Need help - password hashing with sha 256

Codes here !

Moderators: egami, macek, gesf

Post Reply
dylfs
New php-forum User
New php-forum User
Posts: 3
Joined: Mon Apr 01, 2019 3:57 am

Mon Apr 01, 2019 4:06 am

Currently working my way through a Dynamic Web assignment in which I'm creating a user register and user login page. The passwords needs to be stored within the database using sha 2 or sha 3.

I've managed to get the registration form to store the passwords into the database hashedwith the following code:

Code: Select all


$hashed    = hash('sha256', $password);

$sql = "INSERT INTO vipno (username, password) VALUES ( '$username','$hashed')";

What I'm having problems with is matching the password up to the hashed password within the databse, code is as follows:

Code: Select all


$username = $_POST['username'];

$password = $_POST['password']; 

$hashed = hash('sha256', $password);

$sql = "SELECT * FROM vipno WHERE username='$username' AND password='$hashed' LIMIT 1";

Just a bit unsure of where I'm going wrong, any help would be appriciated.

chorn
php-forum Fan User
php-forum Fan User
Posts: 601
Joined: Fri Apr 01, 2016 2:18 am

Mon Apr 01, 2019 5:20 am

Your code is incomplete to test. Also you are lackign a definitive error description. Here's a short working example

Code: Select all

<?php

$user = 'test';
$pass = 'test123';
$hash = hash('sha256', 'test123');

$pdo = new PDO('sqlite::memory:', '', '');
$pdo->query('create table users(user text, password, text)');

$insert = $pdo->prepare('insert into users(user, password) values(?, ?)');
$insert->execute([$user, $hash]);

$fetch = $pdo->prepare('select user, password from users where user = ? and password = ?');
$fetch->execute([$user, $hash]);
print_r($fetch->fetchAll());
Alos you should consider using Prepared Statements. And why do you even use SHA? there's password_hash() function with cryptographic strength.

dylfs
New php-forum User
New php-forum User
Posts: 3
Joined: Mon Apr 01, 2019 3:57 am

Mon Apr 01, 2019 5:42 am

chorn wrote:
Mon Apr 01, 2019 5:20 am

Alos you should consider using Prepared Statements. And why do you even use SHA? there's password_hash() function with cryptographic strength.
reason for using sha is that it's a college assignment and that's what it's asking for
Passwords should be stored and transmitted securely using a current industry standard (e.g. hashing with sha-2 or sha-3)

Teaching on the course has been non existant. they show code on the board, explain what it does and then move on. So I'm not really sure what's going on with the code you've linked. My table is already created, my php is just inserting everything from the registration form directly into the relevent fields in the table.

problem I seem to be having is with the following code on the login page

Code: Select all

$sql = "SELECT * FROM vipno WHERE username='$username' AND password='$hashed' LIMIT 1"; 
if password = $password, I can log into the page with passwords that arn't hashed. if password = $hashed, nothing works.



Registration form:

Code: Select all

<main>
	<div class="container"> 
		<form name ="myForm" class="box" action="registerscript.php" method="post" onsubmit="return validateForm()">
			<h1>VIP Register</h1>
			<input type="text" name="username" placeholder="Username" required>
			<input type="text" name="password" placeholder="Password" required>
			<input type="text" name="name" placeholder="Name" required>
			<input type="text" name="vipnumber" placeholder="VIP Number" required>
			<input type="text" name="email" placeholder="Email" required>
			<input type="text" name="mobileno" placeholder="Mobile Number" required>
			<input type="submit" name="submit" value="Submit">
		</form>
	</div>
</main>


register php script code:

Code: Select all

<?php

// Attempt MySQL server connection.with default setting (user 'root' with no password) 
$link = mysqli_connect("localhost", "root", "", "rockinrochester");
 
// Checks connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}
 
// Escape user inputs for security
$username = mysqli_real_escape_string($link, $_REQUEST['username']);
$password = mysqli_real_escape_string($link, $_REQUEST['password']);
$name = mysqli_real_escape_string($link, $_REQUEST['name']);
$vipNo = mysqli_real_escape_string($link, $_REQUEST['vipnumber']);
$email = mysqli_real_escape_string($link, $_REQUEST['email']);
$mobile = mysqli_real_escape_string($link, $_REQUEST['mobileno']);
$hashed    = hash('sha256', $password);
 
// Attempts to  insert form into database. 
$sql = "INSERT INTO vipno (username, password, name, vipnumber, email, mobileno) VALUES ( '$username','$hashed', '$name', '$vipNo','$email', '$mobile')";

if(mysqli_query($link, $sql)){
   header('Location: registered.php'); // if it works relocated person to registered.html
} else{
    echo "ERROR: Could not able to execute $sql. " . mysqli_error($link); // if it fails it prints an error message
}
 
// Close connection
mysqli_close($link);

?>



login page:

Code: Select all


<?php

$username = "root"; // username for database
$password = ""; // password for database
$hostname = "localhost"; // host of database
$db = "rockinrochester"; // name of database

$conn = mysqli_connect($hostname, $username, $password, $db) //connects to database, with hostname username password and database name

or die ("Unable to connect to MySQL");

echo "Connected to MySQL<br>"; // prints out connected to MySQL

if(mysqli_connect_errno())
	{
		echo "Failed to connect to MySQL: " . mysqli_connect_error(); // error message if it doesn't connect
	}

echo "Connected to Db<br>"; // prints conected to Db when connected 

$username = $_POST['username']; // stores username as a variable

$password = $_POST['password']; // stores password as a variable 

$hashed = hash('sha256', $password);


$sql = "SELECT * FROM vipno WHERE username='$username' AND password='$hashed' LIMIT 1"; 



$res = mysqli_query($conn,$sql);
if (mysqli_num_rows($res) == 1) { // if a username and password match run this code
	echo "Login Successful."; // prints out login sucessfull
			session_start(); //starts a session
			$_SESSION["username"] = $username; // sets the variable username to the name they logged in with 
			echo "test";
	header('Location: logon.php'); // relocates them to the member section once logged in. 
exit();
} else {

	//header('Location: viplogin.php'); // sends user to login page again if the login is wrong
	echo "wrong password";
}

mysqli_close($conn); // closes connection

?>

chorn
php-forum Fan User
php-forum Fan User
Posts: 601
Joined: Fri Apr 01, 2016 2:18 am

Mon Apr 01, 2019 6:06 am

if password = $password, I can log into the page with passwords that arn't hashed.
So the password you store in the database is just not hashed, you have to verify your hasing process, have a look at all variables with var_dump().

dylfs
New php-forum User
New php-forum User
Posts: 3
Joined: Mon Apr 01, 2019 3:57 am

Mon Apr 01, 2019 7:43 am

Changed my php slightly to using:

Code: Select all

 $hashed    = password_hash($password, PASSWORD_DEFAULT); 
It's now storing passwords in my database as hashed strings.

I'm just having problems with it on the login page. I'm not quite sure how to go about pulling the password stored into the database out and match it against the user input password.

Code: Select all

 $password = $_POST['password']; // stores password as a variable 

chorn
php-forum Fan User
php-forum Fan User
Posts: 601
Joined: Fri Apr 01, 2016 2:18 am

Mon Apr 01, 2019 10:25 pm

Code: Select all

$query = $pdo->prepare('select passwordhash from users where user = ?');
$query->execute([$username]);
$user = $query->fetch();

if(password_verify($password, $user['passwordhash'])){ OK... }

Post Reply