
I wrote a login page and a checking page in PHP. On my local machine it works, but on the server it doesn't (if it matters, I'm on Windows and the server is on Linux).

Here is the code in the checking page:

<?php
$user = $_POST['userName'];
$pass = $_POST['pass'];

// Look up the per-user salt; the user name is interpolated directly into the SQL text
$saltSQL = 'SELECT salt FROM agents WHERE name="' . $user . '"';
$saltResult = mysql_fetch_array(mysql_query($saltSQL));
$salt = $saltResult['salt'];

// + is PHP's arithmetic operator; string concatenation is the . operator
$passToCheck = hash('sha512', $salt + $pass);

// Second query lowercases the name, whereas the salt query above used it as typed
$rowAgent = mysql_fetch_array(mysql_query('SELECT * FROM agents WHERE name ="' . strtolower($user) . '"'));

// != is a loose comparison of the stored hex digest against the computed one
if ($rowAgent['password'] != $passToCheck) {
    header("location:mainLogin.php");
    exit;
}

header("location:selectamount_new.php");

The strange thing is that when I enter something with letters in the password input the system lets me in (no matter what), and when I enter just numbers the system checks the password correctly and will not let me in (it redirects me to mainLogin.php and not to selectamount_new.php).

Again, on my local machine it works just fine; the problem is when I push the code to the Linux machine (AWS) with Git.

  • Are the character encodings the same on your local machine and on the server? Commented Sep 7, 2015 at 7:03
  • The SHA-* family is not appropriate to hash passwords, because the algorithm is too fast. Have a look at the functions password_hash() and password_verify(). Commented Sep 7, 2015 at 7:42
  • @martinstoeckli thanks! But sadly I currently can't use them; I work on a system with PHP version 5.3. Fortunately it's temporary: we're building a new back-end and the PHP version will be newer, so I'll use them in the future. Commented Sep 7, 2015 at 8:02
  • @Nir - But you can, there is a compatibility pack for PHP 5.3.7 and later. As soon as you switch to a newer PHP version you can just remove the file from your project. Commented Sep 7, 2015 at 11:28

1 Answer


The problem is at $salt + $pass. This is not concatenation; it is the + operator, like in math. So string + string = nothing, which means every password will match. number + string = number, which is why this works with numbers. You should use the . operator here, which means concatenation.

Anyway, if you don't protect against SQL injection, anyone will be able to log in to your site, regardless of this fix.


2 Comments

Thanks, it worked! I'm new to PHP and didn't notice that. And I'm taking care of the SQL injection part; the system is not public yet.
@Nir: Also get rid of SHA-512 and use something secure like bcrypt, scrypt or PBKDF2.
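A worked version of the two points in the answer above (use . rather than +, and bind the user name instead of interpolating it), combined with the password_hash()/password_verify() approach suggested in the comments. This is an added example, not code from the question or the answer. It assumes PHP with the pdo_sqlite extension and, on PHP 5.3.7 to 5.4, the password_compat library for password_hash(); the table and column names agents, name and password follow the question, the agent 'alice' and her password are constructed sample data, and brokenKey(), fixedKey(), setupDb() and checkLogin() are names chosen here.

```php
<?php
// Added example (not the question's or the answer's code).
// Part 1 reproduces the + bug; part 2 is the corrected login check.

// --- Part 1: why $salt + $pass lets any non-numeric password through ---

function brokenKey($salt, $pass)
{
    // PHP 5/7: a string that does not start with a digit is 0 in arithmetic,
    // so 'x1' + 'secret' == 0 and hash('sha512', 0) hashes the string "0"
    // whatever the password was. PHP 8 throws a TypeError for the same expression.
    try {
        return hash('sha512', $salt + $pass);
    } catch (TypeError $e) {
        return 'TypeError: ' . $e->getMessage();
    }
}

function fixedKey($salt, $pass)
{
    // The concatenation operator is '.', so the password actually reaches the hash.
    return hash('sha512', $salt . $pass);
}

// --- Part 2: corrected check with a bound parameter and password_verify() ---

function setupDb()
{
    // In-memory SQLite stands in for the MySQL agents table (assumption).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE agents (name TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed sample agent. password_hash() embeds its own random salt
    // in the stored string, so a separate salt column is no longer needed.
    $stmt = $db->prepare('INSERT INTO agents (name, password) VALUES (?, ?)');
    $stmt->execute(array('alice', password_hash('correct horse', PASSWORD_DEFAULT)));
    return $db;
}

function checkLogin(PDO $db, $user, $pass)
{
    // The user name travels as a bound parameter, never as part of the SQL
    // text, so a value like 'alice" OR "1"="1' is just a name that does not exist.
    $stmt = $db->prepare('SELECT password FROM agents WHERE name = ?');
    $stmt->execute(array(strtolower($user)));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() re-derives the hash and compares it in constant time.
    return password_verify($pass, $row['password']);
}

// Part 1: run the broken derivation over passwords with letters and one with only digits.
foreach (array('secret', 'letmein', 'anything', '1234') as $p) {
    echo $p, ' -> ', brokenKey('x1', $p), "\n";
}
echo 'fixedKey collides? ', var_export(fixedKey('x1', 'secret') === fixedKey('x1', 'letmein'), true), "\n";

// Part 2: correct password, wrong password, injection-style user name.
$db = setupDb();
$attempts = array(
    array('alice', 'correct horse'),
    array('alice', 'wrong'),
    array('alice" OR "1"="1', 'wrong'),
);
foreach ($attempts as $attempt) {
    echo $attempt[0], ' / ', $attempt[1], ' -> ',
        var_export(checkLogin($db, $attempt[0], $attempt[1]), true), "\n";
}
```

On PHP 5 and 7, brokenKey() yields the same digest for every password that contains letters, because 'x1' + 'secret' evaluates to 0 and hash() receives "0"; a digits-only password such as '1234' evaluates to 1234 and therefore produces a different digest, which is exactly the letters-versus-digits behaviour described in the question. PHP 8 refuses the expression with a TypeError. If SHA-512 has to stay until the PHP upgrade, at least compare the digests with === rather than !=: PHP's loose comparison treats two hex strings of the form "0e" followed by digits as equal numbers, so != can report a match between two different digests.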
