[SOLVED] Cant Login in my Hashed password but there's one user that can login

Issue

Halo there,

I have a problem of logging in my registered user, I’ve hashed the passwords and when I log in my form refuse, So I don’t really know whats the problem because the user I registered Directly with sql command can actually login below is my login script…

<?php
    include 'db_connect.php';
    include 'functions.php';
    sec_session_start(); // Our custom secure way of starting a php session. 

    if(isset($_POST['email'], $_POST['p'])) { 
        $email = $_POST['email'];
        $password = $_POST['p']; // The hashed password.
        if(login($email, $password, $mysqli) == true) {
            // Login success
            echo 'Success: You have been logged in!';
            echo '<a href="javascript:window.close();">Close window</a>';
        } else {
            // Login failed
            header('Location: ./login.php?error=1');
        }
    } else { 
        // The correct POST variables were not sent to this page.
        echo 'Invalid Request';
    }
?> 

And Below is my login function on the Function.php file

function login($email, $password, $mysqli) {

    if ($stmt = $mysqli->prepare(
        "SELECT id, username, password, salt 
         FROM members 
         WHERE email = ? 
         LIMIT 1"
    )) { 
        $stmt->bind_param('s', $email); 
        $stmt->execute(); // Execute the prepared query.
        $stmt->store_result();
        $stmt->bind_result($user_id, $username, $db_password, $salt); 
        $stmt->fetch();
        $password = hash('sha512', $password.$salt); // hash the password with the unique salt.

        if($stmt->num_rows == 1) {
            if(checkbrute($user_id, $mysqli) == true) { 
                return false;
            } else {
                if($db_password == $password) {
                    $ip_address = $_SERVER['REMOTE_ADDR']; 
                    $user_browser = $_SERVER['HTTP_USER_AGENT']; 

                    $user_id = preg_replace("/[^0-9]+/", "", $user_id); // XSS protection as we might print this value
                    $_SESSION['user_id'] = $user_id; 
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username); 
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512',  $password.$ip_address.$user_browser);
                    // Login successful.
                    return true;    
                } else {

                    $now = time();
                    $mysqli->query(
                        "INSERT INTO login_attempts (user_id, time) 
                         VALUES ('$user_id', '$now')"
                    );
                    return false;
                }
            }
        } else {
            // No user exists. 
            return false;
        }
    }
}

below is how I Register the user to the DB

<?php
    include 'db_connect.php';
    include 'functions.php';

    $password = $_POST['p']; 
    $username = $_POST['username']; 
    $email = $_POST['email']; 

    $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));

    $password = hash('sha512', $password.$random_salt);


    if ($insert_stmt = $mysqli->prepare(
        "INSERT INTO members (username,email,password,salt) 
         VALUES (?, ?, ?, ?)"
    )) {    
        $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt); 
        // Execute the prepared query.
        $insert_stmt->execute();
        echo 'Member Succesfully added to the Website list';
    } else {
        echo 'Error couldnt add the user, Try again';
    }
?>

Solution

I am guessing you have either randomely changed the password somehow, when you sign up—sha512( $password) and login should be the same in order to match it when quering the data—The $Salt is a bit confusing to?

    Login
    $_POST['password'] = stripslashes($_POST['password']);
    $password = mysql_real_escape_string(sha512($_POST['password']));
    Signup
    $_POST['password'] = stripslashes($_POST['password']);
    $password = mysql_real_escape_string(sha512($_POST['password']));

Answered By – Robin Dale Deatherage

Answer Checked By – Jay B. (BugsFixing Admin)

Leave a Reply

Your email address will not be published.