PHP Developers Network
http://forums.devnetwork.net/

Help with secure login and registration
http://forums.devnetwork.net/viewtopic.php?f=34&t=134844
Page 1 of 1

Author:  bytephp [ Tue Mar 13, 2012 9:30 am ]
Post subject:  Help with secure login and registration

Hi,

I'm trying to get a secure login area to work using the tutorial on

I've got the registration page working, but can't seem to get the login page (login.php) to work. Any ideas how to fix? I get an error of Uninitialized string offset: 0 on line 45 of login.php which is the following bit of code if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {


db-connection.php
Syntax: [ Download ] [ Hide ]
<?php

// setting variable for db connection
$host = "localhost";
$username = "root";
$password = "myPass";
$database = "myDatabase";

// connect to database
$conn = mysqli_connect("$host", "$username", "$password", "$database");
if (!$conn) {
    die("Could not connect: " . mysqli_error());
}

?>
 


login.php
Syntax: [ Download ] [ Hide ]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Login</title>
    </head>
    <body>
        <form name="login" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
            <fieldset>
                <legend>Login form</legend>
                <label for="user">Username:</label>
                <input type="text" name="user" id="user" />
                <label for="password">Password:</label>
                <input type="password" name="password" id="user" />
                <input type="submit" value="Login" />
            </fieldset>
        </form>
    </body>
</html>

<?php
require_once 'db-connection.php';
require ('PassHash.php');

// sanatise data function
function cleanInput($data, $conn) {
    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    } else {
        $data = strip_tags($data);
        $data = mysqli_real_escape_string($conn, $data);
    }
    return $data;
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

// sanatise data
    $user = cleanInput($_POST['user'], $conn);
    $password = cleanInput($_POST['password'], $conn);
    $pass_hash = PassHash::hash($_POST['password'], $conn);
   
    if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {
        $sql = "SELECT * FROM users WHERE user = '$user' and password = '$pass_hash'";
        $result = mysqli_query($conn, $sql);

        // check for user and password if match found
        $count = mysqli_num_rows($result);
        if ($count == 1) {
            $_SESSION['user'] = $user;
            $_SESSION['password'] = $pass_hash;
            header('Location: securepage.php');
        } else {
            echo "<p style='color: red;'>Incorrect user or password</p>";
        }
    }
} // <--- closes if server method POST
?>
 


PassHash.php
Syntax: [ Download ] [ Hide ]
<?php

class PassHash {  
 
    // blowfish  
    private static $algo = '$2a';  
 
    // cost parameter  
    private static $cost = '$10';  
 
    // mainly for internal use  
    public static function unique_salt() {  
        return substr(sha1(mt_rand()),0,22);  
    }  
 
    // this will be used to generate a hash  
    public static function hash($password) {  
 
        return crypt($password,  
                    self::$algo .  
                    self::$cost .  
                    '$' . self::unique_salt());  
 
    }  
 
    // this will be used to compare a password against a hash  
    public static function check_password($hash, $password) {  
 
        $full_salt = substr($hash, 0, 29);  
 
        $new_hash = crypt($password, $full_salt);  
 
        return ($hash == $new_hash);  
 
    }  
 
}
?>

 

Author:  Celauran [ Tue Mar 13, 2012 9:53 am ]
Post subject:  Re: Help with secure login and registration

You've defined $user as a string here
Syntax: [ Download ] [ Hide ]
$user = cleanInput($_POST['user'], $conn);

but then you're trying to use it as though it were an array here
Syntax: [ Download ] [ Hide ]
if (PassHash::check_password($user['pass_hash'], $_POST['password'])) {

Author:  bytephp [ Tue Mar 13, 2012 10:01 am ]
Post subject:  Re: Help with secure login and registration


Author:  Celauran [ Tue Mar 13, 2012 10:04 am ]
Post subject:  Re: Help with secure login and registration

The biggest question at this point is what $user['pass_hash'] is supposed to be and where it's supposed to come from. Currently it simply isn't defined anywhere.

On closer inspection, there seems to be something missing from the class. There's a function to randomly generate a salt, which is fine, but that salt is never returned to you, so you're going to have a hard time checking passwords.

Page 1 of 1 All times are UTC - 5 hours
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/