Page 1 of 1

Help with secure login and registration

Posted: Tue Mar 13, 2012 9:30 am
by bytephp
Hi,

I'm trying to get a secure login area to work using the tutorial on http://net.tutsplus.com/tutorials/php/u ... nt-page-2/

I've got the registration page working, but can't seem to get the login page (login.php) to work. Any ideas how to fix? I get an error of Uninitialized string offset: 0 on line 45 of login.php which is the following bit of code if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {


db-connection.php

Code: Select all

<?php

// setting variable for db connection
$host = "localhost";
$username = "root";
$password = "myPass";
$database = "myDatabase";

// connect to database
$conn = mysqli_connect("$host", "$username", "$password", "$database");
if (!$conn) {
    die("Could not connect: " . mysqli_error());
}

?>
login.php

Code: Select all

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Login</title>
    </head>
    <body>
        <form name="login" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
            <fieldset>
                <legend>Login form</legend>
                <label for="user">Username:</label>
                <input type="text" name="user" id="user" />
                <label for="password">Password:</label>
                <input type="password" name="password" id="user" />
                <input type="submit" value="Login" />
            </fieldset>
        </form>
    </body>
</html>

<?php
require_once 'db-connection.php';
require ('PassHash.php');

// sanatise data function
function cleanInput($data, $conn) {
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    } else {
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    }
    return $data;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

// sanatise data
    $user = cleanInput($_POST['user'], $conn);
    $password = cleanInput($_POST['password'], $conn);
    $pass_hash = PassHash::hash($_POST['password'], $conn);
    
    if (PassHash::check_password($user['pass_hash'], $_POST['password'])) { 
        $sql = "SELECT * FROM users WHERE user = '$user' and password = '$pass_hash'";
        $result = mysqli_query($conn, $sql);

        // check for user and password if match found
        $count = mysqli_num_rows($result);
        if ($count == 1) {
            $_SESSION['user'] = $user;
            $_SESSION['password'] = $pass_hash;
            header('Location: securepage.php');
        } else {
            echo "<p style='color: red;'>Incorrect user or password</p>";
        }
    }
} // <--- closes if server method POST
?>
PassHash.php

Code: Select all

<?php

class PassHash {  
  
    // blowfish  
    private static $algo = '$2a';  
  
    // cost parameter  
    private static $cost = '$10';  
  
    // mainly for internal use  
    public static function unique_salt() {  
        return substr(sha1(mt_rand()),0,22);  
    }  
  
    // this will be used to generate a hash  
    public static function hash($password) {  
  
        return crypt($password,  
                    self::$algo .  
                    self::$cost .  
                    '$' . self::unique_salt());  
  
    }  
  
    // this will be used to compare a password against a hash  
    public static function check_password($hash, $password) {  
  
        $full_salt = substr($hash, 0, 29);  
  
        $new_hash = crypt($password, $full_salt);  
  
        return ($hash == $new_hash);  
  
    }  
  
} 
?>


Re: Help with secure login and registration

Posted: Tue Mar 13, 2012 9:53 am
by Celauran
You've defined $user as a string here

Code: Select all

$user = cleanInput($_POST['user'], $conn);
but then you're trying to use it as though it were an array here

Code: Select all

if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {

Re: Help with secure login and registration

Posted: Tue Mar 13, 2012 10:01 am
by bytephp
Celauran wrote:You've defined $user as a string here

Code: Select all

$user = cleanInput($_POST['user'], $conn);
but then you're trying to use it as though it were an array here

Code: Select all

if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {
Hi Celauran,

Ah I see, thanks. So how would I fix this as I'll need to run username and password through the CleanInput function to stop MySQL injections? I'm quite new to PHP so apologies if its an easy fix.

Thanks for the help.

Re: Help with secure login and registration

Posted: Tue Mar 13, 2012 10:04 am
by Celauran
The biggest question at this point is what $user['pass_hash'] is supposed to be and where it's supposed to come from. Currently it simply isn't defined anywhere.

On closer inspection, there seems to be something missing from the class. There's a function to randomly generate a salt, which is fine, but that salt is never returned to you, so you're going to have a hard time checking passwords.