php - Encryption sha512 algorithm Different values
So I have been using this login/register script in 3 projects and it worked great. The current project is creating problems: the generated password doesn't match the one in the DB, hence I couldn't log in.

The register page is given below:
```php
<?php
include_once 'includes/register.inc.php';
include_once 'includes/functions.php';
?>
<html>
<head>
    <meta charset="utf-8">
    <title>Secure Login: Registration Form</title>
    <script type="text/javascript" src="js/sha512.js"></script>
    <script type="text/javascript" src="js/forms.js"></script>
    <link rel="stylesheet" href="styles/main.css" />
</head>
<body>
    <?php
    if (!empty($error_msg)) {
        echo $error_msg;
    }
    ?>
    <form action="<?php echo esc_url($_SERVER['PHP_SELF']); ?>" method="post" name="registration_form">
        Username: <input type='text' name='username' id='username' /><br>
        Email: <input type="text" name="email" id="email" /><br>
        Password: <input type="password" name="password" id="password"/><br>
        Confirm password: <input type="password" name="confirmpwd" id="confirmpwd" /><br>
        <input type="button" value="Register"
               onclick="return regformhash(this.form, this.form.username, this.form.email, this.form.password, this.form.confirmpwd);" />
    </form>
    <p>Return to the <a href="index.php">login page</a>.</p>
</body>
</html>
```
The register.inc.php page is given below:
```php
<?php
include_once 'db_connect.php';
include_once 'psl-config.php';

$error_msg = "";

if (isset($_POST['username'], $_POST['email'], $_POST['p'])) {
    // Sanitize and validate the data passed in
    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        // Not a valid email
        $error_msg .= '<p class="error">The email address you entered is not valid</p>';
    }

    $password = filter_input(INPUT_POST, 'p', FILTER_SANITIZE_STRING);
    if (strlen($password) != 128) {
        // The hashed pwd should be 128 characters long.
        // If it's not, something really odd has happened
        $error_msg .= '<p class="error">Invalid password configuration.</p>';
    }

    // Username validity and password validity have been checked client side.
    // This should be adequate as nobody gains any advantage from
    // breaking these rules.
    //

    $prep_stmt = "SELECT license_num FROM doctor_details WHERE email = ? LIMIT 1";
    $stmt = $mysqli->prepare($prep_stmt);

    // check existing email
    if ($stmt) {
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();

        if ($stmt->num_rows == 1) {
            // A user with this email address already exists
            $error_msg .= '<p class="error">A user with this email address already exists.</p>';
        }
        $stmt->close();
    } else {
        // prepare() failed, so there is no statement to close
        $error_msg .= '<p class="error">Database error line 39</p>';
    }

    // check existing username
    $prep_stmt = "SELECT license_num FROM doctor_details WHERE username = ? LIMIT 1";
    $stmt = $mysqli->prepare($prep_stmt);

    if ($stmt) {
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $stmt->store_result();

        if ($stmt->num_rows == 1) {
            // A user with this username already exists
            $error_msg .= '<p class="error">A user with this username already exists</p>';
        }
        $stmt->close();
    } else {
        $error_msg .= '<p class="error">Database error line 55</p>';
    }

    // TODO:
    // We'll also have to account for the situation where the user doesn't have
    // rights to do registration, by checking what type of user is attempting
    // to perform the operation.

    if (empty($error_msg)) {
        // Create a random salt
        //$random_salt = hash('sha512', uniqid(openssl_random_pseudo_bytes(16), true)); // Did not work
        $random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true));

        // Create salted password
        $password = hash('sha512', $password . $random_salt);

        // Insert the new user into the database
        if ($insert_stmt = $mysqli->prepare("INSERT INTO doctor_details (username, email, password, salt) VALUES (?, ?, ?, ?)")) {
            $insert_stmt->bind_param('ssss', $username, $email, $password, $random_salt);
            // Execute the prepared query.
            if (! $insert_stmt->execute()) {
                header('Location: ../error.php?err=Registration failure: INSERT');
                exit();
            }
        }
        header('Location: ./register_success.php');
        exit();
    }
}
?>
```
The registering works fine, and the data gets entered into the DB. As an illustration I have created a test record with email = test@testing.com and password = pass123.
Password and salt entered in the DB:

password: 1ca2a523757d457a4df261c647dc45349ca8c721f76fa2b54e

salt: ae2788757a98b0750d0aaecb9735cc27d92d29413cab1c89fb741cf735fd551322f94993b7cb79cd4ade2dea221142dcac7aa380b776db7fa05bf6c6b5d32056
The hashed password when I try to log in:
d01feaafb5359e1fa2c020a76ebb526fc75786b0b837e0c9a4dcabd58ad734efa469513cf66a272d5ef4b1b9646b4b39f50807afc8f8663e1c6bb23552b04cd6
Login page:
```php
if (isset($_POST['email'], $_POST['p'])) {
    $email = $_POST['email'];
    $password = $_POST['p']; // The hashed password.

    if (login($email, $password, $mysqli) == true) {
        // Login success
        header('Location: ../protected_page.php');
        exit();
    } else {
        // Login failed
        header('Location: ../login.php?error=1');
        exit();
    }
}
```
The login function is given below:
```php
function login($email, $password, $mysqli) {
    // Using prepared statements means that SQL injection is not possible.
    if ($stmt = $mysqli->prepare("SELECT license_num, username, password, salt FROM doctor_details WHERE email = ? LIMIT 1")) {
        $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
        $stmt->execute();    // Execute the prepared query.
        $stmt->store_result();

        // Get variables from result.
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();

        // Hash the password with the unique salt.
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // If the user exists we check if the account is locked
            // from too many login attempts
            if (checkbrute($user_id, $mysqli) == true) {
                // Account is locked
                // Send an email to the user saying their account is locked
                return false;
            } else {
                // Check if the password in the database matches
                // the password the user submitted.
                if ($db_password == $password) {
                    // Password is correct!
                    // Get the user-agent string of the user.
                    $user_browser = $_SERVER['HTTP_USER_AGENT'];
                    // XSS protection as we might print this value
                    $user_id = preg_replace("/[^0-9]+/", "", $user_id);
                    $_SESSION['user_id'] = $user_id;
                    // XSS protection as we might print this value
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    // Login successful.
                    return true;
                } else {
                    // Password is not correct
                    // We record this attempt in the database
                    $now = time();
                    $mysqli->query("INSERT INTO login_attempts(user_id, time) VALUES ('$user_id', '$now')");
                    return false;
                }
            }
        } else {
            // No user exists.
            return false;
        }
    }
}
```
The DB structure is:

license_num (primary), email, password, username, salt
Is it because license_num is not auto increment?

Thanks if you can help out.
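As an added diagnostic (not code from the question or from the original login script), the Python below reproduces the two-stage derivation the scripts use, SHA-512 of the password on the client and then hash('sha512', $password . $salt) on the server, and makes the login comparison report why it fails instead of just returning false. It uses the password and salt values posted above; the posted stored hash is 50 hex characters while every SHA-512 hex digest is 128, so a length check is the first thing to run before comparing anything.

```python
import hashlib
import hmac

# Values copied from the question: the test password, the salt the register
# script stored for it, and the value the question shows as the stored hash.
PLAINTEXT = "pass123"
SALT = "ae2788757a98b0750d0aaecb9735cc27d92d29413cab1c89fb741cf735fd551322f94993b7cb79cd4ade2dea221142dcac7aa380b776db7fa05bf6c6b5d32056"
STORED_FROM_QUESTION = "1ca2a523757d457a4df261c647dc45349ca8c721f76fa2b54e"

SHA512_HEX_LEN = 128  # every SHA-512 hex digest is exactly this long


def client_hash(plaintext: str) -> str:
    """What js/sha512.js sends in the 'p' field: plain SHA-512 of the password."""
    return hashlib.sha512(plaintext.encode()).hexdigest()


def salted_hash(p_field: str, salt: str) -> str:
    """Server side: hash('sha512', $password . $random_salt)."""
    return hashlib.sha512((p_field + salt).encode()).hexdigest()


def check_login(p_field: str, salt: str, db_password: str) -> str:
    """Reproduce the login() comparison, but return a reason string.

    Returns 'ok' on success. Length checks come first: a stored digest
    shorter than 128 hex chars can never equal a freshly computed one,
    whatever the salt or password are.
    """
    if len(p_field) != SHA512_HEX_LEN:
        return "client hash is not a SHA-512 hex digest"
    if len(db_password) != SHA512_HEX_LEN:
        return (f"stored hash is {len(db_password)} chars, expected "
                f"{SHA512_HEX_LEN}: truncated before storage?")
    computed = salted_hash(p_field, salt)
    # Constant-time comparison instead of ==, so a mismatch does not leak
    # how many leading characters agreed.
    return "ok" if hmac.compare_digest(computed, db_password) else "password mismatch"


if __name__ == "__main__":
    p = client_hash(PLAINTEXT)
    full = salted_hash(p, SALT)
    print("register would store:", full)
    print("full 128-char hash :", check_login(p, SALT, full))
    print("value from question:", check_login(p, SALT, STORED_FROM_QUESTION))
```

The PHP counterpart of the constant-time compare is hash_equals().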