I am using PHPASS to store password encrypted and compare when login.
here is the code
ob_start();
$userName = $password = "";
$userNameErr = $passwordErr = $loginErr = "";
$hasher = new PasswordHash(8, false);
if (isset($_POST['subEmployee'])) {
if (empty($_POST['user_name'])) {
$userNameErr = "User name is required";
} else {
$userName = check_input($_POST['user_name']);
if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) {
$userNameErr = "Only letters, numbers and '_' allowed";
}
}
if (empty($_POST['password'])) {
$passwordErr = "Password is required";
}else{
$password = check_input($_POST['password']);
}
$active = 1;
$loginUser = $db->prepare("SELECT password FROM users WHERE user_name=? AND activity=?");
$loginUser->bind_param('si', $userName, $active);
if ($loginUser->execute()) {
$results = $loginUser->get_result();
if ($results->num_rows == 1) {
$row = $results->fetch_object();
$stored_hash = "*";
$stored_hash = $row->password;
$check = $hasher->CheckPassword($password, $stored_hash);
if ($check) {
$_SESSION['name'] = $row->first_name;
$_SESSION['userId'] = $row->id;
$_SESSION['user'] = 1;
print_r($_SESSION);
header("Location:?pid=4");
} elseif (!empty($_POST['user_name']) && !empty($_POST['password'])) {
$loginErr = "'Invalid Login Information'";
}
}
}
}
so far it always give the same message 'Invalid Login Information' I have made the registration form that store my password like this.
$hasher = new PasswordHash(8, false);
$hash = md5(rand(0, 1000));
if (empty($_POST['password'])) {
$error ['passwordErr'] = "Password is required";
} elseif (strlen($_POST['password']) < 8) {
$error ['passwordErr'] = "<span class='notAllowed'>Chose password with at last eight characters</span>";
} elseif (strlen($_POST['password']) > 72) {
$error ['passwordErr'] = "<span class='notAllowed'>Password max 72 characters</span>";
} elseif ($_POST['password'] !== $_POST['confirm']) {
$error ['passwordErr'] = "Password don't matching";
} else {
$password = $hasher->HashPassword($password);
}
when I checked my database the password seems hashed to me and the user name is there and everything is alright
but still getting this message as 'Invalid Login Information'.
does this two lines is right
$loginUser = $db->prepare("SELECT password FROM users WHERE user_name=? AND activity=?");
$loginUser->bind_param('si', $userName, $active);
does the login code OK.
I try this too
Update I updated my code
if (isset($_POST['subEmployee'])) {
$error=array();
$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
if (empty($_POST['user_name'])) {
$userNameErr = "User name is required";
} else {
$userName = check_input($_POST['user_name']);
if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) {
$userNameErr = "Only letters, numbers and '_' allowed";
}
}
if (empty($_POST['password'])) {
$passwordErr = "Password is required";
} else {
$password = $_POST['password'];
}
$active = 1;
$loginUser = $db->prepare("SELECT password FROM hired_person_info WHERE user_name=? AND activity=?");
$loginUser->bind_param('si', $userName, $active);
if ($loginUser->execute()) {
$results = $loginUser->get_result();
if ($results->num_rows == 1) {
$row = $results->fetch_object();
$stored_hash = "*";
$stored_hash = $row->password;
$check = $hasher->CheckPassword($password, $stored_hash);
if ($check) {
$_SESSION['name'] = $row->first_name;
$_SESSION['userId'] = $row->id;
$_SESSION['user'] = 1;
print_r($_SESSION);
header("Location:?pid=4");
} elseif (!empty($_POST['user_name']) && !empty($_POST['password'])) {
$loginErr = "'Invalid Login Information'";
}
} else {
$loginErr = "'We didn't find any users'";
}
}
}
add this from the manual of PHPass
$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
still no luck can somebody tell me where am mistaking here
Edit
this is my check_input()
code
function check_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
and I am using PHP 5.3.29
Thanks