The following code passes on the username check, but fails on the password.

As you can see, the hashes are echoed, but for some reason, they output e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which is the sha256sum of /dev/null. As the password does not seem to echo at all, I can only assume it cannot get the POST, but why?

login

    <form action="dologin" method="post">
    Username: <input type="text" name="username">
    Password: <input type="password" name="password">
    <input type="submit">
    </form>

dologin

    if ( $_POST[username] == $actualusername ) {
        // Hash the password
        $hashedpassword = hash('sha256', $_POST[password]);
        echo $_POST[password];
        echo $hashedpassword;
        if ( $hashedpassword == $actualpassword ) {
            echo '<h2>Logged in</h2>';
        } else {
            echo '<h2>Incorrect password</h2>';
            echo $hashedpassword;
        }
    } else {
        echo '<h2>Incorrect username</h2>';
    }
Community
Lewis Goddard
  • You should not be using the SHA* family for hashing passwords. See [this answer](http://stackoverflow.com/a/14922395/1698924) and [Jeff's Post on Passwords](http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html) – Amelia Feb 17 '13 at 15:27
  • Please do `$_POST['password']` instead of `[password]`, as well. – Gargron Feb 17 '13 at 15:37
  • @Gargron [Why?](http://stackoverflow.com/questions/14922840/what-is-the-difference-in-using-quotes-apostrophes-or-neither-in-post-variabl) – Lewis Goddard Feb 17 '13 at 15:43
  • @LewisGoddard - Because it can cause a very nasty and hard to find bug, should another developer or an external library define a constant named `password` somewhere. – martinstoeckli Feb 17 '13 at 21:45

1 Answer

Does closing the input tags solve your problem? Also, you can use

    isset($_POST["blabla"])

To test if the value is set in $_POST.

Amelia
Thibault D.
  • Yes it does! I thought HTML5 meant you didn't need to close things like link, meta, img and input items? What a peculiar quirk. – Lewis Goddard Feb 17 '13 at 15:30
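
The points raised in the comments and the answer (quoted array keys, `isset()` checks, no SHA* for passwords), combined into one handler. This is an added example, not code from any of the posts above; `check_login()` and `$actualpasswordhash` are hypothetical names, and the stored hash is assumed to have been created with `password_hash()`.

```php
<?php
// Added example: a hardened take on the "dologin" handler from the question.
// check_login() and $actualpasswordhash are hypothetical names. The stored
// hash is assumed to come from password_hash($plain, PASSWORD_DEFAULT).

function check_login(array $post, string $actualusername, string $actualpasswordhash): string
{
    // Quoted keys: a bare [password] is resolved as a constant first.
    // Missing, empty or non-string fields are rejected here instead of being
    // hashed, which is how the question ended up with e3b0c442...
    // (SHA-256 of the empty string).
    foreach (['username', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return 'missing ' . $field;
        }
    }

    // Timing-safe string comparison for the username.
    $userOk = hash_equals($actualusername, $post['username']);

    // password_verify() reads the salt and cost from the stored hash and
    // compares in constant time. It runs even when the username is wrong.
    $passOk = password_verify($post['password'], $actualpasswordhash);

    // One message for both failures; the password is never echoed back.
    return ($userOk && $passOk) ? 'logged in' : 'incorrect username or password';
}

// Constructed sample data, so the file runs from the command line.
$actualusername     = 'alice';
$actualpasswordhash = password_hash('correct horse', PASSWORD_DEFAULT);

$cases = [
    'valid login'    => ['username' => 'alice', 'password' => 'correct horse'],
    'wrong password' => ['username' => 'alice', 'password' => 'guess'],
    'wrong username' => ['username' => 'bob',   'password' => 'correct horse'],
    'field missing'  => ['username' => 'alice'], // what the broken form sent
];

foreach ($cases as $label => $post) {
    echo $label . ': ' . check_login($post, $actualusername, $actualpasswordhash) . PHP_EOL;
}
```

In the real handler, pass `$_POST` as the first argument and escape anything derived from the request with `htmlspecialchars()` before echoing it.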