php - Hashing password in register and login do not match
I've a register form that allows the user to enter a password, and I hash the password using crypt.
In the register form it works: the password is hashed and secure in the database. But when it comes to login the password does not match and the system does not log in.
Can anyone help me?
Hashing the password in register.php:
    // crypt password
    require_once('include/blowfish.php');
    $bcrypt = new bcrypt(4);
    $hash = $bcrypt->hash($pass1);
    echo $hash;

    //************ insert member's input into database **************************//
    $query = mysql_query("insert into members (user_name, first_name, last_name, governorate, district, village, birth_date, email_address, specialization, password, registered_date)
        values ('$username', '$firstname', '$lastname', '$governorate', '$district', '$village', '$bdate', '$email', '$specialization', '$hash', now())") or die(mysql_error());
Hashing the password in login.php:
    $sql = mysql_query("select user_id, email_address, first_name, user_name from members where email_address='$email' and password='$pass' limit 1") or die("error in members table");
    $login_check = mysql_num_rows($sql);
    if ($login_check > 0) {
        $row = mysql_fetch_array($sql);
        $row_pass = $row['password'];

        //*********** for hashing password ***************************//
        require_once('include/blowfish.php');
        $bcrypt = new bcrypt(4);
        if ($bcrypt->verify($pass, $row_pass)) {
            $id = $row['user_id'];
            $_SESSION['user_id'] = $id;
            $firstname = $row['first_name'];
            $_SESSION['first_name'] = $firstname;
            $email = $row['email_address'];
            $_SESSION['email_address'] = $email;
            $username = $row['user_name'];
            $_SESSION['user_name'] = $username;

            mysql_query("update members set last_log_date=now() where user_id='$id'");
            //$message = "correct email, password!!";
            header("location: profile.php");
            // exit();
        } // close if
    } // close if
    else {
        $message = "incorrect email or password!!";
        //exit();
    }
It doesn't work because in the first snippet you save $hash into members.password,
while in the second snippet you check the real password input. You need to hash it first:
    $bcrypt = new bcrypt(4);
    $hash = $bcrypt->hash($pass);
    $query = sprintf("select user_id, email_address, first_name, user_name from members where email_address='%s' and password='%s'",
        mysql_real_escape_string($email), mysql_real_escape_string($hash));
    $sql = mysql_query($query) or die("error in members table");
    $login_check = mysql_num_rows($sql);
    if ($login_check > 0) {
        ...
Also, the code is vulnerable to SQL injection and uses the deprecated mysql_* functions.
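A registration and login pair that avoids both problems raised on this page (matching the password against the stored hash inside the SQL query, and the injectable, deprecated mysql_* calls): fetch the row by e-mail alone, then verify the password in PHP. This is an added example, not code from the question, the answer or include/blowfish.php; it assumes PDO with a MySQL DSN, PHP 7.1 or later with the native password_hash()/password_verify() functions, and that session_start() has already been called.

```php
<?php
// Added example, not the code from the question or the answer. Assumes PDO with a MySQL
// DSN, PHP >= 7.1 with password_hash()/password_verify() (bcrypt, "$2y$" hashes) in place
// of include/blowfish.php, and that session_start() has already been called.
// Table and column names are the ones used in the question.

function register_member(PDO $db, string $email, string $username, string $password): void
{
    // Hash exactly once, at registration. bcrypt generates a random salt and stores it
    // inside the hash string, so the same password hashes differently every time.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

    $stmt = $db->prepare(
        'INSERT INTO members (user_name, email_address, password, registered_date)
         VALUES (:user_name, :email, :hash, NOW())'
    );
    $stmt->execute([':user_name' => $username, ':email' => $email, ':hash' => $hash]);
}

function login_member(PDO $db, string $email, string $password): ?array
{
    // Look the member up by e-mail only. The password cannot be part of the WHERE
    // clause: neither the plaintext nor a freshly computed hash equals the stored hash.
    $stmt = $db->prepare(
        'SELECT user_id, email_address, first_name, user_name, password
           FROM members WHERE email_address = :email LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the salt and cost out of the stored hash and compares in
    // constant time. One generic failure for "no such e-mail" and "wrong password".
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }

    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['user_id']       = $row['user_id'];
    $_SESSION['first_name']    = $row['first_name'];
    $_SESSION['email_address'] = $row['email_address'];
    $_SESSION['user_name']     = $row['user_name'];

    $upd = $db->prepare('UPDATE members SET last_log_date = NOW() WHERE user_id = :id');
    $upd->execute([':id' => $row['user_id']]);

    unset($row['password']);       // never hand the hash back to the caller
    return $row;
}
```

A null return means "incorrect email or password" and should be reported to the user with that single message; the caller decides whether to redirect to profile.php.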