HASH is not working correctly

1

Regardless of whether the password is correct or not, the message is always returned saying that the password is invalid.

make_login.php

<?
include "connection.php";
require "blowfish.php";

$login = $_POST['login_entrar'];
$senha = $_POST['senha_entrar'];

$sql = mysqli_query($coneccao, "SELECT * FROM usuarios");   


while($linha = mysqli_fetch_array($sql))
{
    $senha_db = $linha['senha'];
    $login_db = $linha['login'];
}

$cont = mysqli_num_rows($sql);

if($login_db != $login || $login == "")
{       
    echo "<meta http-equiv='refresh' content='0; url=index.php'>
    <script type='text/javascript'>alert('Este usuario não existe')</script>";      
}
else
{
    if(verifica_hash($senha, $senha_db))
    {
        echo "<meta http-equiv='refresh' content='0; url=index.php'>
        <script type='text/javascript'>alert('Senha incorreta')</script>";  
    }
    else
    {
        session_start();

        $_SESSION['login_usuario'] = $login;

        header("location: index.php");  
    }
}

mysqli_close($coneccao);
?>

make_cadastro.php

<?
include("connection.php");
require("blowfish.php");

$login = $_POST['login_cadastro'];
$senha = $_POST['senha_cadastro'];
$confirmarsenha = $_POST['confirmarsenha_cadastro'];
$email = $_POST['email_cadastro'];

if($senha != $confirmarsenha)
{   
    echo "<meta http-equiv='refresh' content='0; url=index.php'>
          <script type='text/javascript'>alert('As senhas estão diferentes')</script>";
}
else
{
    $sqlpegar = mysqli_query($coneccao, "SELECT * FROM usuarios");

    while($linha = mysqli_fetch_array($sqlpegar))
    {   
        $login_db = $linha['login'];
        $email_db = $linha['email'];
    }

    if($login_db == $login)
    {
        echo "  <meta http-equiv='refresh' content='0'>
                <script type='text/javascript'>alert('Esse usuario já existe')</script>";
    }
    if($email_db == $email)
    {
        echo "  <meta http-equiv='refresh' content='0'>
                <script type='text/javascript'>alert('Esse email já esta sendo usado')</script>";
    }
    else
    {
        $senha = hash_password($senha);
        $mysqli = new mysqli('localhost', 'root', '', '');
        $stmt = $mysqli->prepare("INSERT INTO usuarios(login, senha, email) VALUES (?, ?, ?)");
        $stmt->bind_param('sss', $login, $senha, $email);
        $stmt->execute();


        header("location: index.php");  
    }
}

mysqli_close($coneccao);
?>

blowfish.php

<?
function hash_password($password){
    $formato = "$2y$10$";
    $salt = salt(22);
    $formato_salt = $formato.$salt;
    $password_hash = crypt($password, $formato_salt);
    return $password_hash;
}
function salt($tamanho){
    $random = md5(uniqid(mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), true));
    $base = base64_encode($random);
    $base64 = str_replace('+', '.', $base);
    $salt = substr($base64, 0, $tamanho);
    return $salt;
}
function verifica_hash($password, $hash_existente){
    $hash = crypt($password, $hash_existente);
    if($hash === $hash_existente){
        return true;
    } else {
        return false;
    }
}
?>

What's wrong?

    
asked by anonymous 12.05.2015 / 20:06

1 answer

1

It's a logic problem. The error is in how the password is evaluated in the verifica_hash function:

if(verifica_hash($senha, $senha_db)){
    echo "<meta http-equiv='refresh' content='0; url=index.php'>
    <script type='text/javascript'>alert('Senha incorreta')</script>";  
}
else{
    session_start();

    $_SESSION['login_usuario'] = $login;
    header("location: index.php");  
}

If the values match, the return is true; if not, false. But in the above code, when the password is correct, the code that runs is the if() {..} block, and when it is wrong, the else {..} block runs.

So, for the code to work correctly, invert the code blocks of the condition:

if(verifica_hash($senha, $senha_db)){ // The function returns true, the password is correct
    session_start();
    $_SESSION['login_usuario'] = $login;

    header("location: index.php");         
}
else{   
    echo "<meta http-equiv='refresh' content='0; url=index.php'>
        <script type='text/javascript'>alert('Senha incorreta')</script>";  
}
    
12.05.2015 / 23:37
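
As an added example (not the asker's or the answerer's code): a login check that queries only the submitted user's row and treats a `true` result from `password_verify()` as success, matching the corrected branch order above. The in-memory SQLite table via PDO and the function names `cadastrar` and `autenticar` are assumptions made so the script runs offline; the page's own code uses MySQL through mysqli.

```php
<?php
// Added example. An in-memory SQLite table stands in for the page's MySQL
// `usuarios` table (assumption, so the script runs without a server).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE usuarios (login TEXT PRIMARY KEY, senha TEXT, email TEXT)');

// Registration: password_hash() generates the salt and the $2y$ bcrypt string,
// replacing the hand-rolled salt()/crypt() pair from blowfish.php.
function cadastrar(PDO $pdo, string $login, string $senha, string $email): void
{
    $hash = password_hash($senha, PASSWORD_BCRYPT, ['cost' => 10]);
    $stmt = $pdo->prepare('INSERT INTO usuarios (login, senha, email) VALUES (?, ?, ?)');
    $stmt->execute([$login, $hash, $email]);
}

// Login: fetch only the row for the submitted login, then verify.
// Returns true only when the user exists AND the password matches.
function autenticar(PDO $pdo, string $login, string $senha): bool
{
    $stmt = $pdo->prepare('SELECT senha FROM usuarios WHERE login = ?');
    $stmt->execute([$login]);
    $hash_db = $stmt->fetchColumn();   // false when there is no such user

    if ($hash_db === false) {
        return false;
    }
    // password_verify() also accepts hashes produced by crypt() with "$2y$10$",
    // and compares in constant time.
    return password_verify($senha, $hash_db);
}

// Constructed sample users.
cadastrar($pdo, 'ana', 'segredo-1', 'ana@example.com');
cadastrar($pdo, 'bruno', 'segredo-2', 'bruno@example.com');

var_dump(autenticar($pdo, 'ana', 'segredo-1'));   // first row, correct password
var_dump(autenticar($pdo, 'ana', 'errada'));      // correct user, wrong password
var_dump(autenticar($pdo, 'bruno', 'segredo-2')); // last row, correct password
var_dump(autenticar($pdo, 'carla', 'segredo-1')); // unknown user
```

In make_login.php, the branch taken when `autenticar()` returns `true` is where `session_start()` and the redirect belong.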