PDO login script returning false

Question

I've created a login script where I am simply trying to match the username and password that is passed through my login form, create a session and pass through session variables and redirect the user to a different page.

I'm using an OOP PDO approached style as this is the way forward and it is a lot simpler to code.

When registering a user I encrypt the password using the PHP crypt method. However when I try to login my statement is returned as false and to be fair I don't know what I am doing wrong, perhaps I'm decrypting the password incorrectly, I'm not sure.

When I say false I mean my if statement echo's

Invaild username or password. Try again

Any help or ideas greatly welcomed and appreciated, thank you in advance.

index.php

<form id="loginForm" method="POST" action="classes/class.Login.php">
<input type="text" id="username" name="username" placeholder="Username"/>
<input type="password" id="password" name="password" placeholder="Password" class="showpassword"/> 
<input type="submit" name="submit" value="Log in"/>

classes/class.Login.php

public function loginuser() {

 $username = $_POST['username'];
 $password = $_POST['password'];

 $stmt = $this->pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password LIMIT 1");
 $stmt->bindValue(":username", $username);
 $stmt->bindValue(":password", crypt($password));
 $stmt->execute();
 if ($stmt->fetch())
 {
    $_SESSION['authorized'] = true;
    $_SESSION['username'] = $username;
    header("Location: testloginrequired.php");
  }
  else
  {
    echo "Invaild username or password. Try again";
   }
}// end loginuser

Answer 1

As @Nambi suggested if you are going to use crypt() you will need to use the optional parameter Salt, otherwise it will return different results, that's why it's never matching.

echo crypt('foo');
echo crypt('foo');
echo crypt('foo');

returns:

$1$rnmZxKr0$V7lk8JZ0tV1Utb78hH0g.0
$1$v84YR6KA$Xl5QvouObIZqWvxEIQwO/.
$1$expSZHgb$HAZ9ydKmjQcmwLeLDxjO41

---

echo crypt('foo', 'bar');
echo crypt('foo', 'bar');
echo crypt('foo', 'bar');

returns:

ba4TuD1iozTxw
ba4TuD1iozTxw
ba4TuD1iozTxw

---

Obviously it would be good to obscure the salt instead of having a plain one or let it autogenerate if you want more control.

When registering the user you have to store the generated salt.
When checking the login, you get the salt, and use it with the user input password to crypt() it, and check if the crypted password with that salt matches the one in the database.

Notes: For security, it's obvious but just in case: generate a differente salt for each password, if you use the same salt, if one password is hacked then the hacker will know the salt for all the other passwords, making his life easier.

---

And as @Nabil suggested you better research a bit what encryption you will use, because later on will be pain in the a** to change it.

Personally I like blowfish

Avoid MD5 and SHA1, they were considered safe once, but it is not anymore as the technology evolved, even on the respective pages on the php documentation users warn newer users not to use them.

Answer 2

That is because crypt('something') returns different value each and every time.

make use of ripemd

<?php
echo hash('ripemd160', 'password');
?>

Answer 3

Try sha1() instead of crypt() if u r storing in mysql database