PDO Register and Login Password Matching
Question
Okay.. so to start off I only have Php 5.3 so I can't use bcrypt, I am not familiar with salt but an completely willing to do it if someone can help me out. I also would like to know if this script is bad or good for sql injections. My biggest problems is when I use something like crypt and try to get my passwords to match, it won't. I've been working on this for days and can't seem to find the right solution to my problem. the code is not done yet, but its able to run. I'm just doing this on wamp so i dunno if thats a problem? but i cant imagine it is.
REGISTER . PHP
if ((strlen($username)) < 6 || (preg_match("/[^\w-.]/", $username)) ) {
header('Location: Register.php?fail=1');
die();
}
if ((strlen($password)) < 8) {
header('Location: Register.php?fail=2');
die();
}
if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
header('Location: Register.php?fail=3');
die();
}
/*
TRIED METHODS
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$salt = base64_encode($salt);
$salt = str_replace('+', '.', $salt);
$hash = crypt('rasmuslerdorf', '$2y$10$'.$salt.'$');
$password = $hash;
echo "<script>alert('$password');</script>";
$salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
$digest = crypt($password, $salt);
if (crypt($password, $digest) == $digest){
echo "<script>alert('logged in');</script>";
}else{
header('Location: Login.php?fail=3');
die();
}
*/
//PDO CONNECTION
function pdo_connect() {
try {
$db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX");
return $db;
} catch (PDOException $e) {
//echo $e->getMessage();
//return false;
header('Location: Register.php?fail=6');
}
}
//CHECK IF USERNAME EXISTS
function usernameCheck($username) {
$con = pdo_connect();
$ustmt = $con->prepare("SELECT u_users FROM users WHERE u_users = :name");
$ustmt->bindParam(':name', $username);
$ustmt->execute();
if($ustmt->rowCount() > 0){
header('Location: Register.php?fail=4');
die();
}
$con = null;
}
echo usernameCheck($username);
//CHECK IF EMAIL EXISTS
function emailCheck($email) {
$con = pdo_connect();
$estmt = $con->prepare("SELECT u_email FROM users WHERE u_email = :name");
$estmt->bindParam(':name', $email);
$estmt->execute();
if($estmt->rowCount() > 0){
header('Location: Register.php?fail=5');
die();
}
$con = null;
}
echo emailCheck($email);
//INSERT EMAIL TO NEWSLETTER
function emailnewsletterCheck($email) {
$con = pdo_connect();
$nstmt = $con->prepare("SELECT n_email FROM newsletter WHERE n_email = :email");
$nstmt->bindParam(':email', $email);
$nstmt->execute();
if($nstmt->rowCount() < 1){
$addstmt = $con->prepare('INSERT INTO newsletter (n_email) VALUES (:email)');
$addstmt->bindParam(':email', $email);
$addstmt->execute();
}
$con = null;
}
echo emailnewsletterCheck($email);
//INSERT
function insert($username,$password,$email,$type) {
$con = pdo_connect();
$password = md5($password);
$istmt = $con->prepare('INSERT INTO users (u_users, u_private, u_email, u_type) VALUES (:username, :password, :email, :type)');
$istmt->execute(array(
':username' => $username,
':password' => $password,
':email' => $email,
':type' => $type
));
$con = null;
header('Location: Login.php?success=1');
}
echo insert($username,$password,$email,$type);
}//end submit
?>
<?php
$page_title = "NS : Web Development : Register";
$page_desc = "Register with us for great deals on website development.";
$services = 0;
include_once 'header.php';
?>
<script type="text/javascript">
// This function checks if the username field is at least 6 characters long.
function checkUsernameForLength(whatYouTyped) {
var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
var txt = whatYouTyped.value;
if (txt.length > 5) {
$("span.hint").hide();
}
}
// If the password is at least 4 characters long
function checkPassword(whatYouTyped) {
var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
var txt = whatYouTyped.value;
if (txt.length > 7) {
$("span.hint").hide();
}
}
// This function checks the email address blah@blah.blah
function checkEmail(whatYouTyped) {
var fieldset = whatYouTyped.parentNode.parentNode.parentNode;
var txt = whatYouTyped.value;
if (/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/.test(txt)) {
$("span.hint").hide();
}
}
// this part is for the form field hints to display
// only on the condition that the text input has focus.otherwise, it stays hidden.
