Help with secure login and registration

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
bytephp
Forum Newbie
Posts: 13
Joined: Tue Feb 28, 2012 1:36 pm

Help with secure login and registration

Post by bytephp »

Hi,

I'm trying to get a secure login area to work using the tutorial on http://net.tutsplus.com/tutorials/php/u ... nt-page-2/

I've got the registration page working, but can't seem to get the login page (login.php) to work. Any ideas how to fix? I get an error of Uninitialized string offset: 0 on line 45 of login.php which is the following bit of code if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {


db-connection.php

Code: Select all

<?php

// setting variable for db connection
$host = "localhost";
$username = "root";
$password = "myPass";
$database = "myDatabase";

// connect to database
$conn = mysqli_connect("$host", "$username", "$password", "$database");
if (!$conn) {
    die("Could not connect: " . mysqli_error());
}

?>
login.php

Code: Select all

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Login</title>
    </head>
    <body>
        <form name="login" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
            <fieldset>
                <legend>Login form</legend>
                <label for="user">Username:</label>
                <input type="text" name="user" id="user" />
                <label for="password">Password:</label>
                <input type="password" name="password" id="user" />
                <input type="submit" value="Login" />
            </fieldset>
        </form>
    </body>
</html>

<?php
require_once 'db-connection.php';
require ('PassHash.php');

// sanatise data function
function cleanInput($data, $conn) {
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    } else {
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    }
    return $data;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

// sanatise data
    $user = cleanInput($_POST['user'], $conn);
    $password = cleanInput($_POST['password'], $conn);
    $pass_hash = PassHash::hash($_POST['password'], $conn);
    
    if (PassHash::check_password($user['pass_hash'], $_POST['password'])) { 
        $sql = "SELECT * FROM users WHERE user = '$user' and password = '$pass_hash'";
        $result = mysqli_query($conn, $sql);

        // check for user and password if match found
        $count = mysqli_num_rows($result);
        if ($count == 1) {
            $_SESSION['user'] = $user;
            $_SESSION['password'] = $pass_hash;
            header('Location: securepage.php');
        } else {
            echo "<p style='color: red;'>Incorrect user or password</p>";
        }
    }
} // <--- closes if server method POST
?>
PassHash.php

Code: Select all

<?php

class PassHash {  
  
    // blowfish  
    private static $algo = '$2a';  
  
    // cost parameter  
    private static $cost = '$10';  
  
    // mainly for internal use  
    public static function unique_salt() {  
        return substr(sha1(mt_rand()),0,22);  
    }  
  
    // this will be used to generate a hash  
    public static function hash($password) {  
  
        return crypt($password,  
                    self::$algo .  
                    self::$cost .  
                    '$' . self::unique_salt());  
  
    }  
  
    // this will be used to compare a password against a hash  
    public static function check_password($hash, $password) {  
  
        $full_salt = substr($hash, 0, 29);  
  
        $new_hash = crypt($password, $full_salt);  
  
        return ($hash == $new_hash);  
  
    }  
  
} 
?>

User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Help with secure login and registration

Post by Celauran »

You've defined $user as a string here

Code: Select all

$user = cleanInput($_POST['user'], $conn);
but then you're trying to use it as though it were an array here

Code: Select all

if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {
bytephp
Forum Newbie
Posts: 13
Joined: Tue Feb 28, 2012 1:36 pm

Re: Help with secure login and registration

Post by bytephp »

Celauran wrote:You've defined $user as a string here

Code: Select all

$user = cleanInput($_POST['user'], $conn);
but then you're trying to use it as though it were an array here

Code: Select all

if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {
Hi Celauran,

Ah I see, thanks. So how would I fix this as I'll need to run username and password through the CleanInput function to stop MySQL injections? I'm quite new to PHP so apologies if its an easy fix.

Thanks for the help.
User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Help with secure login and registration

Post by Celauran »

The biggest question at this point is what $user['pass_hash'] is supposed to be and where it's supposed to come from. Currently it simply isn't defined anywhere.

On closer inspection, there seems to be something missing from the class. There's a function to randomly generate a salt, which is fine, but that salt is never returned to you, so you're going to have a hard time checking passwords.
Post Reply