PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Tue Mar 13, 2012 9:30 am 
Forum Newbie

Joined: Tue Feb 28, 2012 2:36 pm
Posts: 13
Hi,

I'm trying to get a secure login area to work using the tutorial on http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/comment-page-2/

I've got the registration page working, but can't seem to get the login page (login.php) to work. Any ideas how to fix? I get an error of "Uninitialized string offset: 0" on line 45 of login.php, which is the following bit of code: if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {


db-connection.php
<?php

// setting variable for db connection
$host = "localhost";
$username = "root";
$password = "myPass";
$database = "myDatabase";

// connect to database
$conn = mysqli_connect("$host", "$username", "$password", "$database");
if (!$conn) {
    // mysqli_error() needs a connection handle; for a failed connect use mysqli_connect_error()
    die("Could not connect: " . mysqli_connect_error());
}

?>
 


login.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Login</title>
    </head>
    <body>
        <form name="login" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
            <fieldset>
                <legend>Login form</legend>
                <label for="user">Username:</label>
                <input type="text" name="user" id="user" />
                <label for="password">Password:</label>
                <input type="password" name="password" id="password" />
                <input type="submit" value="Login" />
            </fieldset>
        </form>
    </body>
</html>

<?php
require_once 'db-connection.php';
require ('PassHash.php');

// sanitise data function
function cleanInput($data, $conn) {
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    } else {
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    }
    return $data;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    // sanitise data
    $user = cleanInput($_POST['user'], $conn);
    $password = cleanInput($_POST['password'], $conn);
    $pass_hash = PassHash::hash($_POST['password'], $conn);
   
    if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {
        $sql = "SELECT * FROM users WHERE user = '$user' and password = '$pass_hash'";
        $result = mysqli_query($conn, $sql);

        // check for user and password if match found
        $count = mysqli_num_rows($result);
        if ($count == 1) {
            $_SESSION['user'] = $user;
            $_SESSION['password'] = $pass_hash;
            header('Location: securepage.php');
        } else {
            echo "<p style='color: red;'>Incorrect user or password</p>";
        }
    }
} // <--- closes if server method POST
?>
 


PassHash.php
<?php

class PassHash {

    // blowfish
    private static $algo = '$2a';

    // cost parameter
    private static $cost = '$10';

    // mainly for internal use
    public static function unique_salt() {
        return substr(sha1(mt_rand()),0,22);
    }

    // this will be used to generate a hash
    // crypt() returns the salt as part of its output: the first 29 characters
    // of the result are "$2a$10$" plus the 22-character salt, so storing the
    // hash also stores the salt
    public static function hash($password) {

        return crypt($password,
                    self::$algo .
                    self::$cost .
                    '$' . self::unique_salt());

    }

    // this will be used to compare a password against a hash
    public static function check_password($hash, $password) {

        // take the salt back out of the stored hash and re-hash with it
        $full_salt = substr($hash, 0, 29);

        $new_hash = crypt($password, $full_salt);

        return ($hash == $new_hash);

    }

}
?>

 


PostPosted: Tue Mar 13, 2012 9:53 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
You've defined $user as a string here
$user = cleanInput($_POST['user'], $conn);

but then you're trying to use it as though it were an array here
if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {



PostPosted: Tue Mar 13, 2012 10:01 am 
Forum Newbie

Joined: Tue Feb 28, 2012 2:36 pm
Posts: 13
Celauran wrote:
You've defined $user as a string here
$user = cleanInput($_POST['user'], $conn);

but then you're trying to use it as though it were an array here
if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {


Hi Celauran,

Ah I see, thanks. So how would I fix this, as I'll need to run username and password through the cleanInput function to stop MySQL injections? I'm quite new to PHP so apologies if it's an easy fix.

Thanks for the help.


PostPosted: Tue Mar 13, 2012 10:04 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
The biggest question at this point is what $user['pass_hash'] is supposed to be and where it's supposed to come from. Currently it simply isn't defined anywhere.

On closer inspection, there seems to be something missing from the class. There's a function to randomly generate a salt, which is fine, but that salt is never returned to you, so you're going to have a hard time checking passwords.

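The following is an added example, not code from the thread or from the tutsplus tutorial it links to. It shows the login flow the moderator's replies point towards: the stored hash for the submitted username is fetched from the users table first (that row is what `$user['pass_hash']` was expected to be), and only then is the submitted password checked against it with `PassHash::check_password()`; the password itself never goes into a SQL string, and the lookup uses a prepared statement with a placeholder, which answers the injection question without any `cleanInput()` escaping. Assumptions: it runs against an in-memory SQLite database through PDO so it can be executed stand-alone (the thread uses mysqli, whose `mysqli_prepare()` / `bind_param()` do the same job), the column is named `username` rather than `user`, the user `alice` is constructed sample data, and `hash_equals()` requires PHP 5.6 or later.

```php
<?php
// Added example (not from the thread or the linked tutorial). Assumes PDO with
// the sqlite driver and PHP >= 5.6 (for hash_equals()).

class PassHash {
    private static $algo = '$2a';   // bcrypt
    private static $cost = '$10';   // cost parameter

    public static function unique_salt() {
        return substr(sha1(mt_rand()), 0, 22);
    }

    // crypt() output already CONTAINS the salt: the first 29 characters are
    // "$2a$10$" plus the 22 salt characters, so storing the hash stores the salt.
    public static function hash($password) {
        return crypt($password, self::$algo . self::$cost . '$' . self::unique_salt());
    }

    public static function check_password($hash, $password) {
        $full_salt = substr($hash, 0, 29);        // re-use the stored salt
        $new_hash  = crypt($password, $full_salt);
        // hash_equals() compares in constant time, unlike a plain ==
        return hash_equals($hash, $new_hash);
    }
}

// Constructed schema for the example; a real application uses its existing table.
function make_db() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT)');
    return $db;
}

// Registration stores the hash (with its embedded salt), never the password.
function register(PDO $db, $username, $password) {
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute(array($username, PassHash::hash($password)));
}

// Corrected login check: look the row up by username, then verify the password
// against the stored hash. Returns true only for a known user with the right password.
function login(PDO $db, $username, $password) {
    // A placeholder, not string interpolation: whatever the username contains is
    // sent as data, so no escaping function is needed.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);     // this is the array $user was expected to be

    // Unknown user: still do one bcrypt computation against a throwaway hash so
    // the response time does not reveal which usernames exist.
    $stored = ($row !== false) ? $row['pass_hash'] : PassHash::hash('dummy-password');
    $ok = PassHash::check_password($stored, $password);

    return ($row !== false) && $ok;
}

$db = make_db();
register($db, 'alice', 'correct horse');      // constructed sample user

var_dump(login($db, 'alice', 'correct horse'));   // right user, right password
var_dump(login($db, 'alice', 'wrong'));           // right user, wrong password
var_dump(login($db, "' OR '1'='1", 'anything'));  // quote characters are just data here

// On success a real login page would call session_start() and store only the
// username or user id in $_SESSION, never the password or its hash.
```

Run it with `php login-example.php`; the first call is the only one that should succeed. The point of the third call is that the username is bound as a parameter, so a quote in it cannot change the query's structure, which is what the `cleanInput()` / `mysqli_real_escape_string()` step in the original was trying to achieve by hand. With mysqli the same shape is `$stmt = mysqli_prepare($conn, 'SELECT pass_hash FROM users WHERE user = ?'); mysqli_stmt_bind_param($stmt, 's', $username);`.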

