So I have been using this login and register script for about 3 projects and it worked great. But for the current project its creating certain problems. The generated password doesnt match with the one in the DB and hence couldnt login.
The register page is given below
<?phpinclude_once 'includes/register.inc.php';include_once 'includes/functions.php';?><html> <head> <meta charset="UTF-8"> <title>Secure Login: Registration Form</title> <script type="text/JavaScript" src="js/sha512.js"></script> <script type="text/JavaScript" src="js/forms.js"></script> <link rel="stylesheet" href="styles/main.css" /> </head> <body> <?php if (!empty($error_msg)) { echo $error_msg; } ?> <form action="<?php echo esc_url($_SERVER['PHP_SELF']); ?>" method="post" name="registration_form"> Username: <input type='text' name='username' id='username' /><br> Email: <input type="text" name="email" id="email" /><br> Password: <input type="password" name="password" id="password"/><br> Confirm password: <input type="password" name="confirmpwd" id="confirmpwd" /><br> <input type="button" value="Register" onclick="return regformhash(this.form, this.form.username, this.form.email, this.form.password, this.form.confirmpwd);" /> </form> <p>Return to the <a href="index.php">login page</a>.</p> </body></html>register.inc.php Page given below
<?phpinclude_once 'db_connect.php';include_once 'psl-config.php';$error_msg = "";if (isset($_POST['username'], $_POST['email'], $_POST['p'])) { // Sanitize and validate the data passed in $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING); $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL); $email = filter_var($email, FILTER_VALIDATE_EMAIL); if (!filter_var($email, FILTER_VALIDATE_EMAIL)) { // Not a valid email $error_msg .= '<p class="error">The email address you entered is not valid</p>'; } $password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING); if (strlen($password) != 128) { // The hashed pwd should be 128 characters long. // If it's not, something really odd has happened $error_msg .= '<p class="error">Invalid password configuration.</p>'; } // Username validity and password validity have been checked client side. // This should should be adequate as nobody gains any advantage from // breaking these rules. // $prep_stmt = "SELECT license_num FROM doctor_details WHERE email = ? LIMIT 1"; $stmt = $mysqli->prepare($prep_stmt); // check existing email if ($stmt) { $stmt->bind_param('s', $email); $stmt->execute(); $stmt->store_result(); if ($stmt->num_rows == 1) { // A user with this email address already exists $error_msg .= '<p class="error">A user with this email address already exists.</p>'; $stmt->close(); } $stmt->close(); } else { $error_msg .= '<p class="error">Database error Line 39</p>'; $stmt->close(); } // check existing username $prep_stmt = "SELECT license_num FROM doctor_details WHERE username = ? LIMIT 1"; $stmt = $mysqli->prepare($prep_stmt); if ($stmt) { $stmt->bind_param('s', $username); $stmt->execute(); $stmt->store_result(); if ($stmt->num_rows == 1) { // A user with this username already exists $error_msg .= '<p class="error">A user with this username already exists</p>'; $stmt->close(); } $stmt->close(); } else { $error_msg .= '<p class="error">Database error line 55</p>'; $stmt->close(); } // TODO: // We'll also have to account for the situation where the user doesn't have // rights to do registration, by checking what type of user is attempting to // perform the operation. if (empty($error_msg)) { // Create a random salt //$random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE)); // Did not work $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); // Create salted password $password = hash('sha512', $password . $random_salt); // Insert the new user into the database if ($insert_stmt = $mysqli->prepare("INSERT INTO doctor_details (username, email, password, salt) VALUES (?, ?, ?, ?)")) { $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt); // Execute the prepared query. if (! $insert_stmt->execute()) { header('Location: ../error.php?err=Registration failure: INSERT'); } } header('Location: ./register_success.php'); }}?>The registering work fine.. and the data gets entered onto DB. for illustration i have created a test record with email = test@testing.compassword = Pass123
Password and Salt as entered in DBPassword : 1ca2a523757d457a4df261c647dc45349ca8c721f76fa2b54e
Salt :ae2788757a98b0750d0aaecb9735cc27d92d29413cab1c89fb741cf735fd551322f94993b7cb79cd4ade2dea221142dcac7aa380b776db7fa05bf6c6b5d32056
The hashed password when i try to login is
d01feaafb5359e1fa2c020a76ebb526fc75786b0b837e0c9a4dcabd58ad734efa469513cf66a272d5ef4b1b9646b4b39f50807afc8f8663e1c6bb23552b04cd6Login Page
if (isset($_POST['email'], $_POST['p'])) { $email = $_POST['email']; $password = $_POST['p']; // The hashed password. if (login($email, $password, $mysqli) == true) { // Login success header('Location: ../protected_page.php'); } else { // Login failed header('Location: ../login.php?error=1'); }}Login Function given below
