Login with Sha256

Asked

Viewed 154 times

1

Good afternoon to all,

I have a problem that has been puzzling me for a few days now, my boss and trainee advisor proposed me to make an added security on the site and for that I would have to use a password hash, after a lot of research I could not log in the accounts previously "encrypted" and I can’t find a way to find my problem .

Registration page

include("connect.php");

function generateSalt(){
  $characters = '0123456789abcdef';
  $length = 64; 

  $string = '';
  for ($max = mb_strlen($characters) - 1, $i = 0; $i < $length; ++ $i)
  {
    $string .= mb_substr($characters, mt_rand(0, $max), 1);
  }
  return $string;
}


$userAccountInput = $_POST['userName'];
$userPasswordInput = $_POST['pass'];
$salt = generateSalt();
$hash = hash_hmac("sha256", $userPasswordInput, $salt);

$sql = "INSERT INTO username VALUES (NULL,'$userAccountInput','$salt','$hash');"; 

$resultado = mysql_query ($sql);

Login page

function testPassword($fPassword, $fSaltFromDatabase, $fHashFromDatabase){
              if (hash_hmac("sha256", $fPassword, $fSaltFromDatabase) === $fHashFromDatabase){
                  return(true);
                  }else{
                  return(false);
  }
  }


function SignIn() 
{ 
//session_start(); 
if(!empty($_POST['userName']) || !empty($_POST['pass'])) 
{

                $query = mysql_query("SELECT * FROM username where userName = '".$_POST['userName']."'") or die(mysql_error()); 
                $row = mysql_fetch_array($query) or die(mysql_error()); 

                //$userAccountInput = $_POST['userName'];
                $userPasswordInput = $_POST['pass'];
                $saltFromDatabase = $row['salt'];
                $hashFromDatabase = $row['hash'];

                $var_dump($row);

                if(testPassword($userPasswordInput, $saltFromDatabase, $hashFromDatabase)){
                    echo "<script type='text/javascript'>alert('LOGIN COM SUCESSO!')</script>";
                    header('Location: ./clientes.php');
                }else{

                    echo "<script type='text/javascript'>alert('LOGIN FALHADO!')</script>";     
                }               



}

} 
        if(isset($_POST['submit'])) 
        { 
            SignIn(); 
        } 
?>

I’m getting extremely frustrated because I’m already about 5 days away from changing the code and I can’t find a solution to this problem, I hope you can help, any help is welcome and very grateful, thank you all.

  • The function mysql_query should receive only one SQL query like a string. You’re sending or die(mysql_error()) as a function parameter as well, and it probably shouldn’t be like this.

  • Yes you’re right, I’ve formatted the code for that, but still the error remains.

  • The $_POST[username] as string is normal in PHP? It should not be separated from string with a +? Something like "SELECT * FROM username WHERE userName = " + $_POST[username]

  • I at least in the rest of my code never entered the "+" and always worked, I was missing the '', now I no longer see error to login, but does not return the echo of "Success" or "Failed", the page simply goes blank

  • Where is the implementation code of query insertion?

  • Thank you already managed to register in the database using this execution code $resultado = mysql_query ($sql); , but the login still doesn’t work

  • You shouldn’t take $saltFromDatabase = $row['salt'];? I don’t understand why you’re taking $_REQUEST.

  • I used the $_REQUEST to fetch the database the value, I modified it to your option but the result remains the same.

  • Have you checked that the data has been entered in the database correctly? Its functions are working all right: https://ideone.com/ALapd7

  • substitute $_POST[userName] for $_POST['userName']... Missing are the aspas

  • Yes the registration already works correctly, when I create an account in the database $userName $salt and the $hash, but when I log in, the page is blank and does not return any of the echo’s I made

  • I replaced how you tucked me in, but you gave me back this mistake Parse error: syntax error, Unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C: xampp htdocs insysupgrades login.php on line 20

  • $_POST[\"username\"], must escape the quotation marks.

  • even that way, returns me the same error that I abhor

  • Can make a var_dump($row) and edit including in your question? PS: change the query to: "SELECT * FROM username where userName = '".$_POST['userName']."'"

  • I already changed the query to what you told me, and entered the var_dump($row); but I get nothing back ;

Show 11 more comments
No answers

Browser other questions tagged

You are not signed in. Login or sign up in order to post.