what should I do to authenticate user correctly [duplicate]

-1

I need help authenticating users on my site, but I do not know what the SQL variable I instantiated returns when it finds the right user. What should I put in the if?

<?php
include 'conexao.php';
$conexao = conexao::getInstance();

$login = $_POST['login'];
$senha = $_POST['senha'];

// The query string is only built here; it is never sent to the database.
$sql = "SELECT * FROM tabela WHERE login = '$login' AND senha = '$senha'";

if ($sql == ? ) {   // what goes here?
    session_start();
    $_SESSION['login'] = $_POST['login'];
    $_SESSION['senha'] = $_POST['senha'];
    echo "login efetuado ";
    header("Location: paineladm.php");
} else {
    echo "Login ou senha invalidos tente novamente...";
    header("Location: login.php");
}
asked by anonymous 07.06.2018 / 19:44

2 answers

0

User validation is a tricky thing; you have to think hard about the security issue. I'd suggest you use PDO; check out the manual.

I'll leave a simple example for you to build on.

<?php
session_start();
// $pdoMySql is assumed to be an already-open PDO connection to MySQL.
if (isset($_POST["login"]) && $_POST["login"] == "login") {
  $usuario = trim($_POST["usuario"]);
  $senha = trim($_POST["senha"]);

  if (empty($usuario)) {
    echo "<script>alert('Informe o usuário!');</script>";
  } else if (empty($senha)) {
    echo "<script>alert('Informe a senha!');</script>";
  } else {
    try {
      $stmt = $pdoMySql->prepare("SET CHARACTER SET utf8");
      $stmt->execute();
      // Conditions are joined with AND; a comma here would be a syntax error.
      $stmt = $pdoMySql->prepare("SELECT * FROM usuario WHERE usuario = ? AND senha = ? LIMIT 1;");
      $stmt->bindParam(1, $usuario);
      $stmt->bindParam(2, $senha);
      $stmt->execute();

      // A row comes back only when the user exists
      if ($linha = $stmt->fetch(PDO::FETCH_ASSOC)) {
        // Session flag checked on the other pages
        $_SESSION["loginok"] = true;
        // In case you need this data on other pages
        $_SESSION['usuario'] = $usuario;
        $_SESSION['senha'] = $senha;
        echo "<script language=\"JavaScript\">location.href=\"index.php\"</script>";
      } else {
        echo "<script>alert('Usuário não existe!');</script>";
      }

    } catch (\Exception $e) {
      // error
    }
  }
}
?>
07.06.2018 / 20:10
0

Using what PHP provides, you should work with PHP's password hashing functions.

password_hash

You must create and store the hash of the password in some repository (database, etc.). To generate the hash, use password_hash:

$passwordHash = password_hash($_POST['password'] , PASSWORD_DEFAULT);

The first parameter is the password you want to store and the second is the algorithm that will be used. According to the manual (which you can also read in this answer), it is recommended to use PASSWORD_DEFAULT.

The hash that is generated is different every time; as an example, for the password teste123 it generated the hash below:

$2y$10$kPsVvPp8Z1K73vEW/fHcHewbkkQNTN0JOdLPEwoydf8y4pO32Ixqu

You can check this link for hash generation: link

password_verify

When validating the password, you must use the password_verify function, as in the example below:

password_verify($_POST['senha'], $hash);

Here $hash is the hash that was returned by password_hash and saved in storage.

Example:

$senha = "teste123";
$hash = '$2y$10$kPsVvPp8Z1K73vEW/fHcHewbkkQNTN0JOdLPEwoydf8y4pO32Ixqu';

echo password_verify ($senha , $hash) ? 'Senha válida' : "Senha inválida";

Output:

Senha válida

Working Code: link

Authentication and Security

To further improve authentication security, there are a few steps to follow. The first is not to differentiate between an invalid user and an invalid password: an attacker who knows that a user is valid will focus only on that user to try to find the password.

Secondly, there is something called a timing attack, which, in short, consists of measuring how long the algorithm takes to respond that the password is invalid and comparing these times across different passwords to find correct characters within a password. You can read about it at this link.

The password_verify function already has a defense against timing attacks, but it must be used correctly.

With this in mind, we can get to the following script:

// created with: password_hash("dummy_password", PASSWORD_DEFAULT);
define("DUMMY_PASSWORD", '$2y$10$bev5nl962WWcwa1G2gyXyunkKY77Xf7OTr.1I3zcl7Qd4zFYCqXjC');

$usuario = $_POST['usuario'];

$pdo = new \PDO(/* connection details */);
$statement = $pdo->prepare('SELECT * FROM user WHERE login = ?');
$statement->execute([$usuario]);
$row = $statement->fetch(PDO::FETCH_ASSOC);

if (!$row)
{
    // User does not exist.
    // Verification is still run against a dummy password so that the response
    // time for a non-existent user and for an existing user with a wrong
    // password is the same.
    password_verify("", DUMMY_PASSWORD);

    throw new \RuntimeException('Usuário/Senha não confere'); // user does not exist, but the message is generic to hinder brute force
}

if (!password_verify($_POST['senha'], $row['password']))
{
    // user exists, but the message is generic to hinder brute force
    throw new \RuntimeException('Usuário/Senha não confere');
}

echo 'usuário logado';

The PDO library was used to simplify the connection to the database and to protect against SQL injection.

Bear in mind that this is just an example algorithm, with a secure and effective way of doing login/authentication. The details of session creation and redirection should be implemented as needed.
07.06.2018 / 20:11
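Pulling the points from the two answers into one stand-alone script, as an added example that is neither the asker's nor either answerer's code: parameterised lookup, password_verify against the stored hash, a dummy verify for unknown logins so both failure paths cost about the same, and one generic error message. It goes a little beyond the answers by rehashing on login and regenerating the session id. Assumed: a table usuario with columns login and senha_hash, constructed here in an in-memory SQLite database; the dummy hash is the one from the answer above, and the demo credentials are filled in when no POST data is present.

```php
<?php
// Hash from the answer above, made with password_hash('dummy_password', PASSWORD_DEFAULT).
// It is only ever verified against for unknown logins; it is never a valid credential.
const DUMMY_HASH = '$2y$10$bev5nl962WWcwa1G2gyXyunkKY77Xf7OTr.1I3zcl7Qd4zFYCqXjC';

function registerUser(PDO $pdo, string $login, string $senha): void
{
    // Store only the hash; PASSWORD_DEFAULT is bcrypt today and may change in later PHP versions.
    $stmt = $pdo->prepare('INSERT INTO usuario (login, senha_hash) VALUES (?, ?)');
    $stmt->execute([$login, password_hash($senha, PASSWORD_DEFAULT)]);
}

function authenticate(PDO $pdo, string $login, string $senha): bool
{
    $stmt = $pdo->prepare('SELECT id, senha_hash FROM usuario WHERE login = ? LIMIT 1');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown login: still run one verify so this path costs about as much
        // as a wrong password for a known login.
        password_verify($senha, DUMMY_HASH);
        return false;
    }
    if (!password_verify($senha, $row['senha_hash'])) {
        return false;
    }
    // Upgrade the stored hash if the default cost or algorithm has moved on.
    if (password_needs_rehash($row['senha_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE usuario SET senha_hash = ? WHERE id = ?');
        $upd->execute([password_hash($senha, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Constructed in-memory database so the script runs stand-alone (php -f login.php).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE usuario (id INTEGER PRIMARY KEY, login TEXT UNIQUE, senha_hash TEXT)');
registerUser($pdo, 'ana', 'teste123');

session_start();
$login = $_POST['login'] ?? 'ana';       // demo values when run from the command line
$senha = $_POST['senha'] ?? 'teste123';
if (authenticate($pdo, $login, $senha)) {
    session_regenerate_id(true);         // fresh session id once the user is authenticated
    $_SESSION['loginok'] = true;
    $_SESSION['login'] = $login;         // never put the password itself in the session
    echo "login efetuado\n";             // a real handler would header('Location: paineladm.php') and exit
} else {
    echo "Login ou senha invalidos\n";   // one message for unknown user and wrong password alike
}
```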