2

I want to create a web page where a user introduces a login and password and he will be redirected to another web page.

The login and password are given by the admin, the password should be hashed. I tried to use a code that I found on the internet ( I have done some changes) but it won’t work for me (I think the reason is the hashed password) please tell me where is the fault.

The link for the code used: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

(for the moment I have inserted a row into the database contain login and password as mentioned in the example)

I tested my code with the password given in the example:

Login: login1 Password: 6ZaxN2Vzm9NUJT2y The code you need in order to be able to log in as this user is:

INSERT INTO enquete.Etablissement VALUES(1, 'test_user', login1, '00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc', 'f9aab579fc1b41ed0c44fe4ecdbfcdb4cb99b9023abb241a6db833288f4eea3c02f76e0d35204a8695077dcf81932aa59006423976224be0390395bae152d4ef');

Login.html page:

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8 " />
    <title>Log In</title>
    <script type="text/JavaScript" src="./sha512.js"></script> 
    <script type="text/JavaScript" src="./forms.js"></script> 
</head>
<body>
    <?php 
        if(isset($_GET['error'])) { 
            echo 'Error Logging In!'; 
        } 
    ?> 
    <form action="process_login.php" method="post" name="login_form"> 
        Email: <input type="text" name="LoginEtab" />
        Password: <input type="text"  name="PwdEtab"    id="PwdEtab"/>
        <input type="button"   value="Login" onclick="formhash(this.form, this.form.PwdEtab);" /> 
    </form>
</body>

</html>

Forms.js page:

 function formhash(form, PwdEtab) {
  // Create a new element input, this will be our hashed password field.
  var p = document.createElement("input");

  // Add the new element to our form.
   form.appendChild(p);
   p.name = "p";
   p.type = "hidden";
  p.value = hex_sha512(PwdEtab.value);

    // Make sure the plaintext password doesn't get sent.
    p.value = "";

// Finally submit the form.
form.submit();
}

process_login.php page:

 <?php
 include 'db_connect.php';
 include 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.


 if (isset($_POST['LoginEtab'], $_POST['p'])) {
  $LoginEtab = $_POST['LoginEtab'];
  $PwdEtab = $_POST['p']; // The hashed password.

   if (login($LoginEtab, $PwdEtab, $mysqli) == true) 
 {
    // Login success
    header('Location: ./protected_page.html');
 } else {
    // Login failed
    header('Location: ./index.php?error=1');
}
} else {
  // The correct POST variables were not sent to this page.
   echo 'Invalid Request';

}
 ?>

functions.php page :

  <?php

   include 'psl-config.php';

   function sec_session_start() {
     $session_name = 'MyOwnsession';   // Set a custom session name
     $secure = SECURE;

     // This stops JavaScript being able to access the session id.
   $httponly = true;

     // Forces sessions to only use cookies.
      ini_set('session.use_only_cookies', 1);

     // Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
                $cookieParams["path"],
                $cookieParams["domain"],
                $secure,
                $httponly);

    // Sets the session name to the one set above.
     session_name($session_name);

     session_start();            // Start the PHP session
     session_regenerate_id();    // regenerated the session, delete the old one.
  }



 function login($LoginEtab, $PwdEtab, $mysqli) {

    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT IDEtablissement , LoginEtab, PwdEtab, salt FROM etablissement WHERE LoginEtab = ? LIMIT 1"))
 {
       $stmt->bind_param('s', $LoginEtab);  // Bind "$email" to parameter.
       $stmt->execute();    // Execute the prepared query.
       $stmt->store_result();

       // get variables from result.
       $stmt->bind_result($db_IDEtablissement, $db_LoginEtab, $db_PwdEtab, $salt);
       $stmt->fetch();

         // hash the password with the unique salt.
         $PwdEtab = hash('sha512', $PwdEtab . $salt);
        if ($stmt->num_rows == 1) {
          // If the user exists we check if the account is locked
         // from too many login attempts
                 echo"text";
            // Check if the password in the database matches
            // the password the user submitted.
            if ($db_PwdEtab == $PwdEtab) {
                // Password is correct!
                // Get the user-agent string of the user.
                $user_browser = $_SERVER['HTTP_USER_AGENT'];
                // XSS protection as we might print this value
                $db_IDEtablissement = preg_replace("/[^0-9]+/", "", $db_IDEtablissement);
                $_SESSION['db_IDEtablissement'] = $db_IDEtablissement;

