0

Okay so my code is a bit tricky i'm using password_hash and it works fine on my Register.php page but it fails to work when i try to implement into my code so here a fresh code if someone can try or point me in right direction on how this can be done i should of done this while coding it but i never. Code below i wanna implement password_hash and password_verify

if (!($user -> LoggedIn()))
{
if (isset($_POST['logINBoss']))
{
    $username = htmlspecialchars($_POST['username']);
    $password = htmlspecialchars($_POST['password']);
    $errors = array();
    if (!ctype_alnum($username) || strlen($username) < 3 || strlen($username) > 15)
    {
        //$errors[] = 'Username Must Be  Alphanumberic And 4-15 characters in length';
    }

    if (empty($username) || empty($password))
    {
        $errors[] = '<center><div class="sufee-alert alert with-close alert-danger alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button><i class="mdi mdi-check-all"></i>Fill in all fields.</div></center>">';
    }
        $SQL = $odb->prepare("SELECT `status` FROM `users` WHERE `username` = :username");
        $SQL->execute(array(':username' => $username));
        $status = $SQL->fetchColumn(0);
        if($status == 1)
        {
        $SQL = $odb->prepare("SELECT `reason` FROM `bans` WHERE `username` = :username");
        $SQL->execute(array(':username' => $username));
        $ban = $SQL->fetchColumn(0);
        header('location: banned.php');
        }
    if (empty($errors))
    {
        $SQLCheckLogin = $odb -> prepare("SELECT COUNT(*) FROM `users` WHERE `username` = :username AND `password` = :password");
        $SQLCheckLogin -> execute(array(':username' => $username, ':password' => password_hash($password, PASSWORD_DEFAULT)));
        $countLogin = $SQLCheckLogin -> fetchColumn(0);
        if ($countLogin == 1)
        {
            $SQLGetInfo = $odb -> prepare("SELECT `username`, `ID`, `status` FROM `users` WHERE `username` = :username AND `password` = :password");
            $SQLGetInfo -> execute(array(':username' => $username, ':password' => password_hash($password, PASSWORD_DEFAULT)));
            $userInfo = $SQLGetInfo -> fetch(PDO::FETCH_ASSOC);
        if ($countLogin == 1)
        {
                $logAddr = $odb->prepare("INSERT INTO `login_history` (`username`,`ip`,`date`,`http_agent`) VALUES (:user, :ip, UNIX_TIMESTAMP(NOW()), :agent);");
                $logAddr->execute(array( ":user" => $username, ":ip" => $_SERVER['REMOTE_ADDR'], ":agent" => $_SERVER['HTTP_USER_AGENT']));
                htmlspecialchars($_SESSION['username'] = $userInfo['username']);
                htmlspecialchars($_SESSION['ID'] = $userInfo['ID']);
        echo '<center><div class="sufee-alert alert with-close alert-success alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button><i class="mdi mdi-check-all"></i>Login Successful!</div></center><meta http-equiv="refresh" content="1;url=index.php">';
            }
            else
            {
        echo '<center><div class="sufee-alert alert with-close alert-danger alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button><i class="mdi mdi-check-all"></i>You are Banned!</div></center>';
            }
        }
        else
        {
        echo '<center><div class="sufee-alert alert with-close alert-warning alert-dismissible fade show" role="alert"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button><i class="mdi mdi-check-all"></i>Login Failed!</div></center>';
        }
    }
    else
    {
        echo '<div class="alert alert-danger"><p><strong>ERROR:</strong><br />';
        foreach($errors as $error)
        {
            echo '-'.htmlspecialchars_decode($error).'<br />';
        }
        echo '</div>';
    }
    }

}

Private
  • 5
  • 5
  • Please try to narrow down your code to a specific implementation issue. It doesn't make much sense to reexplain what's already discussed in previous questions. – mario Mar 07 '19 at 01:02
  • i tried implementing this under the post variables near the top $hashed_password = password_hash($_POST["password"],PASSWORD_DEFAULT); if(password_verify($_POST["password"],$hashed_password)) but still wont work :/ – Private Mar 07 '19 at 01:05
  • That doesn't convey very well if you understood the basic usage. (See linked questions again). Otherwise, show the last attempt, cut down the code (neither bans nor login_history are relevant), showcase input, database contents, and var_dump samples in between. – mario Mar 07 '19 at 01:13
  • remove all of these `AND password = :password"` select hashed password (from db, lets call it `$row['password']`) and compare it to the plain text input password, `password_verify` does the encryption for you. `password_verify ( $_POST['password'], $row['password'] )` – ArtisticPhoenix Mar 07 '19 at 01:50

1 Answers1

1

When you get your user from the database, get it searching by username, not by username and password. Once you have the hash retrieved from the database, don't use password_hash because it will give you a different hash! better use password_verify: http://php.net/manual/en/function.password-verify.php

This way you can verify passwords, that is the reason why password_verify exists, because password_hash adds salt to secure the passwords in a better way, and gives a different hash even with the same plaintext.

Luis Cabrera Benito
  • 1,558
  • 13
  • 21
  • I'm confused i'm completely new to this and i've done non stop looking up but ain't getting far – Private Mar 07 '19 at 01:01