0

I am trying to "compare" the DB password with the password entered in the HTML form, but it is not working!

First, the password hash (register.php) was created with "password_hash". By the way, it works perfectly!!!

```php
$conexao = new mysqli($servername, $username, $password, $dbname);
$login = isset($_POST['Login']) ? $_POST['Login'] : '';
$senha = isset($_POST['Senha']) ? $_POST['Senha'] : '';

$crypt_senha = password_hash($senha, PASSWORD_DEFAULT, ['cost' => 18]);
$sql_insert = "INSERT INTO usuarios (Login, Senha) VALUES ('$login','$crypt_senha')";
$conexao -> query($sql_insert) === 0;
echo '<script type = "text/javascript" > alert("data entered successfully!!!") </script>';
```

The problem is the file "login.php". It is not "converting" the password entered with the password that is in the DB!

```php
$conexao = new mysqli($servername, $username, $password, $dbname);
$login = isset($_POST['Login']) ? $_POST['Login'] : '';
$senha = isset($_POST['Senha']) ? $_POST['Senha'] : '';

$sql_auth = "SELECT Login, Senha FROM usuarios where Login = '$login' AND Senha = '$senha'";
$decrypt_senha_DB = password_verify($senha, $sql_auth);
$resultado_auth = $conexao -> query($decrypt_senha_DB);

if ($resultado_auth -> num_rows === 0) {
    echo '<script type = "text/javascript" > alert("Incorrect user and/or password!") </script>';
    exit();
}

else {
    header('location: https://www.google.com.br/');
}
```

The conclusion is that the registered user can access the platform, even with the wrong password! How can I fix it?

Ry-
  • 4
    This is vulnerable to SQL injection, please read about parameterized queries. Also, you pass a password hash as the second argument to `password_verify`, not a query. Do the query first, and only filter on the username. – Ry- Apr 05 '18 at 21:18
  • 1
    For sanity's sake, try not to name variables with `crypt` in them when dealing with `hashed` content. – IncredibleHat Apr 05 '18 at 21:46
  • Ry-, and how can I do this? – Paulo Edson Apr 05 '18 at 23:58
  • @PauloEdson https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – CubicleSoft Apr 06 '18 at 13:58
  • Writing a security-hardened login system is hard and few programmers are actually ready for the task. Here's a guide: https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication – CubicleSoft Apr 06 '18 at 14:14
  • CubicleSoft, thank you for the link! It will be very important to my project!!! – Paulo Edson Apr 06 '18 at 15:55

2 Answers

1

You have it wrong when you are trying to fetch the password that is actually "hashed" in the db.

```php
$sql_auth = "SELECT Login, Senha FROM usuarios where Login = '$login' AND Senha = '$senha'";
```

The senha above cannot work because it is hashed.

What you have to do is just run a SELECT with just the USER info. Bring that user. And with what comes back from that user, you compare the password in there with PHP's `password_verify()` function.

This means do something like: `SELECT Senha FROM usuarios WHERE Login='$login' LIMIT 1;`

Then you do `password_verify($senha, <result-senha-from-db>);`

That will let you know if the user/password is correct or not.

MarkSkayff
0

I already managed to solve the problem!!!

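```php
$conexao = new mysqli($servername, $username, $password, $dbname);
$login = isset($_POST['Login']) ? $_POST['Login'] : '';
$senha = isset($_POST['Senha']) ? $_POST['Senha'] : '';

// Fetch the stored hash by login only; the bound parameter keeps $login out of the SQL text
$sql_auth = "SELECT Senha FROM usuarios WHERE Login = ?";
$stmt = $conexao->prepare($sql_auth);
$stmt->bind_param('s', $login);
$stmt->execute();
$sql_auth_consulta = $stmt->get_result(); // needs the mysqlnd driver

$decrypt_password = false; // stays false when the login does not exist
while ($linha = mysqli_fetch_array($sql_auth_consulta)) {
    $hash_DB = $linha['Senha'];
    // password_verify() re-hashes $senha with the salt stored in $hash_DB and compares
    $decrypt_password = password_verify($senha, $hash_DB);
}

if ($decrypt_password <> TRUE) {
    echo '<script type = "text/javascript" > alert("Incorrect user and/or password") </script>';
    exit();
}

else {
    header('location: https://www.google.com.br/');
}
```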

I picked up the tips from you and joined them with other tips from this forum! I compiled everything and it worked!!! Thank you all!!!

  • OK, you're welcome. Yes, you have it right now. Remember you are looking for just one result there, so the while() is not necessary. You can go and look directly with `$linha = mysqli_fetch_array($sql_auth_consulta)` – MarkSkayff Apr 06 '18 at 21:07
  • 1
    MarkSkayff, really the "while ()" is not necessary! I already removed it and it continues to work very well!!! Thank you one more time!!! – Paulo Edson Apr 07 '18 at 22:22
  • Yes. The `while()` is used when you expect more than one result. When it's just one result that you want, you go pick it up directly. – MarkSkayff Apr 10 '18 at 18:40
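
The flow both answers arrive at (select the stored hash by login only, then call `password_verify()`), written with bound parameters as the first comment on the question asks. This is an added example, not code from the original posts: it assumes PDO with an in-memory SQLite table standing in for the MySQL `usuarios` table, the function names `criar_usuario` and `autenticar` are hypothetical, and the throwaway-hash check for unknown logins and the `password_needs_rehash()` step go beyond what the thread covers.

```php
<?php
declare(strict_types=1);

// Added example: criar_usuario() and autenticar() are hypothetical names.
function criar_usuario(PDO $db, string $login, string $senha): void
{
    // Store only the hash; placeholders keep user input out of the SQL text.
    $stmt = $db->prepare('INSERT INTO usuarios (Login, Senha) VALUES (?, ?)');
    $stmt->execute([$login, password_hash($senha, PASSWORD_DEFAULT)]);
}

function autenticar(PDO $db, string $login, string $senha): bool
{
    // Throwaway hash verified when the login is unknown, so both failure
    // paths do a comparable amount of work.
    static $hash_falso = null;
    $hash_falso ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    // Filter on the login only: the stored hash never equals the typed password.
    $stmt = $db->prepare('SELECT Senha FROM usuarios WHERE Login = ? LIMIT 1');
    $stmt->execute([$login]);
    $hash_db = $stmt->fetchColumn(); // false when no row matches

    if ($hash_db === false) {
        password_verify($senha, $hash_falso);
        return false;
    }
    if (!password_verify($senha, $hash_db)) {
        return false;
    }
    // Re-hash on a successful login if PASSWORD_DEFAULT or its cost has changed.
    if (password_needs_rehash($hash_db, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE usuarios SET Senha = ? WHERE Login = ?');
        $up->execute([password_hash($senha, PASSWORD_DEFAULT), $login]);
    }
    return true;
}

// Constructed demo data; in-memory SQLite stands in for the MySQL table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usuarios (Login TEXT PRIMARY KEY, Senha TEXT NOT NULL)');
criar_usuario($db, 'paulo', 'senha-correta');

var_dump(autenticar($db, 'paulo', 'senha-correta')); // registered user, right password
var_dump(autenticar($db, 'paulo', 'senha-errada'));  // registered user, wrong password
var_dump(autenticar($db, "o'brien", 'qualquer'));    // unknown login containing a quote
```

Both failure cases return the same `false`, which fits the single "Incorrect user and/or password" message the posts already use.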