function addLoadEvent(func) {
var oldonload = window.onload;
if (typeof window.onload != 'function') {
window.onload = func;
} else {
window.onload = function() {
oldonload();
func();
}
}
}
function prepareInputsForHints() {
var inputs = document.getElementsByTagName("input");
for (var i=0; i<inputs.length; i++){
inputs[i].onfocus = function () {
this.parentNode.getElementsByTagName("span")[0].style.display = "inline";
}
inputs[i].onblur = function () {
this.parentNode.getElementsByTagName("span")[0].style.display = "none";
}
}
}
addLoadEvent(prepareInputsForHints);
</script>
<div class="jumbotron">
<div class="container">
<h1>Register for <font color="fb1576">great</font> opportunities</h1>
<p>Get full quotes, package <font color="fb1576">deals</font>, news and updates on the latest themes and scripts, and even <font color="fb1576">win</font> free prizes<font color="fb1576">!</font>
</div>
</div>
<div class="container">
<!-- row of columns -->
<div class="row">
<?php
if ( isset($_GET['fail']) && $_GET['fail'] == 1 ){
echo "<div class='alert alert-danger'>Username must be at least 6 characters in length and can only contain characters matching (a-z) (A-Z) (0-9) and '_' Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 2 ){
echo "<div class='alert alert-danger'>Password must be at least 8 characters in length and cannot exceed 25. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 3 ){
echo "<div class='alert alert-danger'>E-mail is not valid. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 4 ){
echo "<div class='alert alert-danger'>Username you chose already exists. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 5 ){
echo "<div class='alert alert-danger'>E-mail you entered is already in use. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 6 ){
echo "<div class='alert alert-danger'>Something went wrong, we couldn't submit your registration. Please try again later. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
?>
<form name="basicform" id="basicform" method="POST">
<fieldset>
<div class="input-group">
<label for="username">Choose a Username:</label><br>
<input type="text" id="username" name="username" onkeyup="checkUsernameForLength(this);" required class="form-control" maxlength="25" pattern=".{6,}"/>
<span class="hint">Usernames must be a least 6 characters in length and cannot exceed 25. Characters must match (a-z) (A-Z) (0-9) and '_'</span>
</div>
</fieldset>
<fieldset>
<div class="input-group">
<label for="password">Enter a password:</label><br>
<input type="password" id="password" name="password" onkeyup="checkPassword(this);" required class="form-control" maxlength="25" pattern=".{7,}"/>
<span class="hint">The password can be any combination of <strong>characters</strong>, and must be at least 8 characters in length and cannot exceed 25.</span>
</div>
</fieldset>
<fieldset>
<div class="input-group">
<label for="email">Enter your email address:</label><br>
<input type="text" id="email" name="email" onkeyup="checkEmail(this);" required class="form-control" maxlength="30" />
<span class="hint">Please enter your real email address (ie: you@emailprovider.com)</span>
</div>
</fieldset>
<fieldset>
<label for="type">Pick your position of registration:</label><br>
<select name="type">
<option name="type" value="Client">I am a client looking for work to be done</option>
<option name="type" value="Employer">I am an employer looking for a potential hire</option>
<option name="type" value="Employee">I am an employee looking to be hired</option>
</select>
</fieldset>
<fieldset>
<button type="submit" class="btn btn-primary" name="submit" value="submit">Register Now</button>
</fieldset>
</form>
</div>
<!-- //row of columns -->
<?php
include_once 'footer.php';
?>
LOGIN . PHP
$username = $_POST['username'];
$password = $_POST['password'];
//before we even bother connecting to the db start validating
if ( (empty($username)) || (empty($password)) ) {
header('Location: Login.php?fail=1');
die();
}
if ( ((strlen($username)) >25) || ((strlen($password)) >25) ) {
header('Location: Login.php?fail=2');
die();
}
if ( (preg_match("/[^\w-.]/", $username)) ) {
header('Location: Login.php?fail=3');
die();
}
/*
TRIED METHODS
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$salt = base64_encode($salt);
$salt = str_replace('+', '.', $salt);
$hash = crypt('rasmuslerdorf', '$2y$10$'.$salt.'$');
$password = $hash;
echo "<script>alert('$password');</script>";
$salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
$digest = crypt($password, $salt);
