
I have a register page that allows the user to enter information, one item of which is a password, so it must be encrypted or hashed. I used Bcrypt and it works on the register page,

but when it comes to the login I do not know where and how to use it.
Can anyone help me?

register.php:

require_once('Bcrypt.php'); 

$bcrypt = new Bcrypt(15);
$hash = $bcrypt->hash('$pass1');

//********Insert all the members's input to the database**************//
$query = mysql_query("INSERT INTO members
                      (user_name, first_name, last_name,
                       governorate, district, village,
                       birth_date, email_address,
                       specialization, password, registered_date)
                      VALUES
                      ('$username', '$firstname', '$lastname',
                       '$governorate', '$district', '$village',
                       '$bdate', '$email', '$specialization',
                       ' $hash',  now())")
                      or die("could not insert data");

login.php:

require_once('Bcrypt.php');

$bcrypt = new Bcrypt(15);
$hash = $bcrypt->hash('$pass');
$isGood = $bcrypt->verify('$pass', $hash);

$sql=mysql_query("SELECT user_id, email_address,
                         first_name, user_name
                  FROM members
                  WHERE email_address='$email'AND password= '$hash'
                  LIMIT 1") or die("error in members table");

$login_check = mysql_num_rows($sql);
fthiella
user2394498
  • Please bear in mind that the `mysql_xx()` functions are deprecated and no longer supported. You should consider switching to use the PDO library instead. – Spudley May 17 '13 at 21:34
  • I just remembered that I had a problem where the code was fine as well but the passwords were being rejected. When you created the database table, what data type did you choose for the password column? And does it have enough space to save the hash properly? MySQL will cut the ends off if it's too long. – CP510 May 17 '13 at 21:48
  • That's most likely it. Check how long the average hash is and double it. It's probably gonna need to be varchar(255) just to be safe. When it comes to security it's better to use the couple of extra bytes. – CP510 May 17 '13 at 21:55
  • Yep, that will definitely be it. varchar 20 isn't even big enough to fit an md5. For a bcrypt hash you'll need 60 characters. I'll add that to my answer. – Spudley May 17 '13 at 21:57
  • @CP510 - you should too. – Spudley May 17 '13 at 22:00
  • for ref: http://stackoverflow.com/questions/5881169/storing-a-hashed-password-bcrypt-in-a-database-type-length-of-column – Spudley May 17 '13 at 22:01
  • `$bcrypt->verify('$pass', $hash);` -- here's a problem. The `$pass` in single quotes isn't going to be parsed; PHP will just see the string `'$pass'` rather than the contents of the `$pass` variable. Suggest you try removing the quotes. – Spudley May 17 '13 at 22:14
  • Also, it did not work. I think the problem is in the Bcrypt.php – user2394498 May 17 '13 at 22:32
  • In your insert statement you have a space before `$hash`. – Rufinus May 18 '13 at 08:35

2 Answers


It looks fine to me except that I would write the login.php query from `WHERE email_address='$email'AND password= '$hash'` to `WHERE email_address='$email' AND password='$hash'`

Make sure the column's data type that holds the password hash is long enough to contain any password the users will enter. If the extra bytes of data aren't a problem, then set the column to varchar(255) to make sure MySQL doesn't chop the end off your hash when you save it.

I would check out some of the built-in cryptography libraries. They've been updated since PHP 5.5 and will probably do the job for you if it's bcrypt that's not working right.

http://www.php.net/manual/en/refs.crypto.php

I have used md5 in the past with no problems, and if you're really worried about having it super secure check out php's built in mcrypt library. You could also "salt" the passwords as well to make sure they go in secured.

CP510
  • bcrypt is a secure password hashing algorithm. md5 is **not** secure. It should not be used for passwords. – Spudley May 17 '13 at 21:33
  • re your edit: No, md5 is ***not*** secure, even with a salt. I said nothing about mcrypt. But I can tell you that bcrypt is considered best practice for password hashing. In addition it is PHP's recommended hashing method, and the method they use in the new PHP 5.5 `password_xx()` functions. There's no reason to use anything else. – Spudley May 17 '13 at 21:38
  • Fair enough. It was mostly just a suggestion. I've never used BCrypt so I couldn't say if it's any good. I generally stick to mcrypt and salting myself, but it seemed like that would be an endeavor to explain at this moment. – CP510 May 17 '13 at 21:42
  • @Spudley so is my code right, and if not, how do I use it, especially in login? – user2394498 May 17 '13 at 21:42
  • It looks right. Is there any error text you can post to help see what exactly is failing? Or is it just saying it's an incorrect password? – CP510 May 17 '13 at 21:44
  • It just says incorrect password. I mean, is the structure of the code in login right?? – user2394498 May 17 '13 at 21:46

You're obviously using a third party library for the Bcrypt hashing. PHP has bcrypt functionality built-in, I guess this library is a wrapper for that. But I can't be certain because I don't recognise the library you're using, so I can't give specific advice about how to use it (other than to follow its documentation).

Allowing for the fact that I don't recognise the library you're using, there isn't anything obviously visibly wrong in the bcrypt parts of your code. (The SQL queries have variables that aren't defined anywhere, but I guess that's because you've only shown us a snippet of the code.)

If you're not getting anywhere with this library, I would suggest maybe looking at alternative libraries; there are two that I can think of that would be good to look at:

  • password_compat
    This is written by the same guy who does all the security code in the PHP core. In PHP 5.5 (due for release soon), they're introducing a new set of password_xxx() functions. This library implements those same functions in pure PHP code so they can be run in PHP 5.3 or 5.4. This library is therefore a good one to pick if you want to be compatible with future PHP versions.

  • PHP-Password
    A slightly older library by the same author. Just as good, but with an object-oriented API instead of mimicking the PHP 5.5 functions. If you want a general utility library for making it dead easy to handle passwords with complete security, this is the one I'd recommend.

Both of these libraries use the latest bcrypt algorithms behind the scenes.

[EDIT] Password field length. As mentioned in the comments, you'll need to have at least 60 character long fields to store a bcrypt hash. Your current 20 character limit isn't going to work for any kind of hash algorithm.

Spudley
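Putting the thread's points together, as an added example that is not code from the question or from either answer: register stores a single bcrypt hash, and login fetches the row by email alone and checks the password with `password_verify()` (built into PHP 5.5, supplied by the password_compat library on 5.3/5.4, which Spudley's answer names). The PDO connection `$pdo`, the `members` table layout and a `VARCHAR(255)` `password` column are assumptions.

```php
<?php
// Added example, not the question's or answers' code. Assumes a PDO connection
// in $pdo and a `members` table whose `password` column is VARCHAR(255), wide
// enough for the 60-character bcrypt hash (the question's VARCHAR(20) truncates it).

// register.php: hash once and store the hash. bcrypt generates its own random
// salt, so nothing else needs to be stored alongside it.
function registerMember(PDO $pdo, $email, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
    $stmt = $pdo->prepare(
        'INSERT INTO members (email_address, password, registered_date)
         VALUES (:email, :hash, NOW())'
    );
    $stmt->execute(array(':email' => $email, ':hash' => $hash));
}

// login.php: look the row up by email ONLY, then verify in PHP.
// Re-hashing the submitted password and putting it in the WHERE clause (as in
// the question) can never match: every bcrypt hash carries a fresh random salt,
// so two hashes of the same password are different strings.
function loginMember(PDO $pdo, $email, $password)
{
    $stmt = $pdo->prepare(
        'SELECT user_id, password FROM members WHERE email_address = :email LIMIT 1'
    );
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One failure value for both "unknown email" and "wrong password", so the
    // login form does not tell a caller which addresses are registered.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }

    // Optional: if the stored hash was made with a lower cost (or a legacy
    // algorithm), re-hash it now while the plaintext is legitimately available.
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, array('cost' => 12))) {
        $upd = $pdo->prepare('UPDATE members SET password = :hash WHERE user_id = :id');
        $upd->execute(array(
            ':hash' => password_hash($password, PASSWORD_BCRYPT, array('cost' => 12)),
            ':id'   => $row['user_id'],
        ));
    }
    return (int) $row['user_id'];
}
```

Prepared statements replace the deprecated `mysql_query()` string interpolation flagged in the comments, and the password never reaches SQL in any form other than its stored hash.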