1

Following this tutorial: http://www.gregboggs.com/php-blowfish-random-salted-passwords/ i've been trying to implement encryption for passwords in my registration form. At the moment the code I have runs without any errors but no data is being added to the database. i know the SQL statement is correct as it was working before I started implementing the encryption features.

Here is what I have so far:

<?php

    CRYPT_BLOWFISH or die ('No Blowfish found.');

    include_once "config.php";
    include_once "lib\password.php";

    //This string tells crypt to use blowfish for 5 rounds.
    $Blowfish_Pre = '$2a$05$';
    $Blowfish_End = '$';

    if($_POST["username"] && $_POST["email"] && $_POST["password1"] && $_POST["password2"]) {

        if($_POST["password1"] = $_POST["password2"]) {

            $password1 = mysql_real_escape_string ($_POST["password1"]);

            // Blowfish accepts these characters for salts.
            $Allowed_Chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
            $Chars_Len = 63;

            // 18 would be secure as well.
            $Salt_Length = 21;
            $salt = "";

            //$mysql_date = date( 'Y-m-d' );            

            for($i=0; $i<$Salt_Length; $i++)
            {
                $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
            }
            $bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;

            $hashed_password = crypt($password1, $bcrypt_salt);

            /* create a prepared statement */
            $stmt = mysqli_prepare($link, "INSERT INTO `users` (`username`, `email`, `password`, `salt`) VALUES (?, ?, ?, ?)");

            /* bind parameters for markers */
            mysqli_stmt_bind_param($stmt, "ssss", $_POST["username"], $_POST["email"], $hashed_password, $salt);

            /* execute query */
            mysqli_stmt_execute($stmt);

            /* close statement */
            mysqli_stmt_close($stmt);

            print "<h1>You have registered sucessfully!</h1>";

            print "<a href='main_login.html'>Log in</a>";

        }
        else print "Your passwords do not match, try again!";
    }
    else print "Please fill out the entire form!";

/* close connection */
mysqli_close($link);

?>

PHP VERSION NOTE: As WAMP server only currently supports php5.4.12 natively, I am using this compatibility library: https://github.com/ircmaxell/password_compat.

BUMP: I've been going over this for a while now and I still can't find why the data isn't being inserted. I tested the SQL statement again. I echoed $password1, $bcrypt_salt, $hashed_password through-out the code to make sure they were working right and those variables all contain the correct info. Any ideas?

Corey
  • 327
  • 5
  • 15
  • `if($_POST["password1"] = $_POST["password2"])` shouldn't this be like `if($_POST["password1"] === $_POST["password2"])` ? the first one will be true for ever – peaceman Nov 21 '13 at 01:08
  • Hi, i was aware of this. It must have been an oversight on my part, Thanks, for spotting this! – Corey Nov 21 '13 at 01:11
  • 1
    Have you checked the values of `$bcrypt_salt` and `$hashed_password` before the statement preparation? And what is about the result values of those `mysqli_*` functions? Seems to be just a basic debugging task. – peaceman Nov 21 '13 at 01:16
  • I echoed out $password1 before its hashed and salted. It returned with the correct value from my register form. Then I echoed the $hashed_password and the $salt just before the prepared statement and both returned correct values (a random string of characters, that changes each time the page is refreshed). – Corey Nov 21 '13 at 01:29
  • Look at the "password hashing" section of [this answer](http://stackoverflow.com/questions/10916284/how-to-encrypt-decrypt-data-in-php/10945097#10945097); basically you shouldn't use `$2a$` nor `mt_rand()` and use the password hashing api wherever possible. – Ja͢ck Nov 21 '13 at 03:00
  • Ok ill have a look. I'd still like to know why my code wasn't working. – Corey Nov 21 '13 at 03:03
  • The dangling `$` at the end of your salt is definitely wrong for one :) – Ja͢ck Nov 21 '13 at 03:19

1 Answers1

1

If you just want to compare $password1 and $password2, then you just check:

$hash1 = password_hash("$password1", PASSWORD_BCRYPT, $options)."\n";
$hash2 = password_hash("$password2", PASSWORD_BCRYPT, $options)."\n";
if ($hash1 == $hash2) {
    echo 'matched';
}

But that won't be very useful, you want to get $password1 from user and $hash2 from store and then:

if (password_verify($password1, $hash2)) {
    echo 'matched';
}
imel96
  • 1,385
  • 11
  • 18