How to verify an encrypted password during login?

Navigation
1

When I try to log in:

  • If I use the wrong username and password, only the contents of header and footer appear.

  • If I use the correct username and password, login does not recognize the user: "Wrong username and password combination" . 

    <?php
$page = 'Login';
session_start();
include 'header.php';

if(isset($_SESSION['username'])){
header('location: control-painel.php'); 
}
else{

$user_error = '';
$pass_error = '';
$login_error = '';

if(isset($_POST['login'])){

$username = $mysqli -> $_POST['username'];
$password = $mysqli -> $_POST['password'];
$cost = '11';
$salt = 'Cf1f11ePArKlBJomM0F6aJ';
$password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$');
$id = 0; 

if(empty($username)){
    $user_error = 'Please insert a username';
}
if(empty($password)){
    $pass_error = 'Please insert a password';
}
if(!empty($username) && !empty($password)){

    $stmt = $mysqli -> prepare('SELECT id FROM user WHERE username = ? AND password = ?');
    $stmt -> bind_param("ss", $username, $password_hash);
    $stmt -> execute();
    $stmt -> bind_result($id);
    $stmt -> fetch();

    if($id){
        $login_error = 'Wrong username and password combination';
    }
}
}
if(empty($user_error)&& empty($pass_error)&& empty($login_error)&& isset($_POST['login'])){

$stmt = $mysqli -> prepare('SELECT id FROM user WHERE username = ? AND password = ?');
$stmt -> bind_param("ss", $username, $password_hash);
$stmt -> execute();
$stmt -> bind_result($id);
$stmt -> fetch();

if($id){        
    session_start();
    $_SESSION['username'] = $username;
    header('location: control-painel.php');
}
}
else{
?>

<div class="message">
<br><br>
<?php echo $user_error; ?><br><br>
<?php echo $pass_error; ?><br><br>
<?php echo $login_error; ?><br><br>
<br><br>
</div>
<div id="form" class="bradius">
<div class="content">
    <form method="post">
        <label>Username: </label>
        <input type="text" name="username" class="text bradius">
        <label>Password: </label>
        <input type="password" name="password" class="text bradius">
        <input type="submit" class="submitbutton bradius" name="login" value="Login">
    </form>
</div>


    <?php
   }
}
include "footer.php";
?>
asked by anonymous 25.05.2014 / 20:37

1 answer

2
  

IMPORTANT This answer was given to the situation that was asked in the question.

     

Do not use crypt and salt fixed to save passwords, and in PHP use the function password_hash and password_verify for passwords.



Original answer:

Re-hash the password that the user has typed, and see if it hits the DB: 

// Pego a senha do POST (adapte pro seu código)
$password = $_POST['password'];

// Aqui estamos fazendo o mesmo que você usou para encriptar. Mas dá pra melhorar isso.
$cost = '11';
$salt = 'Cf1f11ePArKlBJomM0F6aJ';
$password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$');

// Agora comparamos o HASH da senha digitada com o HASH da senha salva
// porém, deste jeito, você está vulnerável a SQL Injection.
$mysqli->query(
   "SELECT * FROM user WHERE username = '".$username."' AND password = '".$password_hash."'"
);

See how the above code is using bind_param , to avoid SQL Injection: 

// Pego a senha do POST (adapte pro seu código)
$password = $_POST['password'];

// Inicializamos o id do usuário com 0 para usar no fetch()
$idUsuario = 0;

// Aqui estamos fazendo o mesmo que você usou para encriptar. Mas dá pra melhorar isso.
$cost = '11';
$salt = 'Cf1f11ePArKlBJomM0F6aJ';
$password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$');

// Agora comparamos o HASH da senha digitada com o HASH da senha salva:
$query = 'SELECT id FROM user WHERE username = ? AND password = ?';
$stmt = $mysqli->prepare( $query );
$stmt->bind_param("ss", $username, $password_hash );
$stmt->execute();

// Aqui pegamos o resultado.
// se for mais de um campo, pode ser bind_result( $idusuario, $username, $email...
$stmt->bind_result( $idUsuario );
$stmt->fetch();

if ( $idUsuario ) {
   echo 'Logado';
} else {
   echo 'Usuario e/ou senha invalidos';
}

Updated answer with question edit:

Follow refactoring using the indicated principles: 

<?php
   $page = 'Login';
   session_start();
   include 'header.php';
   $user_error = '';
   $pass_error = '';

   if(isset($_SESSION['username'])){
      header('location: control-painel.php'); 
   } else {

      if( isset($_POST['login'])) {
         $username = $_POST['username'];
         $password = $_POST['password'];
         $cost = '11';
         $salt = 'Cf1f11ePArKlBJomM0F6aJ';
         $password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$');
         $id = 0; 

         if(empty($username)){
            $user_error = 'Please insert a username';
         }
         if(empty($password)){
            $pass_error = 'Please insert a password';
         }

         if( empty( $user_error ) && empty( $pass_error ) ) {
            $mysqli = new mysqli//ABRIR SUA CONEXAO AQUI CASO NAO ESTEJA NO HEADER
            $stmt = $mysqli->prepare( 'SELECT id FROM user WHERE username = ? AND password = ?' );
            $stmt->bind_param( 'ss', $username, $password_hash );
            $stmt->execute();
            $stmt->bind_result( $id );
            $stmt->fetch();

            if($id){
               $_SESSION['username'] = $username;
               header('location: control-painel.php');
               die();
            } else {
               $user_error = 'User or Password invalid';
            }
         }
      }
   }
?>

<div class="message">
   <br><br>
   <?php echo $user_error; ?><br><br>
   <?php echo $pass_error; ?><br><br>
   <br><br>
</div>
<div id="form" class="bradius">
   <div class="content">
      <form method="post">
         <label>Username: </label>
         <input type="text" name="username" class="text bradius">
         <label>Password: </label>
         <input type="password" name="password" class="text bradius">
         <input type="submit" class="submitbutton bradius" name="login" value="Login">
      </form>
   </div>
</div>

<?php
   include "footer.php";
?>
    
26.05.2014 / 03:04
Use of callback to work with asynchronous javascript How to do a select using Angularjs?