带有哈希密码的代码php无法正常工作

Question

I want to create a web page where a user introduces a login and password and he will be redirected to another web page.

The login and password are given by the admin, the password should be hashed. I tried to use a code that I found on the internet ( I have done some changes) but it won't work for me (I think the reason is the hashed password) please tell me where is the fault.

The link for the code used: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

(for the moment I have inserted a row into the database contain login and password as mentioned in the example)

I tested my code with the password given in the example:

Login: login1 Password: 6ZaxN2Vzm9NUJT2y The code you need in order to be able to log in as this user is:

INSERT INTO enquete . Etablissement VALUES(1, 'test_user', login1, '00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc', 'f9aab579fc1b41ed0c44fe4ecdbfcdb4cb99b9023abb241a6db833288f4eea3c02f76e0d35204a8695077dcf81932aa59006423976224be0390395bae152d4ef');

Login.html page:

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8 " />
    <title>Log In</title>
    <script type="text/JavaScript" src="./sha512.js"></script> 
    <script type="text/JavaScript" src="./forms.js"></script> 
</head>
<body>
    <?php 
        if(isset($_GET['error'])) { 
            echo 'Error Logging In!'; 
        } 
    ?> 
    <form action="process_login.php" method="post" name="login_form"> 
        Email: <input type="text" name="LoginEtab" />
        Password: <input type="text"  name="PwdEtab"    id="PwdEtab"/>
        <input type="button"   value="Login" onclick="formhash(this.form, this.form.PwdEtab);" /> 
    </form>
</body>

</html>

Forms.js page:

 function formhash(form, PwdEtab) {
  // Create a new element input, this will be our hashed password field.
  var p = document.createElement("input");

  // Add the new element to our form.
   form.appendChild(p);
   p.name = "p";
   p.type = "hidden";
  p.value = hex_sha512(PwdEtab.value);

    // Make sure the plaintext password doesn't get sent.
    p.value = "";

// Finally submit the form.
form.submit();
}

process_login.php page:

 <?php
 include 'db_connect.php';
 include 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.


 if (isset($_POST['LoginEtab'], $_POST['p'])) {
  $LoginEtab = $_POST['LoginEtab'];
  $PwdEtab = $_POST['p']; // The hashed password.

   if (login($LoginEtab, $PwdEtab, $mysqli) == true) 
 {
    // Login success
    header('Location: ./protected_page.html');
 } else {
    // Login failed
    header('Location: ./index.php?error=1');
}
} else {
  // The correct POST variables were not sent to this page.
   echo 'Invalid Request';

}
 ?>

functions.php page :

  <?php

   include 'psl-config.php';

   function sec_session_start() {
     $session_name = 'MyOwnsession';   // Set a custom session name
     $secure = SECURE;

     // This stops JavaScript being able to access the session id.
   $httponly = true;

     // Forces sessions to only use cookies.
      ini_set('session.use_only_cookies', 1);

     // Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
                $cookieParams["path"],
                $cookieParams["domain"],
                $secure,
                $httponly);

    // Sets the session name to the one set above.
     session_name($session_name);

     session_start();            // Start the PHP session
     session_regenerate_id();    // regenerated the session, delete the old one.
  }



 function login($LoginEtab, $PwdEtab, $mysqli) {

    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT IDEtablissement , LoginEtab, PwdEtab, salt FROM etablissement WHERE LoginEtab = ? LIMIT 1"))
 {
       $stmt->bind_param('s', $LoginEtab);  // Bind "$email" to parameter.
       $stmt->execute();    // Execute the prepared query.
       $stmt->store_result();

       // get variables from result.
       $stmt->bind_result($db_IDEtablissement, $db_LoginEtab, $db_PwdEtab, $salt);
       $stmt->fetch();

         // hash the password with the unique salt.
         $PwdEtab = hash('sha512', $PwdEtab . $salt);
        if ($stmt->num_rows == 1) {
          // If the user exists we check if the account is locked
         // from too many login attempts
                 echo"text";
            // Check if the password in the database matches
            // the password the user submitted.
            if ($db_PwdEtab == $PwdEtab) {
                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $db_IDEtablissement = preg_replace("/[^0-9]+/", "", $db_IDEtablissement);
                $_SESSION['db_IDEtablissement'] = $db_IDEtablissement;

                // XSS protection as we might print this value
                $db_LoginEtab = preg_replace("/[^a-zA-Z0-9_\-]+/","",$db_LoginEtab);

                $_SESSION['db_LoginEtab'] = $db_LoginEtab;
                $_SESSION['login_string'] = hash('sha512',$PwdEtab .$user_browser);

                // Login successful.
                  return true;
    echo"false2";
            } else {
                // Password is not correct
                // We record this attempt in the database
                $now = time();
               echo"false1";


              }
         }
      } else {
        // No user exists.
        return false;
        echo"false";
        }

 }

 ?>

db_connect.php page

<?php
 include 'psl-config.php';   // Needed because functions.php is not included

 $mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);

?>

psl-config.php' page :

 <?php
 /**
* These are the database login details
  */
 define("HOST", "localhost");           // The host you want to connect to.
 define("USER", "root");            // The database username.
 define("PASSWORD", "");    // The database password.
 define("DATABASE", "enquete");     // The database name.
 define("SECURE", FALSE);

 ?>

Update: I am always redirected to the index page :header('Location: ./index.php?error=1');

and the appach log is :

[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant HOST already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant USER already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant PASSWORD already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant DATABASE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant SECURE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 18, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:18, referer: http://localhost/loginSecurity/login.html

Update I found where was the problem :) I have to add to my code

 $PwdEtab = hash('sha512', $PwdEtab );

before the hash with salt in login function

Answer 1

You are including the file psl-config.php twice, if you need, try include_once instead of include

****** EDIT ******

Let's make it work.

first, hash a new password:

include_once 'psl-config.php';

$user = 'admin';
$pass = '123';
$token = 'test';
$password = hash('sha512', $pass . $token);

$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$stmt = $mysqli->prepare("UPDATE etablissement SET LoginEtab = '{$user}', PwdEtab = '{$password}', salt = '{$token}' WHERE IDEtablissement = 1");
$stmt->execute();

then, change your form:

<form action="process_login.php" method="post" name="login_form">
    Email: <input type="text" name="LoginEtab" value="admin"/>
    <br><br>
    Password: <input type="text" name="PwdEtab" id="PwdEtab" value="123"/>
    <br><br>
    <input type="submit" value="Login"/>
</form>

now change process_login.php :

<?php

include_once 'db_connect.php';
include_once 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

if (isset($_POST['LoginEtab'])) { //<======CHANGE HERE

    $LoginEtab = $_POST['LoginEtab'];
    $PwdEtab = $_POST['PwdEtab']; // The hashed password. //<======AND HERE

    if (login($LoginEtab, $PwdEtab, $mysqli) == true) {
        // Login success
        header('Location: ./protected_page.html');
    } else {
        // Login failed
        header('Location: ./index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}

and voilà.

Answer 2

Update I found where was the problem :) I have to add to my code

$PwdEtab = hash('sha512', $PwdEtab );

before the hash with salt in login function finally it works for me :)