uid = mysqli_insert_id($db_conx);

            $sql = "INSERT INTO useroptions (id, username, background) VALUES('$uid', '$u', 'original')";
            $query = mysqli_query($db_conx, $sql);

            if (!file_exists("user/$u")) {
                mkdir("user/$u", 0755);
            }
        }
    }
    And this is the login:

    PHP Code:
    if (isset($_POST["e"])) {
        include_once("db_conx.php");
        $e  = mysqli_real_escape_string($db_conx, $_POST['e']);
        $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
        require("PasswordHash.php");
        // Same fixed string as at registration, prepended before the phpass check
        $salt = "ipDaloveyBuohgGTZwcodeRJ1avofZ7HbZjzJbanDS8gtoninjaYj48CW";
        $p = $_POST['p'];
        $postedSaltedPassword = $salt . $p;
        $hasher = new PasswordHash(8, false);

        if ($p == "" || $e == "") {
            echo "login_failed";
            exit();
        } else {
            // Fetch the stored hash by email, then compare in PHP with phpass
            $sql = "SELECT Id, Username, Password FROM users WHERE Email = '$e' LIMIT 1";
            $query = mysqli_query($db_conx, $sql);
            $row = mysqli_fetch_row($query);
            $db_id = $row[0];
            $db_username = $row[1];
            $db_pass_str = $row[2];
            $check = $hasher->CheckPassword($postedSaltedPassword, $db_pass_str);
            if (!$check) {
                echo "login_failed";
                exit();
            } else {
                // Keep the identity in the session and in 30-day cookies
                $_SESSION['userid'] = $db_id;
                $_SESSION['username'] = $db_username;
                $_SESSION['pass'] = $db_pass_str;
                setcookie("Id", $db_id, strtotime('+30 days'), "/", "", "", TRUE);
                setcookie("Username", $db_username, strtotime('+30 days'), "/", "", "", TRUE);
                setcookie("Pass", $db_pass_str, strtotime('+30 days'), "/", "", "", TRUE);
                // UPDATE THEIR "IP" AND "LASTLOGIN" FIELDS
                $sql = "UPDATE users SET ip='$ip', Lastlogin=now() WHERE Username='$db_username' LIMIT 1";
                $query = mysqli_query($db_conx, $sql);
                echo $db_username;
                exit();
            }
        }
        exit();
    }
    The code I posted just helps me to see if user_okay is true. Maybe this will help. The code:
    PHP Code:
    $user_ok = false;
    $log_id = "";
    $log_username = "";
    $log_password = "";

    // User Verify function
    function evalLoggedUser($conx, $id, $u, $p) {
        $sql = "SELECT ip FROM users WHERE Id='$id' AND Username='$u' AND Password='$p' LIMIT 1";
        echo $postedSaltedPassword; // debug output; this variable is not defined inside the function
        $query = mysqli_query($conx, $sql);
        $numrows = mysqli_num_rows($query);
        if ($numrows > 0) {
            return true;
        }
    }

    if (isset($_SESSION["userid"]) && isset($_SESSION["username"]) && isset($_SESSION["pass"])) {
        $log_id = preg_replace('#[^0-9]#', '', $_SESSION['userid']);
        $log_username = mysqli_real_escape_string($db_conx, $_SESSION['username']);
        // This filter removes every character that is not a letter or digit,
        // so the $ and / characters of the stored hash are dropped here
        $log_password = preg_replace('#[^a-z0-9]#i', '', $_SESSION['pass']);
        // Verify the user
        $user_ok = evalLoggedUser($db_conx, $log_id, $log_username, $log_password);
    } else if (isset($_COOKIE["Id"]) && isset($_COOKIE["Username"]) && isset($_COOKIE["Pass"])) {
        $_SESSION['userid'] = preg_replace('#[^0-9]#', '', $_COOKIE['Id']);
        $_SESSION['username'] = mysqli_real_escape_string($db_conx, $_COOKIE['Username']);
        // Same filter as above, applied to the hash taken from the cookie
        $_SESSION['pass'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['Pass']);
        $log_id = $_SESSION['userid'];
        $log_username = $_SESSION['username'];
        $log_password = $_SESSION['pass'];
        // Verify the user
        $user_ok = evalLoggedUser($db_conx, $log_id, $log_username, $log_password);
        if ($user_ok == true) {
            // Update their lastlogin datetime field
            $sql = "UPDATE users SET Lastlogin=now() WHERE Username='$log_username' LIMIT 1";
            $query = mysqli_query($db_conx, $sql);
        }
    }
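The pattern CFMaBiSmAd describes in #5 (fetch the stored hash by identity, verify it in PHP, never compare it inside the query) and the effect of the preg_replace filter in the code above, as an added example that is not code from this thread. Two stand-ins are assumptions: PHP's built-in password_hash()/password_verify() replace phpass's HashPassword()/CheckPassword() because phpass is not bundled here (phpass in non-portable mode also stores bcrypt "$2a$..." strings, so the stored value has the same shape), and an in-memory SQLite table through PDO replaces the MySQL users table. The function names openUsersDb, registerUser, loginUser, filteredHashStillVerifies and sameInputSameHash are made up for this example.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: password_hash()/password_verify() stand in for phpass;
// an in-memory SQLite table via PDO stands in for the MySQL "users" table.

function openUsersDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (Id INTEGER PRIMARY KEY, Username TEXT, Email TEXT, Password TEXT)');
    return $db;
}

// Registration: hash once and store only the hash.
function registerUser(PDO $db, string $username, string $email, string $password): int {
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
    $stmt = $db->prepare('INSERT INTO users (Username, Email, Password) VALUES (?, ?, ?)');
    $stmt->execute([$username, $email, $hash]);
    return (int) $db->lastInsertId();
}

// Login: select the row by identity only, then verify the password in PHP.
// The hash never appears in a WHERE clause and is never filtered.
function loginUser(PDO $db, string $email, string $password): ?array {
    $stmt = $db->prepare('SELECT Id, Username, Password FROM users WHERE Email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return ['Id' => (int) $row['Id'], 'Username' => $row['Username']];
}

// The filter from the thread applied to a stored hash: every '$' and '/'
// is removed, so the result is no longer a crypt-format hash.
function filteredHashStillVerifies(string $password, string $hash): bool {
    $mangled = preg_replace('#[^a-z0-9]#i', '', $hash);
    return password_verify($password, $mangled);
}

// Why "Password='$p'" in SQL cannot match: bcrypt embeds a random salt,
// so hashing the same password twice gives two different strings.
function sameInputSameHash(string $password): bool {
    $a = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
    $b = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
    return $a === $b;
}

// Constructed sample run
$db = openUsersDb();
$uid = registerUser($db, 'alice', 'alice@example.invalid', 'correct horse');
$stored = $db->query('SELECT Password FROM users WHERE Id = ' . (int) $uid)->fetchColumn();

var_dump(loginUser($db, 'alice@example.invalid', 'correct horse'));
var_dump(loginUser($db, 'alice@example.invalid', 'wrong password'));
var_dump(filteredHashStillVerifies('correct horse', $stored));
var_dump(sameInputSameHash('correct horse'));
```

Run it with the php command-line binary (pdo_sqlite must be enabled). loginUser() returns the Id and Username for the right password and null for the wrong one. filteredHashStillVerifies() returns false: preg_replace('#[^a-z0-9]#i', '', ...) strips the "$" separators and the "/" characters, which is exactly what happened to $_SESSION['pass'] and $_COOKIE['Pass'] in the code above, and a string without those is no longer a valid hash. sameInputSameHash() returns false, which is the reason the check cannot be done inside the query as CFMaBiSmAd says: with a salted hash there is no single stored string to compare against.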

  • #7 Regular Coder (joined Jun 2014)
    Posting this made me understand how bad I am at programming... that preg_replace, I didn't see it. I've got a lot of pages and code and I went blind....
    CFMaBiSmAd, thanks, you made me realize what I did wrong... What a dumbass I am. Thanks everyone for the help.

  • #8 New Coder (USA; joined Feb 2014)
    Thanks for giving this information. I also have the same issue, so thanks for giving this suggestion.