1

Hi all, I have this issue when I validate login in CodeIgniter: it seems it does not check the required password in my database. The required password in my database is hashed using this:

$password_hash = password_hash($password, PASSWORD_BCRYPT);

I'm also using this hash to test its ability and security.

The code in my login view is:

<div class="container">
  <div class="card card-login mx-auto mt-5">
    <div class="card-header">Login</div>
    <div class="card-body">
      <form method="post" action="<?php echo base_url('Ec_controller/login'); ?>">
        <div class="form-group">
          <label for="Username">Username</label>
          <input class="form-control" id="username" name="username" type="text" aria-describedby="emailHelp" placeholder="Enter Username">
        </div>
        <div class="form-group">
          <label for="Password">Password</label>
          <input class="form-control" id="password" name= "password" type="password" placeholder="Enter Password">
        </div>
        <div class="form-group">
          <div class="form-check">
            <!-- <label class="form-check-label">
              <input class="form-check-input" type="checkbox"> Remember Password</label> -->
          </div>
        </div>        
        <input type="submit" name="submit" id="submit" class="btn btn-primary btn-xm" value="Log In" />
      </form>
      <div class="text-center">
        <!-- <a class="d-block small" href="#">Forgot Password?</a> -->
      </div>
    </div>
  </div>
</div>

On my controller:

public function login(){

    $this->load->library('form_validation');

    $this->form_validation->set_rules('username', 'Username', 'required|trim|callback_validate_credentials');
    $this->form_validation->set_rules('password', 'Password', 'required|trim');

    $username = $this->input->post('username');
    $password = $this->input->post('password');
    $user_id = "";

    if($this->form_validation->run()){

        $data = array(
            'log_username' => $username,
            'is_logged_in' => 1
        );
        $this->session->set_userdata($data);

        $sql2 = $this->db->select("log_username, log_password, log_userlevel")
                         ->from("ec_login")
                         ->where("log_username", $username)
                         ->get();

        foreach($sql2->result() as $user_level){
            $user_id = $user_level->log_userlevel;
        }

        if($user_id == 1){
            redirect('Ec_controller/view_admin');
        }elseif ($user_id == 2) {
            redirect('Ec_controller/view_it');
        }else{
            redirect("Ec_controller/index");
        }

    }else{
        redirect('Ec_controller/index');
    }
}

public function validate_credentials(){

    $this->load->model('Ec_model');

    if($this->Ec_model->can_log_in()){
        return true;
    }else{
        $this->form_validation->set_message('validate_credentials', '<font color=red>Incorrect username/password</font>');
        return false;
    }
}

and on my Model:

public function can_log_in(){

    $this->db->where('log_username', $this->input->post('username'));
    $this->db->where('log_password', password_verify($this->input->post('password'), PASSWORD_BCRYPT));
    $query = $this->db->get('ec_login');

    if($query->num_rows() == 1){
        return true;
    }else{
        return false;
    }
}

When I put in a username it validates the required username, and the only problem is the password: whatever I put in the password field, it validates and redirects to the specific page/views. It sounds crazy. Help and a little explanation would be a great help.

Nimesh Patel
  • 796
  • 1
  • 7
  • 23
lothux1987
  • 140
  • 2
  • 14

3 Answers

1

In your login function you aren't checking the password against the value in the database, so the query is just matching the username and ignoring the password. You would need to add the following to the db query:

$password_hash = password_hash($password, PASSWORD_BCRYPT);
...
->where('log_password', $password_hash)

You should also move this line: $this->session->set_userdata($data); to below the query, and put it in an if statement:

if ($sql2->num_rows()) {
    $this->session->set_userdata($data);
}

So the whole thing would look like:

$password_hash = password_hash($password, PASSWORD_BCRYPT);

$sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                             ->from("ec_login")
                             ->where("log_username", $username)
                             ->where('log_password', $password_hash)
                             ->get();
if ($sql2->num_rows()) {
    $this->session->set_userdata($data);
}
mickmackusa
  • 43,625
  • 12
  • 83
  • 136
Adam B
  • 165
  • 2
  • 7
  • In my `$this->form_validation->set_rules('username', 'Username', 'required|trim|callback_validate_credentials');` the callback function `validate_credentials()` is what checks the credentials for my password against the database in Ec_model, from my model class. – lothux1987 Jan 08 '18 at 10:56
  • I think you are supposed to put the validate_credentials function in a different place, have a look at https://stackoverflow.com/questions/12878863/adding-custom-callback-to-codeigniter-form-validation – Adam B Jan 08 '18 at 11:11
  • What I'm trying to get here is to check if the input password on the form is the same as the database password. Example: form input password is _abcd_ and on my database the password is _cdef_. But when I put **whatever** password on the form, for example ae, ui, ou, the values are passed to the controller and model and **it redirects to the specific page/views**. – lothux1987 Jan 08 '18 at 11:27
  • Controllers are not for accessing the database -- that's what the model is for. – mickmackusa Jun 01 '23 at 22:24
1

Solved it.

I was so totally dumb for not reading carefully what the use of password_verify() is in the PHP manual. Well, I finally got it right now. Here's my answer to my question, an updated one.

public function login(){

    $this->load->library('form_validation');

    $this->form_validation->set_rules('username', 'Username', 'required|trim');
    $this->form_validation->set_rules('password', 'Password', 'required|trim');

    $username = $this->input->post('username');
    $password = $this->input->post('password');
    $user_id = "";
    $user_password_db = ""; // stays empty when no row matches, so password_verify() fails below

    if($this->form_validation->run() != true){

        redirect('Ec_controller/index');

    }else{

        $sql2 = $this->db->select("log_username, log_password, log_userlevel")
                         ->from("ec_login")
                         ->where("log_username", $username)
                         ->get();

        foreach($sql2->result() as $user_level){
            $user_id = $user_level->log_userlevel;
            $user_password_db = $user_level->log_password;
        }

        // password_verify() re-hashes $password with the salt stored inside the bcrypt hash
        // and compares the result with the hash from the database.
        $password_ok = password_verify($password, $user_password_db);

        $data = array(
            'log_username'  => $username,
            'log_userlevel' => $user_id,
            'log_password'  => $user_password_db,
            'is_logged_in'  => 1
        );

        // Only mark the session as logged in once the password has been verified
        if($password_ok){
            $this->session->set_userdata($data);
        }

        if($password_ok && $user_id == 1){
            redirect('Ec_controller/view_admin');
        }elseif ($password_ok && $user_id == 2) {
            redirect('Ec_controller/view_it');
        }else{
            redirect("Ec_controller/index");
        }
    }
}

This gave me a headache, but it was worth it and I'm happy with the outcome.

lothux1987
  • 140
  • 2
  • 14
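An added example, not the poster's code and not CodeIgniter's: the same verification in plain PHP with a constructed in-memory stand-in for the ec_login table, so it runs without the framework. It also shows why the first answer's approach of comparing a fresh password_hash() result against the stored column can never match. The function check_login() and the sample rows are assumptions made for this example.

```php
<?php
// Added example (not the poster's or CodeIgniter's code). Plain PHP so it runs
// standalone; the in-memory $ec_login "table" stands in for the ec_login table,
// which in the app would come from
// $this->db->where('log_username', $username)->get('ec_login')->row_array().

// Constructed sample rows. The hashes are produced by password_hash(), exactly
// as the question's registration code does.
$ec_login = [
    ['log_username' => 'alice', 'log_password' => password_hash('cdef', PASSWORD_BCRYPT),   'log_userlevel' => 1],
    ['log_username' => 'bob',   'log_password' => password_hash('s3cret', PASSWORD_BCRYPT), 'log_userlevel' => 2],
];

// Returns the session data to store on success, or null when the username or
// password is wrong. The stored hash is deliberately not copied into the session.
function check_login(array $rows, string $username, string $password): ?array
{
    $row = null;
    foreach ($rows as $candidate) {
        if ($candidate['log_username'] === $username) {
            $row = $candidate;
            break;
        }
    }
    if ($row === null) {
        return null;
    }
    // password_verify() reads the salt embedded in the stored hash, re-hashes the
    // submitted password with it and compares in constant time. Comparing
    // password_hash($password, ...) against the column instead cannot work: each
    // call draws a fresh random salt, so two hashes of one password differ.
    if (!password_verify($password, $row['log_password'])) {
        return null;
    }
    return [
        'log_username'  => $row['log_username'],
        'log_userlevel' => (int) $row['log_userlevel'],
        'is_logged_in'  => 1,
    ];
}

foreach ([['alice', 'cdef'], ['alice', 'abcd'], ['bob', 's3cret'], ['nobody', 'x']] as [$u, $p]) {
    $result = check_login($ec_login, $u, $p);
    echo $u, '/', $p, ': ', $result === null ? 'rejected' : 'level ' . $result['log_userlevel'], PHP_EOL;
}

// Two hashes of the same password are never string-equal, which is why the
// first answer's ->where('log_password', $password_hash) never matches a row.
var_dump(password_hash('cdef', PASSWORD_BCRYPT) === password_hash('cdef', PASSWORD_BCRYPT));
```

In the CodeIgniter model the same logic replaces the second where() clause in can_log_in(): select the row by username only, then call password_verify() on its log_password column.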
0
Callback in your controller:

public function password_check($str)
{
   if (preg_match('#[0-9]#', $str) && preg_match('#[a-zA-Z]#', $str)) {
     return TRUE;
   }
   return FALSE;
}
Then, update your rule to use it:

$this->form_validation->set_rules('password', 'Password', 'required|matches[passconf]|min_length[8]|alpha_numeric|callback_password_check');
sooraj J
  • 1
  • 1
  • Not updating the password, but checking if the user input password is the same as the user password in the database. – lothux1987 Jan 10 '18 at 10:14
  • public function login($data) { $condition = "user_name =" . "'" . $data['username'] . "' AND " . "user_password =" . "'" . md5($data['password']) . "'"; $this->db->select('*'); $this->db->from('user_login'); $this->db->where($condition); $this->db->limit(1); $query = $this->db->get(); if ($query->num_rows() == 1) { return true; } else { return false; } – sooraj J Jan 10 '18 at 10:26