                // XSS protection as we might print this value
                $db_LoginEtab = preg_replace("/[^a-zA-Z0-9_\-]+/","",$db_LoginEtab);

                $_SESSION['db_LoginEtab'] = $db_LoginEtab;
                $_SESSION['login_string'] = hash('sha512',$PwdEtab .$user_browser);

                // Login successful.
                  return true;
    echo"false2";
            } else {
                // Password is not correct
                // We record this attempt in the database
                $now = time();
               echo"false1";


              }
         }
      } else {
        // No user exists.
        return false;
        echo"false";
        }

 }

 ?>

db_connect.php page

<?php
 include 'psl-config.php';   // Needed because functions.php is not included

 $mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);

?>

psl-config.php' page :

 <?php
 /**
* These are the database login details
  */
 define("HOST", "localhost");           // The host you want to connect to.
 define("USER", "root");            // The database username.
 define("PASSWORD", "");    // The database password.
 define("DATABASE", "enquete");     // The database name.
 define("SECURE", FALSE);

 ?>

Update: I am always redirected to the index page :header('Location: ./index.php?error=1');

and the appach log is :

[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant HOST already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:5, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant USER already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:6, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant PASSWORD already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:7, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant DATABASE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:8, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Notice:  Constant SECURE already defined in C:\\wamp\\www\\loginSecurity\\psl-config.php on line 18, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP Stack trace:, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   1. {main}() C:\\wamp\\www\\loginSecurity\\process_login.php:0, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   2. include() C:\\wamp\\www\\loginSecurity\\process_login.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   3. include() C:\\wamp\\www\\loginSecurity\\functions.php:3, referer: http://localhost/loginSecurity/login.html
[Tue Mar 01 11:57:58 2016] [error] [client 127.0.0.1] PHP   4. define() C:\\wamp\\www\\loginSecurity\\psl-config.php:18, referer: http://localhost/loginSecurity/login.html

Update I found where was the problem :) I have to add to my code

 $PwdEtab = hash('sha512', $PwdEtab );

before the hash with salt in login function

Improve this question
2
  • Can you post the output and error logs from the test Commented Mar 1, 2016 at 10:46
  • php log is empty I just found the appach log Commented Mar 1, 2016 at 13:50

2 Answers 2

Reset to default
2

You are including the file psl-config.php twice, if you need, try include_once instead of include

****** EDIT ******

Let's make it work.

first, hash a new password:

include_once 'psl-config.php';

$user = 'admin';
$pass = '123';
$token = 'test';
$password = hash('sha512', $pass . $token);

$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
$stmt = $mysqli->prepare("UPDATE etablissement SET LoginEtab = '{$user}', PwdEtab = '{$password}', salt = '{$token}' WHERE IDEtablissement = 1");
$stmt->execute();

then, change your form:

<form action="process_login.php" method="post" name="login_form">
    Email: <input type="text" name="LoginEtab" value="admin"/>
    <br><br>
    Password: <input type="text" name="PwdEtab" id="PwdEtab" value="123"/>
    <br><br>
    <input type="submit" value="Login"/>
</form>

now change process_login.php:

<?php

include_once 'db_connect.php';
include_once 'functions.php';

sec_session_start(); // Our custom secure way of starting a PHP session.

if (isset($_POST['LoginEtab'])) { //<======CHANGE HERE

    $LoginEtab = $_POST['LoginEtab'];
    $PwdEtab = $_POST['PwdEtab']; // The hashed password. //<======AND HERE

    if (login($LoginEtab, $PwdEtab, $mysqli) == true) {
        // Login success
        header('Location: ./protected_page.html');
    } else {
        // Login failed
        header('Location: ./index.php?error=1');
    }
} else {
    // The correct POST variables were not sent to this page.
    echo 'Invalid Request';
}

and voilà.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

thank you I have added include_once but always my problem is that the password given and the password in the database are different
Look, I've tried your code and it works fine, including redirect to logged page. I think you don't need to hash the password on the view, try to control only on php, then you can remove form.js and sha512.js.To make a encrypted password, use hash('sha512', $anypass.$anytoken); and store the result and token to database.
why should I update my database ? I only want to compare the login and password given to those already exists in the database? I have removed form.js and worked only with php and added include once
You don't need update your password, but you need ensure that your db password was hashed correctly
1

Update I found where was the problem :) I have to add to my code

$PwdEtab = hash('sha512', $PwdEtab );

before the hash with salt in login function finally it works for me :)

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.