
creating a blog but mysql php password issues

I am creating a blog from scratch using mysql and php.

class.user.php code:

    <?php

    class User{

        private $db;

        public function __construct($db){
            $this->db = $db;
        }

        public function is_logged_in(){
            if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true){
                return true;
            }
            return false;
        }

        // bcrypt via crypt(): "$2a$12$" selects bcrypt with cost 12, followed by a
        // 22-character salt drawn from the ./A-Za-z0-9 alphabet ('+' is not allowed
        // in that alphabet, hence the str_replace).
        public function create_hash($value)
        {
            return crypt($value, '$2a$12$'.substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22));
        }

        private function verify_hash($password,$hash)
        {
            if($hash === null || $hash === ''){
                return false;
            }
            // crypt() reads the algorithm, cost and salt back out of the stored
            // hash; hash_equals() compares in constant time.
            return hash_equals($hash, crypt($password, $hash));
        }

        private function get_user_hash($username){

            try {

                //echo $this->create_hash('demo');

                $stmt = $this->db->prepare('SELECT password FROM blog_members WHERE username = :username');
                $stmt->execute(array('username' => $username));
                $row = $stmt->fetch();
                if($row === false){
                    return null; // unknown username
                }
                return $row['password'];

            } catch(PDOException $e) {
                echo '<p class="error">'.$e->getMessage().'</p>';
                return null;
            }
        }

        public function login($username,$password){

            $hashed = $this->get_user_hash($username);
            if($this->verify_hash($password,$hashed)){
                $_SESSION['loggedin'] = true;
                return true;
            }
            return false;
        }

        public function logout(){
            session_destroy();
        }
    }

    ?>

Login.php that connects to class.user.php

    <?php
    //include config
    require_once('../includes/config.php');


    //check if already logged in
    if( $user->is_logged_in() ){ header('Location: index.php'); exit; }
    ?>
    <!doctype html>
    <html lang="en">
    <head>
    <meta charset="utf-8">
    <title>Admin Login</title>
    <link rel="stylesheet" href="../style/normalize.css">
    <link rel="stylesheet" href="../style/main.css">
    </head>
    <body>

    <div id="login">

    <?php

    //process login form if submitted
    if(isset($_POST['submit'])){

        $username = trim($_POST['username']);
        $password = trim($_POST['password']);
        if($user->login($username,$password)){

            //logged in return to index page
            header('Location: index.php');
            exit;

        } else {
            $message = '<p class="error">Wrong username or password</p>';
        }

    }//end if submit

    if(isset($message)){ echo $message; }
    ?>

    <form action="" method="post">
    <p><label>Username</label><input type="text" name="username" value="" /></p>
    <p><label>Password</label><input type="password" name="password" value="" /></p>
    <p><label></label><input type="submit" name="submit" value="Login" /></p>
    </form>

    </div>
    </body>
    </html>

I created the table using phpMyAdmin, but however I try to log in, it says wrong username and password. I can't get it to work. Is there any other workaround or other method to do this?

Thanks

A couple of things...

Why re-invent the wheel?

Unless this is an exercise to gain knowledge, creating your own blog system is a bit extreme when there's plenty of well developed off the shelf solutions which will do what you want and more.

Back to your question...

When you create your user password for the account you need to store the salt in the database along with the hashed password. Then when you come to check the authentication you get the salt and the hashed password from the database. You then hash the submitted password with the existing salt and check it matches the hashed password in the database.

What it appears you're currently doing is getting the hashed password from the database and then comparing it to crypt($password, $db_password), which basically means you're hashing the user-submitted password with the existing hashed password in the db; this, of course, will never match.

Possible answer:

I recommend you re-read the documentation on crypt() , (they recommend using password_hash() instead of crypt() to begin with): http://us3.php.net/manual/en/function.crypt.php Also, as I understand it, including a time sensitive salt means that you have to have that same time in order to match the hash... if you are recording the creation date (as a timestamp) in the DB and you can be sure to pull that to re-create the hash then that could be very secure... otherwise, as I understand it, it will absolutely NOT work... remember a hash is meant to encrypt a specific value in a way that it is very difficult to find that value. But generating a new hash that matches the old hash is easy so long as you use the SAME specific value that originally created the hash... again as I understand it, including the SAME salt.
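The store-then-verify flow the two answers above describe, written out as an added example (not the asker's code, and not from any answer) using password_hash() and password_verify(), which the crypt() manual page recommends. It runs against an in-memory SQLite database so it works stand-alone; the blog_members table and password column names follow the question, and the demo credentials are constructed.

```php
<?php
// Added example: registration and login with password_hash()/password_verify().
// Assumes PDO with the sqlite driver; the table mirrors the question's blog_members.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // A bcrypt string is 60 characters; the PHP manual advises a 255-wide
    // column so a later change of default algorithm is never truncated.
    $db->exec('CREATE TABLE blog_members (
                   username VARCHAR(64) PRIMARY KEY,
                   password VARCHAR(255) NOT NULL)');
    return $db;
}

function register(PDO $db, string $username, string $password): void {
    // password_hash() draws a random salt and embeds it, together with the
    // algorithm id and cost, in the returned string, so the salt needs no
    // column of its own and nothing time-dependent has to be recorded.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO blog_members (username, password) VALUES (:u, :p)');
    $stmt->execute(['u' => $username, 'p' => $hash]);
}

function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM blog_members WHERE username = :u');
    $stmt->execute(['u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown username: same outcome as a bad password
    }
    // password_verify() reads the salt and cost back out of the stored hash,
    // recomputes bcrypt over the submitted password and compares in constant time.
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // If the stored hash was made with an older cost or algorithm, upgrade it
    // now while the plaintext password is available.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $db->prepare('UPDATE blog_members SET password = :p WHERE username = :u');
        $upd->execute(['p' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
                       'u' => $username]);
    }
    return true;
}

// Constructed demo run.
$db = make_db();
register($db, 'demo', 'correct horse battery staple');

var_dump(login($db, 'demo', 'correct horse battery staple'));
var_dump(login($db, 'demo', 'wrong password'));
var_dump(login($db, 'nobody', 'anything'));
```

The first call returns true and the other two false. Because the salt travels inside the stored string, verification never has to reproduce the moment of creation; the one thing the schema must guarantee is that the full 60-character bcrypt string is stored without truncation.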

Comment about trim():

I have to back @WesleyMurch, it's definitely best not to modify the password... I have some experience with an edge case where I could see that using the default functionality of trim() on the password could be valuable. Under a very specific need &, so long as the users are made very aware that you will be modifying the password by removing the whitespace from the beginning or end of their passwords. I actually have a password that I accidentally included a space & hard return in... took a while to figure that one out (I was copying & pasting from a password manager). I also would have to support @TheBlueDog in his comment that my experience is likely to be not a very likely case. Most of the time, if your password didn't work because of unintended white space you wouldn't know why and you'd reset your password, therefore sidestepping the problem. In addition many people still don't use password managers and may not be routinely copying & pasting their passwords.

Again good luck!
