I am working on a Login System using PHP and MySQL. I found some code to use to encrypt passwords. The sign-up works fine, but when I go to log in it keeps saying Incorrect password. I will provide a download for my source code.
The table layout is like this:
http://img706.imageshack.us/img706/5341/2n35.png
Hopefully you can set this up on a localhost and debug the code for me 
thanks in advance!
login.zip (2.53 KB)
login.zip (2.53 KB)
Try to sign up a user using a password like abc123 and then post the password and the hash here. Could just be some error with the password itself.
Some notes regarding the code:
Most importantly, you are using mysqli which support parameterized queries, use them! As it stands your code is vulnerable to sql injection.
sign-up.php
[php]if(isset($_POST[‘user’]))
{
$user = $_POST[‘user’];
$email = $_POST[‘email’];
$cfemail = $_POST[‘cfemail’];
$pass = $_POST[‘pass’];
$cfpass = $_POST[‘cfpass’];
if($email && $cfemail && $pass && $cfpass)
{
$user = $_POST['user'];
$email = $_POST['email'];
$cfemail = $_POST['cfemail'];
$pass = $_POST['pass'];
$cfpass = $_POST['cfpass'];[/php]
You don’t need to assign these variables twice.
[php]if(strlen($user) <= 25 && strlen($pass) <= 25)[/php]
You should not limit passwords to 25 characters.
[hr]
You should also try to limit the nesting in your code, this file in particular has deep if-nesting which makes it uneccessary hard to read.
Well thanks for the advice, but its not much help.
:o
Quite the opposite my friend, it’s probably the best help you never asked for… ;D
Well, this post wasn’t that helpful either, I asked for some more information to try to narrow this down…
ok, the password is: abc123 and the hash is: sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt
Ok, so by adding this code to index.php we can make sure the password validation process works
[php]$password = ‘abc123’;
$hash = ‘sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt’;
echo 'Password: ’ . $password . ‘
’;
echo 'Hash: ’ . $hash . ‘
’;
echo 'Verify: ’ . validate_password($password, $hash) . ‘
’;[/php]
Output:
Password: abc123
Hash: sha256:1000:sydt3AwTuFe5qu0AECajXxdfuIULM8oE:pALsvZeBEkwkh8QRq2T2t76g0r1DqLxt
Verify: 1
It works! So it seems there is some logic error somewhere in the code, will look into this later on 
I wasn’t going to reply, but I decided to anyways (maybe against my own better judgement. :D)
When I first started off writing PHP code, I attempted my writing my own password routine, but someone on a different forum corrected my own misguided way. He said why reinvent the wheel, when you have people on the internet that do write password routines as a living and do it securely. I use https://github.com/ircmaxell/password_compat/blob/master/lib/password.php hashing routine that was developed by some egghead at MIT, but there are other good password libraries out on the internet. Just do an internet search, for I would rather spend time writing code that deals with login/registration portion than spending time writing a password hashing routine. Besides the code that I would write for it would probably be insecure anyways. Just my .02 cents.
This is actually using a well known php implementation of pbkdf2