I'm trying to get a secure login area to work using the tutorial on http://net.tutsplus.com/tutorials/php/u ... nt-page-2/
I've got the registration page working, but can't seem to get the login page (login.php) to work. Any ideas how to fix? I get an error of Uninitialized string offset: 0 on line 45 of login.php which is the following bit of code if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {
db-connection.php
Code: Select all
<?php
// setting variable for db connection
$host = "localhost";
$username = "root";
$password = "myPass";
$database = "myDatabase";
// connect to database
$conn = mysqli_connect("$host", "$username", "$password", "$database");
if (!$conn) {
die("Could not connect: " . mysqli_error());
}
?>
Code: Select all
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
</head>
<body>
<form name="login" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
<fieldset>
<legend>Login form</legend>
<label for="user">Username:</label>
<input type="text" name="user" id="user" />
<label for="password">Password:</label>
<input type="password" name="password" id="user" />
<input type="submit" value="Login" />
</fieldset>
</form>
</body>
</html>
<?php
require_once 'db-connection.php';
require ('PassHash.php');
// sanatise data function
function cleanInput($data, $conn) {
if (get_magic_quotes_gpc()) {
$data = stripslashes($data);
$data = strip_tags($data);
$data = mysqli_real_escape_string($conn, $data);
} else {
$data = strip_tags($data);
$data = mysqli_real_escape_string($conn, $data);
}
return $data;
}
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// sanatise data
$user = cleanInput($_POST['user'], $conn);
$password = cleanInput($_POST['password'], $conn);
$pass_hash = PassHash::hash($_POST['password'], $conn);
if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {
$sql = "SELECT * FROM users WHERE user = '$user' and password = '$pass_hash'";
$result = mysqli_query($conn, $sql);
// check for user and password if match found
$count = mysqli_num_rows($result);
if ($count == 1) {
$_SESSION['user'] = $user;
$_SESSION['password'] = $pass_hash;
header('Location: securepage.php');
} else {
echo "<p style='color: red;'>Incorrect user or password</p>";
}
}
} // <--- closes if server method POST
?>
Code: Select all
<?php
class PassHash {
// blowfish
private static $algo = '$2a';
// cost parameter
private static $cost = '$10';
// mainly for internal use
public static function unique_salt() {
return substr(sha1(mt_rand()),0,22);
}
// this will be used to generate a hash
public static function hash($password) {
return crypt($password,
self::$algo .
self::$cost .
'$' . self::unique_salt());
}
// this will be used to compare a password against a hash
public static function check_password($hash, $password) {
$full_salt = substr($hash, 0, 29);
$new_hash = crypt($password, $full_salt);
return ($hash == $new_hash);
}
}
?>