Problems logging in using the crypt () function in PHP


I'm returning to the PHP world after a long winter. I took an example user registry that uses MD5 as the encryption standard and now I'm trying to login to a test user because I need to change the default to crypt (Blowfish).

The password recording is apparently working correctly. I even checked that it starts with "$1$", which is the default for Blowfish, but when I try to log in as this user, the password I am typing does not match the password that is in MySQL.

I have tried to adapt my code in all ways and I can not get it right.

Here is an excerpt from the function I use to validate the password (still in MD5):

public function login($email,$upass)
{
    try
    {
        $stmt = $this->conn->prepare("SELECT * FROM TBL_USERS WHERE EMAIL=:email_id");
        $stmt->execute(array(":email_id"=>$email));
        $userRow=$stmt->fetch(PDO::FETCH_ASSOC);

        if($stmt->rowCount() == 1)
        {
            if($userRow['USER_STATUS']=="Y")
            {
                if($userRow['PASSWORD']==$upass)
                {
                    $_SESSION['userSession'] = $userRow['USER_ID'];
                    return true;
                }
                else
                {
                    header("Location: index.php?error");
                    exit;
                }
            }
            else
            {
                header("Location: index.php?inactive");
                exit;
            }   
        }
        else
        {
            header("Location: index.php?error");
            exit;
        }       
    }
    catch(PDOException $ex)
    {
        echo $ex->getMessage();
    }
}

Can anyone help me? Do you need any more data? I know the best way is to try and create 99.999% of my site just by browsing and remembering ... That's all that's left!

Thank you all!

    
asked by anonymous 12.07.2017 / 01:34

1 answer


From what I noticed, you are not generating the hash of the password the user entered again during login.

Change the following line:

if($userRow['PASSWORD']==$upass)

To:

if($userRow['PASSWORD']==crypt($upass))

Remember that Blowfish works with a processing-cost parameter, so you need to apply the same cost that you applied when registering the user.

    
12.07.2017 / 03:05
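As an added example (not code from the question or the answer above), this shows how the login check can recompute the hash with the same cost and salt that were used at registration: crypt() reads both from the stored hash when that hash is passed as its second argument, and the comparison is done in constant time. The function and variable names are my own.

```php
<?php
// Added example: verifying a submitted password against a stored crypt() hash.
// Assumed names: hash_password_for_storage(), password_matches(), needs_upgrade().

// Registration: produce a bcrypt ("$2y$") hash with an explicit cost.
// password_hash() wraps crypt()'s Blowfish mode and generates a random salt.
function hash_password_for_storage(string $plain, int $cost = 12): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login: recompute the hash using the stored hash as crypt()'s salt argument.
// crypt() takes the scheme, cost and salt from the prefix of $storedHash
// ("$2y$<cost>$<salt>" for Blowfish, "$1$<salt>$" for MD5-crypt), so the
// cost is automatically the one used when the hash was created.
function password_matches(string $submitted, string $storedHash): bool
{
    $recomputed = crypt($submitted, $storedHash);
    // hash_equals() avoids leaking where the two strings first differ.
    return hash_equals($storedHash, $recomputed);
}

// After a successful login, report whether the stored hash still uses an
// older scheme or a lower cost than the current registration policy.
function needs_upgrade(string $storedHash, int $cost = 12): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Constructed demo values (not real accounts).
$stored = hash_password_for_storage('correct horse battery staple');

var_dump(password_matches('correct horse battery staple', $stored));
var_dump(password_matches('wrong password', $stored));

// password_verify() performs the same check through the built-in API.
var_dump(password_verify('correct horse battery staple', $stored));

// A legacy MD5-crypt hash (constructed here) is flagged for re-hashing.
$legacy = crypt('correct horse battery staple', '$1$abcdefgh$');
var_dump(needs_upgrade($legacy));

// In the login() method from the question, the comparison would become:
//     if (password_matches($upass, $userRow['PASSWORD']))
```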