Login system I am working on keeps saying there is an error

I am working on a Login System using PHP and MySQL. I found some code to use to encrypt passwords. The sign-up works fine, but when I go to log in it keeps saying Incorrect password. I will provide a download for my source code.

The table layout is like this:


Hopefully you can set this up on a localhost and debug the code for me :slight_smile: thanks in advance!

login.zip (2.53 KB)

Try to sign up a user using a password like abc123 and then post the password and the hash here. Could just be some error with the password itself.

Some notes regarding the code:

Most importantly, you are using mysqli, which supports parameterized queries, so use them! As it stands, your code is vulnerable to SQL injection.

[php]$user = $_POST['user'];
$email = $_POST['email'];
$cfemail = $_POST['cfemail'];
$pass = $_POST['pass'];
$cfpass = $_POST['cfpass'];

if($email && $cfemail && $pass && $cfpass)
    $user = $_POST['user'];
    $email = $_POST['email'];
    $cfemail = $_POST['cfemail'];
    $pass = $_POST['pass'];
    $cfpass = $_POST['cfpass'];[/php]

You don’t need to assign these variables twice.

[php]if(strlen($user) <= 25 && strlen($pass) <= 25)[/php]

You should not limit passwords to 25 characters.


You should also try to limit the nesting in your code; this file in particular has deep if-nesting, which makes it unnecessarily hard to read.
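To make the parameterized-query point concrete, here is an added example (not code from the attached zip or from anyone in this thread) of a login lookup written with a mysqli prepared statement. The table name `users`, the columns `username` and `password`, the connection credentials, and the availability of `validate_password()` from the project's PBKDF2 library are assumptions.

```php
<?php
// Added example, not the thread's code. Assumes a `users` table whose
// `password` column holds the PBKDF2 string produced by the project's
// create_hash(), and that the project's PBKDF2 library (which defines
// validate_password()) has already been included.

// Pattern to avoid: the username is spliced into the SQL text, so a
// value containing a quote changes the structure of the query itself.
function find_user_unsafe(mysqli $db, string $user): ?array
{
    $sql = "SELECT username, password FROM users WHERE username = '$user'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened version: the SQL text is fixed and the value is bound separately,
// so whatever the user typed is only ever compared as data.
function find_user(mysqli $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Login check: fetch the stored hash by username, then let the PBKDF2
// library do the comparison. No length cap on the password is needed;
// the stored hash is the same size whatever the password length.
function login(mysqli $db, string $user, string $pass): bool
{
    $row = find_user($db, $user);
    if ($row === null) {
        return false;
    }
    return validate_password($pass, $row['password']);
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'logindb'); // assumed credentials
$ok = login($db, $_POST['user'] ?? '', $_POST['pass'] ?? '');
echo $ok ? 'Logged in' : 'Incorrect username or password';
```

The same bound-parameter approach applies to the INSERT on the sign-up page. Note also that the failure message above does not distinguish "unknown user" from "wrong password", which avoids confirming which usernames exist.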

Well thanks for the advice, but it's not much help.

Quite the opposite my friend, it’s probably the best help you never asked for… ;D

Well, this post wasn't that helpful either; I asked for some more information to try to narrow this down…

OK, the password is: abc123 and the hash is: sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt

OK, so by adding this code to index.php we can make sure the password validation process works:

[php]$password = 'abc123';
$hash = 'sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt';

// validate_password() comes from the PBKDF2 library already included by the project
echo 'Password: ' . $password . '<br>';
echo 'Hash: ' . $hash . '<br>';
echo 'Verify: ' . validate_password($password, $hash) . '<br>';[/php]


Password: abc123 Hash: sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt Verify: 1

It works! So it seems there is some logic error somewhere in the code, will look into this later on :slight_smile:
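Since the hash verifies when fed in directly, the next thing to separate is "the password is wrong" from "the string that came back from the database is not the string that was stored". The hash format is `algorithm:iterations:salt:hash`, 77 characters for the one posted above, and a column too narrow for that (or code that trims it) would silently break verification. The following diagnostic is an added example, not code from the zip or from anyone in this thread; it assumes the project's PBKDF2 library (which defines `validate_password()`) is included, and the truncated input is constructed here for illustration.

```php
<?php
// Added example, not the thread's code. Checks the shape of a stored hash
// before calling the project's validate_password(), so a damaged stored
// value is reported as such instead of as a wrong password.

function inspect_hash(string $hash): array
{
    $parts = explode(':', $hash);
    $problems = [];
    if (count($parts) !== 4) {
        $problems[] = 'expected 4 colon-separated fields, got ' . count($parts);
        return ['ok' => false, 'length' => strlen($hash), 'problems' => $problems];
    }
    [$algo, $iter, $salt, $digest] = $parts;
    if (!in_array($algo, hash_algos(), true)) {
        $problems[] = "unknown algorithm '$algo'";
    }
    if (!ctype_digit($iter) || (int) $iter < 1) {
        $problems[] = "iteration count '$iter' is not a positive integer";
    }
    // Strict decoding rejects characters outside the base64 alphabet.
    if ($salt === '' || base64_decode($salt, true) === false) {
        $problems[] = 'salt field is empty or not valid base64';
    }
    if ($digest === '' || base64_decode($digest, true) === false) {
        $problems[] = 'hash field is empty or not valid base64';
    }
    return ['ok' => $problems === [], 'length' => strlen($hash), 'problems' => $problems];
}

function diagnose_login(string $password, string $stored): string
{
    $info = inspect_hash($stored);
    if (!$info['ok']) {
        return 'stored hash is malformed (' . $info['length'] . ' chars): '
            . implode('; ', $info['problems']);
    }
    return validate_password($password, $stored)
        ? 'hash is well-formed and the password verifies'
        : 'hash is well-formed but the password does not verify';
}

// Constructed inputs: the hash posted in this thread, and the same string
// cut to 40 characters to imitate a value that was truncated on storage.
$full = 'sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt';
$truncated = substr($full, 0, 40);

echo diagnose_login('abc123', $full), PHP_EOL;
echo diagnose_login('abc123', $truncated), PHP_EOL;
```

Run `diagnose_login()` against the value actually fetched from the `users` table for the account that fails, with the password typed at login; if it reports a malformed hash, the bug is between sign-up and storage, and if it reports a well-formed hash that does not verify, the bug is in how the login page reads the submitted password.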

I wasn’t going to reply, but I decided to anyways (maybe against my own better judgement. :D)
When I first started off writing PHP code, I attempted writing my own password routine, but someone on a different forum corrected my own misguided way. He said why reinvent the wheel, when you have people on the internet that do write password routines as a living and do it securely. I use the https://github.com/ircmaxell/password_compat/blob/master/lib/password.php hashing routine that was developed by some egghead at MIT, but there are other good password libraries out on the internet. Just do an internet search, for I would rather spend time writing code that deals with the login/registration portion than spending time writing a password hashing routine. Besides, the code that I would write for it would probably be insecure anyways. Just my .02 cents.

This is actually using a well-known PHP implementation of PBKDF2.

