Larry Ullman's Book Forums

Password_Hash Rather Than Sha1 In Chapter 18 Example



<?php # Script 18.8 - login.php
// This is the login page for the site.
require ('includes/config.inc.php'); 
$page_title = 'Login';
include ('includes/header.html');

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	require (MYSQL);
	
	// Validate the email address:
	if (!empty($_POST['email'])) {
		$e = mysqli_real_escape_string ($dbc, $_POST['email']);
	} else {
		$e = FALSE;
		echo '<p class="error">You forgot to enter your email address!</p>';
	}
	
	// Validate the password:
	if (!empty($_POST['pass'])) {
		$p = mysqli_real_escape_string ($dbc, $_POST['pass']);
	} else {
		$p = FALSE;
		echo '<p class="error">You forgot to enter your password!</p>';
	}
	
	if ($e && $p) { // If everything's OK.

		include('includes/lib/password.php');
		
		// Query the database:
		$q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass='"  .  password_hash($p, PASSWORD_BCRYPT) .  "') AND active IS NULL";		
		$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));
		
		if (@mysqli_num_rows($r) == 1) { // A match was made.

			// Register the values:
			$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); 
			mysqli_free_result($r);
			mysqli_close($dbc);
							
			// Redirect the user:
			$url = BASE_URL . 'index1.php'; // Define the URL.
			ob_end_clean(); // Delete the buffer.
			header("Location: $url");
			exit(); // Quit the script.
				
		} else { // No match was made.
			echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
		}
		
	} else { // If everything wasn't OK.
		echo '<p class="error">Please try again.</p>';
	}
	
	mysqli_close($dbc);

} // End of SUBMIT conditional.
?>

<h1>Login</h1>
<p>Your browser must allow cookies in order to log in.</p>
<form action="login.php" method="post">
	<fieldset>
	<p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="60" /></p>
	<p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
	<div align="center"><input type="submit" name="submit" value="Login" /></div>
	</fieldset>
</form>

<?php include ('includes/footer.html'); ?>
include('includes/lib/password.php');

			// Add the user to the database:
			$q = "INSERT INTO users (email, pass, first_name, last_name, active, registration_date) VALUES ('$e', '"  .  password_hash($p, PASSWORD_BCRYPT) .  "', '$fn', '$ln', '$a', NOW() )";
			$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

I am trying to use the password_hash encryption technique for the Ch 18 example rather than SHA1. I was able to successfully register via changing the registration query (see second script, which includes 'lib/password.php' due to my version of PHP). However, when I try to log in (see top script), it indicates my password doesn't match what's on file. Is it possible something needs to be changed in the login's validation? Or have I possibly missed something else? Any help would be greatly appreciated.


It's great that you're switching to the password hashing library. But password verification cannot be done within the query now. Instead, you'll need to use password_verify() to verify the password.


<?php # Script 18.8 - login.php
// This is the login page for the site.
require ('includes/config.inc.php'); 
$page_title = 'Login';
include ('includes/header.php');

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	require (MYSQL);
	
	// Validate the email address:
	if (!empty($_POST['email'])) {
		$e = mysqli_real_escape_string ($dbc, $_POST['email']);
	} else {
		$e = FALSE;
		echo '<p class="error">You forgot to enter your email address!</p>';
	}
	
	// Validate the password:
	if (!empty($_POST['pass'])) {
		$p = mysqli_real_escape_string ($dbc, $_POST['pass']);
	} else {
		$p = FALSE;
		echo '<p class="error">You forgot to enter your password!</p>';
	}
	
	if ($e && $p) { // If everything's OK.

		include('includes/lib/password.php');
		$hash = password_hash($p, PASSWORD_BCRYPT);

		if (password_verify($pass, $hash)) { // Correct!


		// Query the database:
		$q = "SELECT user_id, first_name, user_level FROM users WHERE (email='$e' AND pass='$p') AND active IS NULL";		
		$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); 
		
		}
		
		if (@mysqli_num_rows($r) == 1) { // A match was made.

			// Register the values:
			$_SESSION = mysqli_fetch_array ($r, MYSQLI_ASSOC); 
			mysqli_free_result($r);
			mysqli_close($dbc); 
							
			// Redirect the user:
			$url = BASE_URL . 'index2014.php'; // Define the URL.
			ob_end_clean(); // Delete the buffer.
			header("Location: $url");
			exit(); // Quit the script. 
			
				
		} else { // No match was made.
			echo '<p class="error">Either the email address and password entered do not match those on file or you have not yet activated your account.</p>';
		} 
		
	} else { // If everything wasn't OK.
		echo '<p class="error">Please try again.</p>';
	}
	
	mysqli_close($dbc);

} // End of SUBMIT conditional.
?>

<h1>Login</h1>
<p>Your browser must allow cookies in order to log in.</p>
<form action="login.php" method="post">
	<fieldset>
	<p><b>Email Address:</b> <input type="text" name="email" size="20" maxlength="60" /></p>
	<p><b>Password:</b> <input type="password" name="pass" size="20" maxlength="20" /></p>
	<div align="center"><input type="submit" name="submit" value="Login" /></div>
	</fieldset>
</form>

<?php include ('includes/footer.php'); ?>

Thank you for your response! I've read back through the applicable sections of both Effortless E-Commerce 2nd Edition and PHP & MySQL 4th Edition, along with the PHP manual, and believe I have the syntax for password_verify correct. However, I am still getting the response "E-mail or password do match what's on file..." Could it be a misplaced } ? Code is included. Thanks for your help.


// Query the database:
		$q = "SELECT * FROM users WHERE email='$e' AND active IS NULL";		
		$r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); 
		
		}

		include('includes/lib/password.php');
		$hash = password_hash($p, PASSWORD_BCRYPT);

		if (password_verify($pass, $hash)) { // Correct!

Thought I had this figured out. The logic in the previous response (though it included the password_verify) was incorrect. This modified excerpt of the script allows login (by checking for e-mail) but is not checking the password. Any suggestions would be appreciated.


This second bit of code is essentially what you should be doing: first select the user ID, password, and other information, using the email address (if active). Then provide that stored password to the password_verify() function, comparing with the just submitted password.
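A worked version of what this reply and the first reply describe, added here as an example rather than code from the book or the poster: fetch the stored hash by email only, then hand it to password_verify() together with the just-submitted password. It assumes $dbc is the book's open mysqli connection, the table and column names from the excerpts above, and that registration hashed the raw password (the registration excerpt runs the password through mysqli_real_escape_string before hashing, which alters passwords containing quotes or backslashes; the escape is unnecessary once only the hash reaches the database, so drop it on both sides or apply it identically on both).

```php
<?php
// Added example (not the book's or the poster's code). Assumes: $dbc is an open
// mysqli link; users has columns user_id, first_name, user_level, pass, active;
// registration stored password_hash($rawPassword, PASSWORD_BCRYPT) in `pass`.

// Older PHP: load the compatibility library the poster is already including.
if (!function_exists('password_verify')) {
    require 'includes/lib/password.php';
}

/**
 * Returns array(user_id, first_name, user_level) on success, or false when the
 * email is unknown, the account is not yet active, or the password does not
 * verify. The submitted password is never placed in the SQL statement.
 */
function login_user(mysqli $dbc, $email, $password)
{
    // Look the user up by email alone; the hash is fetched, not compared in SQL.
    $q = 'SELECT user_id, first_name, user_level, pass FROM users '
       . 'WHERE email = ? AND active IS NULL';
    $stmt = mysqli_prepare($dbc, $q);
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $user_id, $first_name, $user_level, $hash);
    $found = mysqli_stmt_fetch($stmt); // true when exactly one row was bound
    mysqli_stmt_close($stmt);

    // password_verify() reads the salt and cost out of the stored hash, so a
    // fresh password_hash() of the submitted value can never equal it; this is
    // why the original scripts above always report a mismatch.
    if ($found && password_verify($password, $hash)) {
        return array(
            'user_id'    => $user_id,
            'first_name' => $first_name,
            'user_level' => $user_level,
        );
    }
    return false;
}

// In login.php this replaces the query/num_rows block inside "if ($e && $p)":
// $user = login_user($dbc, $_POST['email'], $_POST['pass']);
// if ($user) { $_SESSION = $user; /* redirect as before */ }
// else { echo '<p class="error">Either the email address and password ...</p>'; }
```

Also check that the users.pass column is wide enough for a 60-character bcrypt hash: a column sized for a 40-character SHA1 digest would truncate (or, in strict mode, reject) the stored hash, and every verification would then fail.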
