I have an encrypted password in the database which I am trying to retrieve:

Model:

function get_user($usr, $pwd)
{
    $encriptKey = 'super-secret-key';
    $sql = "
      select * from user
      where username = '" . $usr . "' and
      password = '" . $this->encrypt->decode($pwd, $encriptKey) . "'
    ";
    $query = $this->db->query($sql);
    return $query->num_rows();
}

and in the controller I have:

$username = $this->input->post("txt_username");
$password = $this->input->post('txt_password');

$usr_result = $this->account_model->get_user($username, $password);

if ($usr_result > 0) // active user record is present
{
    // login
}

Why is the password still invalid?

Sanzeeb Aryal
  • Have you verified that the output of `$this->encrypt->decode($pwd,$encriptKey)` actually corresponds to one password stored in the database? – maxhb Jan 11 '16 at 12:53
  • Do you mean ``$usr_result > 0 == false`` ? – Jérémy Halin Jan 11 '16 at 12:53
  • 1
    I think that you would usually compare an encrypted stored value with the same encryption over what the user filled in. You seem to be decoding something that came as a parameter. And also, in fact, usually people `hash` passwords, they don't `encrypt` them. – mishu Jan 11 '16 at 12:57
  • @mishu, if you could please answer; your comment seems to be helpful. – Sanzeeb Aryal Jan 11 '16 at 13:14
  • 4
    You should never encrypt your user's passwords. You need to use hashing instead with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way function, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: [How to securely hash passwords?](http://security.stackexchange.com/q/211/45523) – Artjom B. Jan 11 '16 at 13:14
  • 5
    Please be aware that your code is **very** vulnerable towards SQL injection. I could log in with the username `admin' --` and be logged in as "admin" without knowing the password. Use prepared statements and bind your variables (your DB abstraction layer probably already has this functionality). [Please read up on CodeIgniter query escaping/binding to prevent this](https://ellislab.com/codeigniter/user-guide/database/queries.html). – h2ooooooo Jan 11 '16 at 13:32

2 Answers

Since you asked me I am submitting this as an answer also.

The first thing to notice would be that, generally, if you were to store a secret value in the database and at a later time check if something matches it, the way to do it would be to store the encryption and compare a plain value, encrypted the same way, with what you have stored. I am saying this because it seems that you are trying to decode something received as a parameter and compare it to what you have in your table.

In addition, since this is about a password, in general it is a better and safer approach to hash the values, not to encrypt them. You can also make it so that the exact same password won't be hashed in the same way twice, and this would add another layer of security.

I don't think it's a good idea for me to copy&paste good ways to hash passwords in PHP, so I'll just reference some other questions you can find on this page in the "Related" sidebar:

mishu
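Putting mishu's answer together with the hashing and parameter-binding advice from the comments into runnable form, as an added example that is not part of the question or either answer. It assumes PHP 7.1 or later with the pdo_sqlite extension and uses an in-memory SQLite table in place of the CodeIgniter model's `user` table; the `create_user` and `get_user` functions are illustrative names, not CodeIgniter APIs.

```php
<?php
// Added example (not from the question or either answer). Assumes PHP >= 7.1
// with the pdo_sqlite extension; an in-memory SQLite database stands in for
// the CodeIgniter model's `user` table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration: store a bcrypt hash, never the password or a decryptable form.
// password_hash() generates a random salt, so hashing the same password twice
// gives two different strings; password_verify() reads the salt back out.
function create_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: look the row up by username with a bound parameter (so a value like
// "admin' --" is just a username that does not exist), then re-hash the
// submitted password and compare it with the stored hash. The password never
// appears in the SQL text at all.
function get_user(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Constructed sample data: one registered user and three login attempts.
create_user($db, 'alice', 'correct horse battery staple');

$attempts = [
    ['alice', 'correct horse battery staple'],
    ['alice', 'wrong password'],
    ["admin' --", 'anything'],
];
foreach ($attempts as [$u, $p]) {
    echo str_pad($u, 12), get_user($db, $u, $p) ? 'valid user' : 'invalid user', "\n";
}
```

Only the first attempt is accepted; the username from the injection comment above fails as an ordinary unknown user rather than bypassing the password check.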
Try like this:

In the controller:

$username = $this->input->post("txt_username");
$password = $this->input->post('txt_password');

$usr_result = $this->account_model->get_user($username, $password);

if ($usr_result == FALSE)
{
    echo "Invalid User";
}
else
{
    echo "Valid User";
}

In the model:

function get_user($usr, $pwd)
{
    $encriptKey = 'super-secret-key';
    $password = $this->encrypt->decode($pwd, $encriptKey);

    // Bind the values instead of concatenating them into the SQL string;
    // CodeIgniter escapes each value passed for a "?" placeholder.
    $sql = "SELECT * FROM user WHERE username = ? AND password = ?";
    $query = $this->db->query($sql, array($usr, $password));

    // count() on the result object is always 1; ask the result for its row count.
    $count = $query->num_rows();

    if ($count == 0 || $count > 1) {
        return FALSE;
    }
    else {
        return TRUE;
    }
}
Abdulla Nilam