I created a php login web application following a tutorial on the net. I followed this tutorial: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
Except from the login function, I fetched all the other code form github here: https://github.com/peredurabefrog/phpSecureLogin
When I have done everything exactly as described, the logging does not work I tried to find the point of failure by adding a lot of echo statementsto see where it fails and found it in login function at the call of password_verify():
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
echo "<p>START USER CHECK</p>";
if ($stmt = $mysqli->prepare("SELECT id, username, password
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password);
$stmt->fetch();
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
echo "<p>USER IN DB WITH EMAIL: $stmt->num_rows</p>";
echo "<p>PW, UN, DBPW: $user_id, $username, $db_password</p>";
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
echo "<p>WE ARE BRUTING</p>";
return false;
} else {
echo "<p>AT LEAST WE ARE NOT BRUTING</p>";
// Check if the password in the database matches
// the password the user submitted. We are using
// the password_verify function to avoid timing attacks.
if (password_verify($password, $db_password)) {
echo "<p>PW VERIFIED</p>";
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $db_password . $user_browser);
// Login successful.
return true;
} else {
echo "<p>PW NOT VERIFIED</p>";
echo "<p>Password from form (hashed with sha512?): $password</br>Password from DB: $db_password</p>";
// Password is not correct
// We record this attempt in the database
$now = time();
//$mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
Result:
Processing login
USER CHECK
USER IN DB WITH EMAIL: 1
PW, UN, DBPW: 1, sec_user, $2y$10$IrzYJi10j3Jy/K6jzSLQtOLif1wEZqTRQoK3DcS3jdnFEhL4fWM4G
AT LEAST WE ARE NOT BRUTING
PW NOT VERIFIED
Password from form (hashed with sha512?): 445fc3655cede6a6c841d08f0776fac92a0118d1d1597046e09909310b2664538642292515aee4737c39826d70508466f5df36417f09274cb470ca4b6857be7a Password from DB: $2y$10$IrzYJi10j3Jy/K6jzSLQtOLif1wEZqTRQoK3DcS3jdnFEhL4fWM4G
I can not see the problem, is the hashed password incorrect?
I have put some output in the forms.js script, ands printed the none-hashed and hashed pw.
function formhash(form, password) {
// Create a new element input, this will be our hashed password field.
var p = document.createElement("input");
// Add the new element to our form.
form.appendChild(p);
p.name = "p";
p.type = "hidden";
p.value = hex_sha512(password.value);
alert("PW: "+password.value+" -- Hashed: "+p.value);
// Make sure the plaintext password doesn't get sent.
password.value = "";
// Finally submit the form.
form.submit();
}
PW: 6ZaxN2Vzm9NUJT2y -- Hashed: 445fc3655cede6a6c841d08f0776fac92a0118d1d1597046e09909310b2664538642292515aee4737c39826d70508466f5df36417f09274cb470ca4b6857be7a
I have checked other simular question, but their solutions failed or did not apply to my problem.
Sorry, I am lost.