Login system I am working on keeps saying there is an error

I am working on a Login System using PHP and MySQL. I found some code to use to encrypt passwords. The sign-up works fine, but when I go to log in it keeps saying Incorrect password. I will provide a download for my source code.

The table layout is like this:

http://img706.imageshack.us/img706/5341/2n35.png

Hopefully you can set this up on a localhost and debug the code for me :slight_smile: thanks in advance!


login.zip (2.53 KB)


Try to sign up a user using a password like abc123 and then post the password and the hash here. Could just be some error with the password itself.

Some notes regarding the code:

Most importantly, you are using mysqli, which supports parameterized queries, use them! As it stands your code is vulnerable to SQL injection.

sign-up.php
[php]if(isset($_POST['user']))
{
    $user = $_POST['user'];
    $email = $_POST['email'];
    $cfemail = $_POST['cfemail'];
    $pass = $_POST['pass'];
    $cfpass = $_POST['cfpass'];

    if($email && $cfemail && $pass && $cfpass)
    {
        $user = $_POST['user'];
        $email = $_POST['email'];
        $cfemail = $_POST['cfemail'];
        $pass = $_POST['pass'];
        $cfpass = $_POST['cfpass'];[/php]

You don’t need to assign these variables twice.

[php]if(strlen($user) <= 25 && strlen($pass) <= 25)[/php]

You should not limit passwords to 25 characters.

[hr]

You should also try to limit the nesting in your code; this file in particular has deep if-nesting, which makes it unnecessarily hard to read.
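The parameterized-query advice above, as an added example that is not part of the original post or of the code in login.zip. The table name `users`, the columns `username`, `email` and `password`, and the function names `insert_user()` and `check_login()` are assumptions; `validate_password()` is the hashing function the thread itself calls from index.php.

```php
<?php
// Added example. Assumed names (not from the thread): table `users`
// with columns `username`, `email`, `password`, and both function names.
// validate_password() is the hashing code's function used in the thread.

// Sign-up: values are bound as parameters, never concatenated into SQL,
// so quotes inside $user or $email are stored as plain data.
function insert_user(mysqli $db, $user, $email, $hash)
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, password) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false; // prepare failed, e.g. wrong table or column name
    }
    $stmt->bind_param('sss', $user, $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login: fetch the stored hash for one username, then verify it in PHP.
function check_login(mysqli $db, $user, $pass)
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch(); // true = row fetched, null = no such user
    $stmt->close();

    if ($found !== true) {
        return false;
    }
    // The password is only compared here; it never appears in the query.
    return (bool) validate_password($pass, $stored);
}
```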

Well thanks for the advice, but it's not much help.

:o
Quite the opposite my friend, it’s probably the best help you never asked for… ;D

Well, this post wasn’t that helpful either, I asked for some more information to try to narrow this down…

ok, the password is: abc123 and the hash is: sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt

Ok, so by adding this code to index.php we can make sure the password validation process works:

[php]$password = 'abc123';
$hash = 'sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt';

// validate_password() comes from the hashing code already used by the project
echo 'Password: ' . $password . "\n";
echo 'Hash: ' . $hash . "\n";
echo 'Verify: ' . validate_password($password, $hash) . "\n";[/php]

Output:

Password: abc123 Hash: sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt Verify: 1

It works! So it seems there is some logic error somewhere in the code, will look into this later on :slight_smile:

I wasn’t going to reply, but I decided to anyways (maybe against my own better judgement. :D)
When I first started off writing PHP code, I attempted writing my own password routine, but someone on a different forum corrected my own misguided way. He said why reinvent the wheel, when you have people on the internet that do write password routines for a living and do it securely. I use https://github.com/ircmaxell/password_compat/blob/master/lib/password.php hashing routine that was developed by some egghead at MIT, but there are other good password libraries out on the internet. Just do an internet search, for I would rather spend time writing code that deals with login/registration portion than spending time writing a password hashing routine. Besides the code that I would write for it would probably be insecure anyways. Just my .02 cents.

This is actually using a well-known PHP implementation of PBKDF2.