if (crypt($password, $digest) == $digest){
echo "<script>alert('logged in');</script>";
}else{
header('Location: Login.php?fail=3');
die();
}
*/
//PDO CONNECTION
function pdo_connect() {
try {
$db = new PDO("mysql:host=localhost;dbname=XXX", "XXX", "XXX");
return $db;
} catch (PDOException $e) {
//echo $e->getMessage();
//return false;
header('Location: Register.php?fail=6');
}
}
//CHECK IF USERNAME EXISTS
function checkLogin($username,$password) {
$con = pdo_connect();
//$getlogin = $con->query
$getlogin = $con->prepare("SELECT u_users,u_private FROM users WHERE u_users = :username AND u_private = :password");
$getlogin->bindValue(':username', $username, PDO::PARAM_STR);
$getlogin->bindValue(':password', $password, PDO::PARAM_STR);
$getlogin->execute();
if($getlogin->rowCount() > 0){
echo "<script>alert('yes');</script>";
}
$con = null;
}
echo checkLogin($username,$password);
echo "<script>alert('success');</script>";
}
?>
<?php
$page_title = "NS : Web Development : Register";
$page_desc = "Register with us for great deals on website development.";
$services = 0;
include_once 'header.php';
?>
<div class="jumbotron">
<div class="container">
<h1><font color="fb1576">Members</font> log in</h1>
<p> Not yet a member? <a href="Register.php"><font color="fb1576">Sign up today!</font></a>
</div>
</div>
<div class="container">
<?php
if ( isset($_GET['success']) && $_GET['success'] == 1 ){
echo "<div class='alert alert-success'>Registration successful. Please log in.</div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 1 ){
echo "<div class='alert alert-danger'>Username or Password cannot be left blank.</div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 2 ){
echo "<div class='alert alert-danger'>Sorry, this is not a valid Username or Password.</div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 3 ){
echo "<div class='alert alert-danger'>Username or Password incorrect, please try again.</div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 5 ){
echo "<div class='alert alert-danger'>E-mail you entered is already in use. Please try again. <a href='Register.php'><span class='glyphicon glyphicon-remove'></span> Close</a></div>";
}
if ( isset($_GET['fail']) && $_GET['fail'] == 6 ){
echo "<div class='alert alert-danger'>Something went wrong. Please try again later. </div>";
}
?>
<form class="form-signin" role="form" method="POST">
<h2 class="form-signin-heading">Please sign in</h2>
<p>
<input type="text" class="form-control" placeholder="Username" name="username" required autofocus>
</p>
<br>
<p>
<input type="password" class="form-control" placeholder="Password" name="password" required>
</p>
<label class="checkbox">
<input type="checkbox" value="remember-me"> Remember me
</label>
<button class="btn btn-lg btn-primary btn-block" type="submit" name="submit" value="submit">Sign in</button>
</form>
<?php
include_once 'footer.php';
?>
I REALLLLLYY need to get it so it is secure for my server on launch and can login a user safely.
1 answers
solution1
0 2014-03-07 20:52:26
With PHP version 5.3 you can and should use BCrypt.
For PHP version 5.5 and higher it is recommended to use the new password functions password_hash() and password_verify() :
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
For PHP version 5.3.7 and higher there exists a compatibility pack , so you can use the functions above in exactly the same way.
For PHP versions earlier than 5.3.7 you could use the compatibility pack and change the crypt parameter from "$2y$%02d$" to "$2a$%02d$" , this generates a BCrypt hash as well. It is the best you can do with older versions, the hashes will be compatible when you update to a newer PHP version.
When you want to verify the password, you cannot do this in the SQL statement directly. In a first step you have to get the stored password-hash from the database (with the username), then you can use this hash in the function password_verify(). The password_verify() function needs to extract the salt from the stored hash.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Hashed password register / login
Add password hash in pdo login
PHP PDO login Username and Password not found
Cant login with the right password in PHP PDO
Register & Login password hashing method the same but not working
How to use password_hash Register And Login
login.php, retrieving and matching password not work
Password is not matching for my PHP login form
how to use hash sha256 password for pdo Login php
PHP PDO how to hash password upon registration and then 'unhash' during login
Related Tags