function login($email, $password, $mysqli) { // Using prepared statements means that SQL injection is not possible. if ($stmt = $mysqli->prepare("SELECT license_num, username, password, salt FROM doctor_details WHERE email = ? LIMIT 1")) { $stmt->bind_param('s', $email); // Bind "$email" to parameter. $stmt->execute(); // Execute the prepared query. $stmt->store_result(); // get variables from result. $stmt->bind_result($user_id, $username, $db_password, $salt); $stmt->fetch(); // hash the password with the unique salt. $password = hash('sha512', $password . $salt); if ($stmt->num_rows == 1) { // If the user exists we check if the account is locked // from too many login attempts if (checkbrute($user_id, $mysqli) == true) { // Account is locked // Send an email to user saying their account is locked return false; } else { // Check if the password in the database matches // the password the user submitted. if ($db_password == $password) { // Password is correct! // Get the user-agent string of the user. $user_browser = $_SERVER['HTTP_USER_AGENT']; // XSS protection as we might print this value $user_id = preg_replace("/[^0-9]+/", "", $user_id); $_SESSION['user_id'] = $user_id; // XSS protection as we might print this value $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); $_SESSION['username'] = $username; $_SESSION['login_string'] = hash('sha512', $password . $user_browser); // Login successful. return true; } else { // Password is not correct // We record this attempt in the database $now = time(); $mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')"); return false; } } } else { // No user exists. return false; } }}The DB structure is
license_num ( Primary)emailpasswordusernamesalt
Is it because license_num is not Auto Increment?
Thanks if you could help out
I'm trying to mimic the creation of password strings as they appear in /etc/shadow.
This is what I've got so far, but the encrypted passwords don't match, when I use the same password and the same salt.
5000 rounds is standard for crypt, so I used that as well, but I don't see where exacly I made a mistake:
I'm doing this in Perl, this is the relevant porion:
($pass, $salt) = @ARGV;unless(defined($salt)) { $salt = MIME::Base64::encode(random_bytes(12), '');}for $i (1 .. 4999) { $pass = Digest::SHA::sha512($salt, $pass);}say "";print '$6$', $salt, '$', Digest::SHA::sha512_base64($salt, $pass), "\$\n";I'm trying to make a python function and a nodejs function compute the same hash. However, it seems like the binary that is outputted is different between nodejs crypto and python hashlib.
The python I'm using is:
hash = hashlib.sha512()hash.update(salt)hash.update(password.encode('utf8'))hash.digest()The node/coffeescript is:
crypto.createHash('sha512').update(salt, 'binary').update(password, 'utf8').digest()These lines should produce the same result, but for some reason they don't. Help?
So I'm developing a website using php, mysql and javascript, and also 'sha512' to encrypt passwords of members using the code :
$password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);$random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));$password = hash('sha512', $password . $random_salt);the p value is comming from :
function formhash(form) { var password = randomString(); var p = document.createElement("input"); form.appendChild(p); p.name = "p"; p.type = "hidden"; p.value = hex_sha512(password.value); password.value = ""; form.submit();} function randomString() { var text = ""; var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; for( var i=0; i < 9; i++ ) text += possible.charAt(Math.floor(Math.random() * possible.length)); return text;}My idea here is to reset user password by entering their email and generate random 8 characters then send it directly to their email.The problem I'm facing now is how to get the actual password (not encrypted) that has been generated so it can be automatically sent to the email of the member who requested to reset their password?
This question already has an answer here:
$pass="test"the above variable contains a password called test.I want to hash this password using sha512 md5 and salt how do i do that as ive found only benifits of salt and sha512,i allready know md5 encryption.please i need the solution as my system is vunerable
and please explain it with a code example because im still attached to md5
from what ive understood by your comments and answers ive got the following code
$pass="test";$hashed_pass= openssl_digest($pass, 'sha512');ok seems solid enough but what is [salt='']?does it generate a random salt string or something if so the how to implement it?
Please note that by viewing our site you agree to our use of cookies (see Privacy for details). You will only see this message once.