Good afternoon everyone,
I have a problem that has intrigued me for a few days now, my boss and stage supervisor proposed me to do an increased security in the site and for this I would have to use a Hash of words passes, after much research I was unable to log into previously "encrypted" accounts and can not find a way to find my problem.
Log page
include("connect.php");
function generateSalt(){
$characters = '0123456789abcdef';
$length = 64;
$string = '';
for ($max = mb_strlen($characters) - 1, $i = 0; $i < $length; ++ $i)
{
$string .= mb_substr($characters, mt_rand(0, $max), 1);
}
return $string;
}
$userAccountInput = $_POST['userName'];
$userPasswordInput = $_POST['pass'];
$salt = generateSalt();
$hash = hash_hmac("sha256", $userPasswordInput, $salt);
$sql = "INSERT INTO username VALUES (NULL,'$userAccountInput','$salt','$hash');";
$resultado = mysql_query ($sql);
Login Page
function testPassword($fPassword, $fSaltFromDatabase, $fHashFromDatabase){
if (hash_hmac("sha256", $fPassword, $fSaltFromDatabase) === $fHashFromDatabase){
return(true);
}else{
return(false);
}
}
function SignIn()
{
//session_start();
if(!empty($_POST['userName']) || !empty($_POST['pass']))
{
$query = mysql_query("SELECT * FROM username where userName = '".$_POST['userName']."'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
//$userAccountInput = $_POST['userName'];
$userPasswordInput = $_POST['pass'];
$saltFromDatabase = $row['salt'];
$hashFromDatabase = $row['hash'];
$var_dump($row);
if(testPassword($userPasswordInput, $saltFromDatabase, $hashFromDatabase)){
echo "<script type='text/javascript'>alert('LOGIN COM SUCESSO!')</script>";
header('Location: ./clientes.php');
}else{
echo "<script type='text/javascript'>alert('LOGIN FALHADO!')</script>";
}
}
}
if(isset($_POST['submit']))
{
SignIn();
}
?>
I'm getting frustrated because I'm about 5 days to change the code and I can not find a solution to this problem, I hope you can help, any help is welcome and thank you very much, thank you very much.