0

I'm having trouble writing a login script that works with my registration script.

register.php

$username = $_POST['signupEmail'];
$password = $_POST['signupPassword'];
$gender = $_POST['signupGender'];
$country = $_POST['signupCountry'];

$salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));
$password = hash('sha512', $password . $salt);
$query = mysqli_query($con, "INSERT INTO sh_users (username, password, salt, gender, country) Values ('" . $username . "' , '" . $password . "' , '" . $salt . "' , '" . $gender . "' , '" . $country . "')") or die(mysqli_error($con));

This works no problem - all values in the database.

login.php

$query = "SELECT *
        FROM sh_users
        WHERE username = '$username';";

$result = mysqli_query($con, $query);

$userData = mysqli_fetch_array($result, MYSQL_ASSOC);
$salt = $userData['salt'];

$hash = hash('sha512', $password . $salt);

if ($hash != $userData['password'])
{
    echo "Incorrect email or password";
}
else
{
    echo "success";
}

If I echo echo $password then it's the same as what I input (and yes, I'm using the correct password). Likewise, $salt matches what's in the database. However, $hash gives a rogue result despite the fact that I'm using the same hashing method in both scripts.

Where am I going wrong?

UPDATE

The problem is that $_POST['signupPassword'] is returning null when I var_dump() it at the top of register.php.

The strange thing is that dumping $_POST['signupPassword2'] comes out fine, but I'd like to understand the difference between the two.

Here's my form (which I thought I'd posted the first time, apologies).

<form id="signup-form" action="" method="POST">
    <input name="signupEmail" type="email" class="form-control" id="signupEmail" placeholder="Email address">
    <input name="signupPassword" type="password" class="form-control" id="signupPassword" placeholder="Password">
    <input name="signupPassword2" type="password" class="form-control" id="signupPassword2" placeholder="Password">
    <select name="signupCountry" id="signupCountry" class="selectpicker">
        <option value="0">Country</option>
        <option value="United States">United States</option>
        <option value="United Kingdom">United Kingdom</option>
        <option>Canada</option>
    </select>
    <select name="signupGender" id="signupGender" class="selectpicker">
        <option value="0">Gender</option>
        <option value="f">Female</option>
        <option value="m">Male</option>
    </select>
    <button id="signup" class="btn btn-success btn-block signup" type="submit">Sign up</button>
</form>
Sebastian
  • 3,548
  • 18
  • 60
  • 95
  • 1
    What would you recommend I do instead? – Sebastian Apr 18 '14 at 18:46
  • 2
    @Sebastian please ignore kingkero's comment. He's, wrong. What you should do is dump all the variables that you're using with var_dump(). Do that for $salt and $password and see if they're reaaaally what they're supposed to be. Also make sure that your database field does not truncate your password or salt and that the values in the database are actually what they should be. Even better, dump the variables before inserting them to the db and compare them to the ones you fetch from db in login.php. Something tells me they won't match. – Marius Apr 18 '14 at 18:50
  • A single round of any hash is no longer considered a secure method of storing passwords. See previous questions http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php and http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely for information on standard ways to securely store passwords in PHP. – nobody Apr 18 '14 at 19:54
  • Thanks for that, @AndrewMedico, I'll take a look. Just done some `var_dump()`ing and you were right, @Marius. It would appear my password field isn't passing from my form - see my update. – Sebastian Apr 18 '14 at 19:59

1 Answers1

0

register.php

$username = $_POST['signupEmail'];
$password = $_POST['signupPassword'];
$gender = $_POST['signupGender'];
$country = $_POST['signupCountry'];

$salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));
$password_hashed = hash('sha512', $password . $salt); //i changed var name, because, name var name? this gives a conflit if vars are equal
$query = mysqli_query($con, "INSERT INTO sh_users (username, password, salt, gender, country) Values ('" . $username . "' , '" . $password_hashed . "' , '" . $salt . "' , '" . $gender . "' , '" . $country . "')") or die(mysqli_error($con));

login.php

$query = "SELECT *
        FROM sh_users
        WHERE username = '$username';";

$result = mysqli_query($con, $query);
$row_result = mysqli_fetch_assoc($result); //this will work, not the code that you had, if mysqli_fetch_assoc is not correctly write, sorry, but i think that is it
$salt = $row_result['salt'];

$hash = hash('sha512', $password . $salt);

if ($hash != $userData['password'])
{
    echo "Incorrect email or password";
}
else
{
    echo "success";
}

if its mysqli, why you put MYSQL_ASSOC ? use the above code for the login for the form:

<form id="signup-form" action="" method="POST">
    <input name="signupEmail" type="email" class="form-control" id="signupEmail" placeholder="Email address">
    <input name="signupPassword" type="password" class="form-control" id="signupPassword" placeholder="Password">
    <select name="signupCountry" id="signupCountry" class="selectpicker">
        <option value="0">Country</option>
        <option value="United States">United States</option>
        <option value="United Kingdom">United Kingdom</option>
        <option>Canada</option>
    </select>
    <select name="signupGender" id="signupGender" class="selectpicker">
        <option value="0">Gender</option>
        <option value="f">Female</option>
        <option value="m">Male</option>
    </select>
    <button id="signup" class="btn btn-success btn-block signup" type="submit">Sign up</button>
</form>

its notting wrong whit the form, but don't use var_dump(), i had several errors with that vars.

SkullWritter
  • 11
  • 4