{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 萌系小妹纸 的问题《Verify Login with Bcrypt Password》','https://www.manongdao.com/q-1249543.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a site where i'm programming a registration/login system with bcrypt. I have successfully inserted the registration details with the hashed password into the database. My problem is how to authenticate the user using this hashed password. Below are the codes i used:
Registration action:
<? ob_start();//Start buffer output ?>
<html>
<head>
<title>MySite: Registration Action</title>
</head>
<font face="arial">
<?php
session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
//echo "Correct Code Entered";
//Do req stuff
$host="host"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="db"; // Database name
$tbl_name="tbl"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Get values from form
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);
$myemail=mysql_real_escape_string($_POST['myemail']);
$mysecrquest=mysql_real_escape_string($_POST['mysecrquest']);
$mysecransw=mysql_real_escape_string($_POST['mysecransw']);
$mypassword_rep=mysql_real_escape_string($_POST['mypassword_rep']);
$myemail_rep=mysql_real_escape_string($_POST['myemail_rep']);
$mysecransw_rep=mysql_real_escape_string($_POST['mysecransw_rep']);
$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);
$encpass = crypt($mypassword, $salt);
//validate input
if (( !empty($myusername) && !empty($mypassword) && !empty($myemail) && !empty($mysecrquest) && !empty($mysecransw) )
&& (($mypassword_rep==$mypassword)&&($myemail_rep==$myemail)&&($mysecransw_rep==$mysecransw)))
{
// Insert data into mysql
$sql="INSERT INTO $tbl_name(username, salt, password, email, secrquest, secransw)VALUES('$myusername', '$salt', '$encpass', '$myemail', '$mysecrquest',
'$mysecransw')";
$result=mysql_query($sql);
// if successfully insert data into database, displays message "Successful".
if($result){
echo "<center><font color='green'>Congratulations! Your registration was Successful</font></center>";
echo "<BR>";
echo "<center><a href='somepage.php'>Somepage</a></center>";
}
}
else {
echo "<center><font color='red'>You have one or more invalid entries: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}
}
else {
echo "<center><font color='red'>Wrong Captcha: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}
?>
<?php
// close connection
//mysql_close();
?>
</font>
</html>
<? ob_flush();//Flush buffer output ?>
Login Action:
<? ob_start();//Start buffer output ?>
<html>
<head>
<title>MySite: Login Action</title>
</head>
<font face="arial">
<?php
session_start();
if(isset($_POST["captcha"])&&$_POST["captcha"]!=""&&$_SESSION["code"]==$_POST["captcha"])
{
// echo "<font color='green'>Correct Code Entered</font>";
//Do req stuff
$host="host"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="db"; // Database name
$tbl_name="tblx"; // Table name
$tbl_name2="tbl"; // Table name 2
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Get values from form
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);
// Validate the login
$sql2="SELECT * FROM $tbl_name2 WHERE username='$myusername'";
$result2=mysql_query($sql2);
$row=mysql_fetch_assoc($result2);
//$count=mysql_num_rows($result2);
// If result matched $myusername and $mypassword, table row must be 1 row
//if($count==1)
//$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);
$encpass = crypt($mypassword, $salt);
if ($encpass == $row['password'])
{
session_start();
$_SESSION['myusername'] = $myusername;
header ("Location: memberspage.php");
}
else {
echo "<center><font color='red'>Invalid Login Details. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";
echo "<center><a href='loginpage.php'>Back</a></center>";
}
}
else {
echo "<center><font color='red'>Wrong Captcha. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";
echo "<center><a href='loginpage.php'>Back</a></center>";
}
?>
<?php
// close connection
//mysql_close();
?>
</font>
</html>
<? ob_flush();//Flush buffer output ?>
Any help is appreciated. Thanks.
bcrypt uses a per row salt meaning you have to check whats there rather than generating a new salt and comparing.
for more info How do you use bcrypt for hashing passwords in PHP?
I suggest using PHP's built-in
password_xxx()functions. These are explicitly designed to make it easy to work with passwords hashed using bcrypt. You don't need to think of anything other than callingpassword_verify()to check a login attempt andpassword_hash()when creating an account. Easy.That's by far the easiest way of working with passwords in PHP.
Note that these functions are only available in the latest PHP version (v5.5). However there is a backward compatibility library you can download that makes them work exactly the same in all currently supported versions of PHP (ie v5.3 and 5.4).
Hope that helps.
With all given respect: Your code is full of errors, outdated stuff and in consequence very very unsecure. I would kindly recommend to use a professional, tested and clean login script and not going on further with your code.
$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);is totally outdated and not sure in any way anymore.$2a-algorithmns are "weak" algorithmns, even when salted.mysql_is outdated and should never be used.<font face="arial">is outdated since 1999, the rest of your code might also be from that time.Sooo, in consequence: Have a look on the official PHP password compat library here: https://github.com/ircmaxell/password_compat and build your login system with the sexy, simple functions. Or use an established login system, like this one here: https://github.com/panique/php-login