password_verify not matching passwords

332 views Asked by At

I created a php login web application following a tutorial on the net. I followed this tutorial: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

Except from the login function, I fetched all the other code form github here: https://github.com/peredurabefrog/phpSecureLogin

When I have done everything exactly as described, the logging does not work I tried to find the point of failure by adding a lot of echo statementsto see where it fails and found it in login function at the call of password_verify():

function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
echo "<p>START USER CHECK</p>";

if ($stmt = $mysqli->prepare("SELECT id, username, password 
    FROM members
   WHERE email = ?
    LIMIT 1")) {
    $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
    $stmt->execute();    // Execute the prepared query.
    $stmt->store_result();

    // get variables from result.
    $stmt->bind_result($user_id, $username, $db_password);
    $stmt->fetch();

    if ($stmt->num_rows == 1) {
        // If the user exists we check if the account is locked
        // from too many login attempts 
        echo "<p>USER IN DB WITH EMAIL: $stmt->num_rows</p>";
        echo "<p>PW, UN, DBPW: $user_id, $username, $db_password</p>";
        if (checkbrute($user_id, $mysqli) == true) {
            // Account is locked 
            // Send an email to user saying their account is locked
            echo "<p>WE ARE BRUTING</p>";

            return false;
        } else {
            echo "<p>AT LEAST WE ARE NOT BRUTING</p>";

            // Check if the password in the database matches
            // the password the user submitted. We are using
            // the password_verify function to avoid timing attacks.
            if (password_verify($password, $db_password)) {

                echo "<p>PW VERIFIED</p>";

                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                $_SESSION['user_id'] = $user_id;
                // XSS protection as we might print this value
                $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
                $_SESSION['username'] = $username;
                $_SESSION['login_string'] = hash('sha512', $db_password . $user_browser);
                // Login successful.
                return true;
            } else {

                echo "<p>PW NOT VERIFIED</p>";
                echo "<p>Password from form (hashed with sha512?): $password</br>Password from DB: $db_password</p>";

                // Password is not correct
                // We record this attempt in the database
                $now = time();
                //$mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')");
                return false;
            }
        }
    } else {
        // No user exists.
        return false;
    }
}

Result:

Processing login

USER CHECK

USER IN DB WITH EMAIL: 1

PW, UN, DBPW: 1, sec_user, $2y$10$IrzYJi10j3Jy/K6jzSLQtOLif1wEZqTRQoK3DcS3jdnFEhL4fWM4G

AT LEAST WE ARE NOT BRUTING

PW NOT VERIFIED

Password from form (hashed with sha512?): 445fc3655cede6a6c841d08f0776fac92a0118d1d1597046e09909310b2664538642292515aee4737c39826d70508466f5df36417f09274cb470ca4b6857be7a Password from DB: $2y$10$IrzYJi10j3Jy/K6jzSLQtOLif1wEZqTRQoK3DcS3jdnFEhL4fWM4G

I can not see the problem, is the hashed password incorrect?

I have put some output in the forms.js script, ands printed the none-hashed and hashed pw.

function formhash(form, password) {
// Create a new element input, this will be our hashed password field.
var p = document.createElement("input");

// Add the new element to our form.
form.appendChild(p);
p.name = "p";
p.type = "hidden";
p.value = hex_sha512(password.value);

alert("PW: "+password.value+" -- Hashed: "+p.value);

// Make sure the plaintext password doesn't get sent.
password.value = "";

// Finally submit the form.
form.submit();

}

PW: 6ZaxN2Vzm9NUJT2y -- Hashed: 445fc3655cede6a6c841d08f0776fac92a0118d1d1597046e09909310b2664538642292515aee4737c39826d70508466f5df36417f09274cb470ca4b6857be7a

I have checked other simular question, but their solutions failed or did not apply to my problem.

Sorry, I am lost.

0

There are 0 answers