Question

I've recently started to learn PHP and was trying to create a secure login following this guide: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL.

Everything seems to work fine for me apart from the login(), which I tweaked a bit. I put some echoes in to try to pinpoint the error; it returns an error on the password compare IF:

The function returns: Login function error 1

The login function, located in includes/functions.php:

    // Hash the submitted password together with the salt stored for this user
    $password = hash('sha512', $password . $salt);

    // Compare against the hash stored in the database
    if ($db_password == $password) {
        echo "Password is correct!";
    }

The sha512.js is from pajhome.org.uk/crypt/md5/sha512.html, and the form is from the above-mentioned WikiHow guide.

The connection isn't a problem, as I use the same connection to insert into MySQL and it works.

Thanks for the attention given to my problem, and if I didn't disclose enough info, please advise.

EDIT: deleted a lot of code, as @SeanWM commented I shouldn't expect anyone to go through all the code.

@Robert Rozas Thank you for the help. The passwords are indeed mismatching. The output is:

Login function error 1 c2d872cb4c6a1b3c22ce35fb9dc0dfca14aa6d48 vs c2d872cb4c6a1b3c22ce35fb9dc0dfca14aa6d48cc2e8c3dcf02c87a3dfb7e3fec2a098b932c11655960e43bb89af058220ff8d75c666fe57ef7206b74d5f9af

Please have a look at how the password is constructed:

It goes from the register form to the .js:

    // Add the new hidden element (p, created earlier in the script) to our form.
    form.appendChild(p);
    p.name = "p";
    p.type = "hidden";
    // Client-side SHA-512 of the typed password; this is what PHP receives as 'p'
    p.value = hex_sha512(password.value);

and then through PHP:

    // 'p' already holds the client-side SHA-512 hex digest, not the plain password
    $password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);

    // Create a random salt
    $random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), TRUE));

    // Create salted password (a second SHA-512 on top of the client-side one)
    $password = hash('sha512', $password . $random_salt);

and then inserted into MySQL. If you could please point me again in the correct direction, I would appreciate it.

EDIT 2: Thanks to the input from @Second Rikudo, it worked after removing the double hashing.

But in light of the comments from Second Rikudo ("sha512 is not secure") and @tadman ("That tutorial is worryingly incomplete and uses hazardously bad practices"), I've decided to revise the code using https://github.com/ircmaxell/password_compat as advised by Second Rikudo.


Solution

Please correct me if I am mistaken, but you are hashing the password twice upon registering (once with JavaScript, and once with PHP), but when you login, you only hash once (with PHP).

As a side note, sha512 is not secure. Upgrade yourself to PHP 5.5 to make use of password_hash() and other password functions.

If you cannot upgrade, see ircmaxell's library for forward compatibility with those functions (he is practically the one who added password_*() into PHP, so his library is good).
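An added example (not code from the question, this answer, or the WikiHow tutorial) that reproduces the register/login mismatch described above and then shows the password_hash()/password_verify() replacement. It assumes PHP 5.6+ for hash_equals(); password_hash() is native from PHP 5.5, and on 5.3.7 to 5.4 it comes from ircmaxell's password_compat via require 'password.php'.

```php
<?php
// Simulates what the form's JavaScript does before submitting: hex_sha512(password).
function client_prehash($password) {
    return hash('sha512', $password);
}

// Server-side step from the tutorial: SHA-512 over submitted value + per-user salt.
function salted_sha512($submitted, $salt) {
    return hash('sha512', $submitted . $salt);
}

$plain = 'correct horse battery staple';                       // constructed sample password
$salt  = hash('sha512', openssl_random_pseudo_bytes(16));      // random per-user salt

// Registration as in the question: the client hash is hashed AGAIN with the salt.
$stored = salted_sha512(client_prehash($plain), $salt);

// Login as first written: the raw password is hashed only once -> never matches.
$login_once = salted_sha512($plain, $salt);
var_dump(hash_equals($stored, $login_once));                   // bool(false)

// Login that applies the same two steps as registration -> matches.
$login_consistent = salted_sha512(client_prehash($plain), $salt);
var_dump(hash_equals($stored, $login_consistent));             // bool(true)

// Recommended replacement: password_hash() picks a slow algorithm (bcrypt by
// default), generates and embeds its own salt, and password_verify() does a
// constant-time comparison. No hex_sha512() on the client, no manual salt column.
function register_modern($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

function login_modern($password, $stored_hash) {
    return password_verify($password, $stored_hash);
}

$modern = register_modern($plain);                             // e.g. "$2y$10$..."
var_dump(login_modern($plain, $modern));                       // bool(true)
var_dump(login_modern('wrong password', $modern));             // bool(false)
```

The plain password must reach the server over TLS for password_hash() to protect it; hashing in the browser, as the tutorial does, only makes the hash itself the password.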

Licensed under: CC-BY-SA with attribution