mysql - Cannot make a registration page in PHP using SHA512 encryption -
This question already has an answer here:
- How do you use bcrypt for hashing passwords in PHP? (9 answers)
I have a small problem here with the register and/or login page: I can register, but I cannot log in using the newly registered account. May I please ask for your advice, guys?
execaddemp.php
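<?php
include("./db_connect.php");
include("./functions.php");

// Registration handler (execaddemp.php).
// Stores a new record with a salted SHA-512 password hash. Expects the form to
// POST username, firstname, lastname, mi, status, email and password, and
// relies on $mysqli being created by db_connect.php.
if (isset($_POST['email'], $_POST['username'], $_POST['status'], $_POST['password'])) {
    $username  = $_POST['username'];
    $firstname = $_POST['firstname'];
    $lastname  = $_POST['lastname'];
    $mi        = $_POST['mi'];
    $email     = $_POST['email'];
    $status    = $_POST['status'];

    // Duplicate-email check. The address comes straight from the request, so it
    // is bound as a parameter instead of being interpolated into the SQL string.
    // NOTE(review): this looks up `employee` while the INSERT below writes to
    // `members` — confirm which table is intended.
    if ($check_stmt = $mysqli->prepare("SELECT email FROM employee WHERE email = ?")) {
        $check_stmt->bind_param('s', $email);
        $check_stmt->execute();
        $check_stmt->store_result();
        $email_in_use = $check_stmt->num_rows > 0;
        $check_stmt->close();
        if ($email_in_use) {
            // Previously the message was printed unconditionally and the insert
            // still went ahead; a duplicate must stop the request here.
            die("email in use!<br>");
        }
    }

    // Per-user salt (128 hex chars). mt_rand()/uniqid() are not cryptographic;
    // the salt only has to be unique per user, but on PHP 7+ prefer
    // bin2hex(random_bytes(64)), which keeps the same column width.
    $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));

    // This must hash exactly the value login() in functions.php will hash later.
    // login() hashes whatever the browser sent in the password field; if the
    // login form runs forms.js formhash(), the browser sends hex_sha512(password)
    // in the hidden field 'p', and a registration that hashes the raw password
    // will never produce a matching value. Both forms must submit the same thing.
    // On PHP 5.5+ replace this scheme with password_hash()/password_verify().
    $password = hash('sha512', $_POST['password'] . $random_salt);
    // The hash is never echoed: it is the credential the database stores.

    $insert_stmt = $mysqli->prepare(
        "INSERT INTO members (username, firstname, lastname, mi, status, email, password, salt) VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
    );
    if (!$insert_stmt) {
        die("there's little problem: " . mysqli_error($mysqli));
    }
    $insert_stmt->bind_param('ssssssss', $username, $firstname, $lastname, $mi, $status, $email, $password, $random_salt);
    // execute() failures (e.g. a unique-key violation) were silently ignored before.
    if (!$insert_stmt->execute()) {
        die("there's little problem: " . $insert_stmt->error);
    }
    $insert_stmt->close();

    include("loading.php");
    echo '<meta http-equiv="refresh" content="1;url=addemployee.php">';
} else {
    echo 'invalid request';
}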
functions.php
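<?php
/**
 * Starts the PHP session with hardened cookie settings.
 *
 * Forces cookie-only session ids, sets the HttpOnly flag, uses a custom session
 * name and regenerates the id on every start. Session state is then read and
 * written through $_SESSION by login() and login_check().
 */
function sec_session_start()
{
    $session_name = 'sec_session_id';  // custom session name
    $secure = false;                   // must be true once the site is served over HTTPS,
                                       // otherwise the session cookie also travels over plain HTTP
    $httponly = true;                  // stops JavaScript from reading the session id
    ini_set('session.use_only_cookies', 1); // never accept a session id from the URL
    $cookieParams = session_get_cookie_params(); // keep the configured lifetime/path/domain
    session_set_cookie_params(
        $cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly
    );
    session_name($session_name);
    session_start();
    // New id on every start, and the old session data is deleted (the previous
    // call omitted `true`, so the old session file was left behind).
    session_regenerate_id(true);
}

/**
 * Authenticates a user against the members table.
 *
 * @param string $email    email address submitted by the login form
 * @param string $password the value the browser sent as the password. If the form
 *                         used forms.js formhash() this is already hex_sha512(plaintext);
 *                         the registration page must hash the very same value.
 * @param mysqli $mysqli   open database connection
 * @return bool true on success (user_id, username and login_string are put into
 *              $_SESSION); false for an unknown user, a locked account, a wrong
 *              password, or a prepare() failure
 */
function login($email, $password, $mysqli)
{
    // Prepared statement: the email is bound, never interpolated.
    $stmt = $mysqli->prepare("SELECT id, username, password, salt FROM members WHERE email = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $username, $db_password, $salt);
    $stmt->fetch();

    if ($stmt->num_rows != 1) {
        // No such user.
        return false;
    }
    if (checkbrute($user_id, $mysqli) === true) {
        // Account locked: too many failed attempts in the last 2 hours.
        // TODO: notify the user that the account is locked.
        return false;
    }

    // Same construction the registration page uses: sha512(password . salt).
    $password = hash('sha512', $password . $salt);

    // Strict comparison. `==` treats two hex strings that both look like
    // "0e<digits>" as equal numbers; `===` compares bytes. On PHP 5.6+ use
    // hash_equals($db_password, $password) for a constant-time compare.
    if ($db_password === $password) {
        // Password correct. The hash is deliberately not echoed.
        $user_browser = $_SERVER['HTTP_USER_AGENT']; // user-agent string of the browser
        // XSS protection in case these values are ever printed.
        $user_id = preg_replace("/[^0-9]+/", "", $user_id);
        $_SESSION['user_id'] = $user_id;
        $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
        $_SESSION['username'] = $username;
        // Ties the session to this browser; login_check() recomputes it.
        $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
        return true;
    }

    // Wrong password: record the attempt so checkbrute() can lock the account.
    // Both values are server-generated integers; bound anyway so every query
    // in this file follows the same pattern.
    $now = time();
    if ($attempt = $mysqli->prepare("INSERT INTO login_attempts (user_id, time) VALUES (?, ?)")) {
        $attempt->bind_param('ii', $user_id, $now);
        $attempt->execute();
    }
    return false;
}

/**
 * Reports whether an account is currently locked out.
 *
 * @param int    $user_id members.id
 * @param mysqli $mysqli  open database connection
 * @return bool true when more than 5 login attempts were recorded for $user_id
 *              in the last 2 hours; false otherwise (also when prepare() fails,
 *              which previously returned an implicit null)
 */
function checkbrute($user_id, $mysqli)
{
    $now = time();
    $valid_attempts = $now - (2 * 60 * 60); // start of the 2-hour window
    if ($stmt = $mysqli->prepare("SELECT time FROM login_attempts WHERE user_id = ? AND time > ?")) {
        $stmt->bind_param('ii', $user_id, $valid_attempts);
        $stmt->execute();
        $stmt->store_result();
        return $stmt->num_rows > 5;
    }
    return false;
}

/**
 * Checks that the current session belongs to a logged-in user.
 *
 * Recomputes sha512(stored password hash . user agent) and compares it with
 * $_SESSION['login_string'] set by login().
 *
 * @param mysqli $mysqli open database connection
 * @return bool true when the session is valid, false in every other case
 */
function login_check($mysqli)
{
    if (!isset($_SESSION['user_id'], $_SESSION['username'], $_SESSION['login_string'])) {
        return false;
    }
    $user_id = $_SESSION['user_id'];
    $login_string = $_SESSION['login_string'];
    $user_browser = $_SERVER['HTTP_USER_AGENT']; // user-agent string of the browser

    $stmt = $mysqli->prepare("SELECT password FROM members WHERE id = ? LIMIT 1");
    if (!$stmt) {
        return false;
    }
    $stmt->bind_param('i', $user_id);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows != 1) {
        // No such user.
        return false;
    }
    $stmt->bind_result($password);
    $stmt->fetch();
    $login_check = hash('sha512', $password . $user_browser);
    // Strict comparison for the same reason as in login(); hash_equals() on 5.6+.
    return $login_check === $login_string;
}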
forms.js
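/**
 * Replaces the plaintext password in `form` with its hex SHA-512 before submitting.
 *
 * The hash goes into a hidden field named "p" and the visible password field is
 * cleared, so the plaintext never leaves the browser. The hash then IS the
 * credential: the server must hash the value of "p" identically at registration
 * and at login, and this does not replace HTTPS.
 *
 * @param {HTMLFormElement}  form     the form being submitted
 * @param {HTMLInputElement} password the password input inside `form`
 */
function formhash(form, password) {
    // New hidden input that carries the hashed password.
    // (DOM methods are case-sensitive: createElement / appendChild.)
    var p = document.createElement("input");
    form.appendChild(p);
    p.name = "p";
    p.type = "hidden";
    p.value = hex_sha512(password.value); // hex_sha512 is provided by the SHA-512 library the page loads
    // Make sure the plaintext password is not sent.
    password.value = "";
    form.submit();
}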
SHA512 is a hash algorithm, not encryption. I know this answer might be considered off topic, but you should use the default PHP password class instead. Since you're not on PHP 5.5 yet, you can use this: https://gist.github.com/marcoarment/1053158
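// Usage example (Bcrypt class from the linked gist; superglobals are case-sensitive, so $_POST):
// in the registration or password-change form:
$hash_for_user = Bcrypt::hash($_POST['password']);
// in the login form:
$is_correct = Bcrypt::check($_POST['password'], $stored_hash_for_user);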