How to check an encrypted password during Login?
When I try to log in:
If I use the wrong username and password, only the contents of
header
andfooter
appear.-
If I use the correct username and password, the login does not recognize the user:
"Wrong username and password combination" .<?php $page = 'Login'; session_start(); include 'header.php'; if(isset($_SESSION['username'])){ header('location: control-painel.php'); } else{ $user_error = ''; $pass_error = ''; $login_error = ''; if(isset($_POST['login'])){ $username = $mysqli -> $_POST['username']; $password = $mysqli -> $_POST['password']; $cost = '11'; $salt = 'Cf1f11ePArKlBJomM0F6aJ'; $password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$'); $id = 0; if(empty($username)){ $user_error = 'Please insert a username'; } if(empty($password)){ $pass_error = 'Please insert a password'; } if(!empty($username) && !empty($password)){ $stmt = $mysqli -> prepare('SELECT id FROM user WHERE username = ? AND password = ?'); $stmt -> bind_param("ss", $username, $password_hash); $stmt -> execute(); $stmt -> bind_result($id); $stmt -> fetch(); if($id){ $login_error = 'Wrong username and password combination'; } } } if(empty($user_error)&& empty($pass_error)&& empty($login_error)&& isset($_POST['login'])){ $stmt = $mysqli -> prepare('SELECT id FROM user WHERE username = ? AND password = ?'); $stmt -> bind_param("ss", $username, $password_hash); $stmt -> execute(); $stmt -> bind_result($id); $stmt -> fetch(); if($id){ session_start(); $_SESSION['username'] = $username; header('location: control-painel.php'); } } else{ ?> <div class="message"> <br><br> <?php echo $user_error; ?><br><br> <?php echo $pass_error; ?><br><br> <?php echo $login_error; ?><br><br> <br><br> </div> <div id="form" class="bradius"> <div class="content"> <form method="post"> <label>Username: </label> <input type="text" name="username" class="text bradius"> <label>Password: </label> <input type="password" name="password" class="text bradius"> <input type="submit" class="submitbutton bradius" name="login" value="Login"> </form> </div>
<?php } } include "footer.php"; ?>
1
1 answers
Important this answer was given to the situation posed in the question.
Do not use
crypt
and Salt fixed to save passwords, and in PHP use the functionpassword_hash
andpassword_verify
for passwords.
original answer:
Hash again the password that the user entered, and see if it hits the DB:
// Pego a senha do POST (adapte pro seu código)
$password = $_POST['password'];
// Aqui estamos fazendo o mesmo que você usou para encriptar. Mas dá pra melhorar isso.
$cost = '11';
$salt = 'Cf1f11ePArKlBJomM0F6aJ';
$password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$');
// Agora comparamos o HASH da senha digitada com o HASH da senha salva
// porém, deste jeito, você está vulnerável a SQL Injection.
$mysqli->query(
"SELECT * FROM user WHERE username = '".$username."' AND password = '".$password_hash."'"
);
See how the above code looks using bind_param
, to avoid SQL Injection :
// Pego a senha do POST (adapte pro seu código)
$password = $_POST['password'];
// Inicializamos o id do usuário com 0 para usar no fetch()
$idUsuario = 0;
// Aqui estamos fazendo o mesmo que você usou para encriptar. Mas dá pra melhorar isso.
$cost = '11';
$salt = 'Cf1f11ePArKlBJomM0F6aJ';
$password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$');
// Agora comparamos o HASH da senha digitada com o HASH da senha salva:
$query = 'SELECT id FROM user WHERE username = ? AND password = ?';
$stmt = $mysqli->prepare( $query );
$stmt->bind_param("ss", $username, $password_hash );
$stmt->execute();
// Aqui pegamos o resultado.
// se for mais de um campo, pode ser bind_result( $idusuario, $username, $email...
$stmt->bind_result( $idUsuario );
$stmt->fetch();
if ( $idUsuario ) {
echo 'Logado';
} else {
echo 'Usuario e/ou senha invalidos';
}
Answer updated with question edit:
Follows refactoring using the principles indicated:
<?php
$page = 'Login';
session_start();
include 'header.php';
$user_error = '';
$pass_error = '';
if(isset($_SESSION['username'])){
header('location: control-painel.php');
} else {
if( isset($_POST['login'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$cost = '11';
$salt = 'Cf1f11ePArKlBJomM0F6aJ';
$password_hash = crypt($password, '$2a$' . $cost . '$' . $salt . '$');
$id = 0;
if(empty($username)){
$user_error = 'Please insert a username';
}
if(empty($password)){
$pass_error = 'Please insert a password';
}
if( empty( $user_error ) && empty( $pass_error ) ) {
$mysqli = new mysqli//ABRIR SUA CONEXAO AQUI CASO NAO ESTEJA NO HEADER
$stmt = $mysqli->prepare( 'SELECT id FROM user WHERE username = ? AND password = ?' );
$stmt->bind_param( 'ss', $username, $password_hash );
$stmt->execute();
$stmt->bind_result( $id );
$stmt->fetch();
if($id){
$_SESSION['username'] = $username;
header('location: control-painel.php');
die();
} else {
$user_error = 'User or Password invalid';
}
}
}
}
?>
<div class="message">
<br><br>
<?php echo $user_error; ?><br><br>
<?php echo $pass_error; ?><br><br>
<br><br>
</div>
<div id="form" class="bradius">
<div class="content">
<form method="post">
<label>Username: </label>
<input type="text" name="username" class="text bradius">
<label>Password: </label>
<input type="password" name="password" class="text bradius">
<input type="submit" class="submitbutton bradius" name="login" value="Login">
</form>
</div>
</div>
<?php
include "footer.php";
?>
2
Author: Bacco, 2020-06-11 14:45:34