Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Need help with login form

Viewing 15 posts - 16 through 30 (of 33 total)
  • #203251
    Anonymous
    Inactive

    I understand, that’s fine. I don’t completely understand why usernames need to be at least 6 characters (@traq, for example, would need to come up with something different) but those decisions are entirely down to you.

    The reason your code isn’t working is because you think that

    ':username'
    

    Is a variable and it isn’t. It’s a string.

    strlen(':username')
    

    Will always be 9. Therefore

    if(strlen(':username') < 6)
    

    Will always be false.

    $username
    

    Is a variable. It starts with a dollar sign and isn’t surrounded by quotation marks.

    #203253
    cscodismith
    Participant

    I believe that I have just finished what I have wanted successfully! It is echoing the message if a user tries to register a username that is less than 6 characters and it writes to database if the username is as long as needed. If you’re interested in seeing the code I used, you can do so here.

    #203254
    Anonymous
    Inactive

    Glad you got it sorted. Two questions: what is cpassword, and why md5?

    #203255
    cscodismith
    Participant

    cpassword is my confirm password field where it checks if the passwords match when users register to assure that they are entering the correct password in case the user makes a keystroke that they didn’t mean to and they can’t log in due to that.

    Also I just changed it from md5 to password_hash function, hopefully that will make it a bit better and reliable than md5 (:

    #203257
    cscodismith
    Participant

    Hmmm now that I have password hashed it doesn’t want to login the user!? The password(s) are hashed in the database with the password_hash function and when I try to login with the password I entered it provides the error when there is an invalid username/password.

    View sourcecode here.

    #203320
    cscodismith
    Participant

    Hmmm is it alright and still safe if I just use md5 to hash my passwords!? I have it working just fine by using

    md5($_POST['password']);
    

    In each of the register and login page(s) they read the hashed password just fine rather than doing more work than possibly needed with the password_hash function.

    #203325
    nkrisc
    Participant

    md5 is not secure enough for passwords. Don’t use it.

    There are also loads of rainbow tables of md5 hashes so odds are you could just google an md5 hash and you’d probably find the password in the Google results.

    Not to mention I’m pretty sure your example doesn’t even salt the passwords making it very insecure.

    #203335
    Anonymous
    Inactive

    rather than doing more work than possibly needed with the password_hash function.

    Urgh. This must be at least the third time I’ve said this on this forum. This perspective is just not acceptable. It’s unprofessional and could compromise your users. Take the time to do it right, use one of the many free options available, or pay someone to do it for you.

    md5 without a salt is about as useful as storing plain text passwords. With a salt it’s not much better. Password hash and password verify do all the work for you and are trivial to implement.

    If you’re struggling to work out how to use them, then please consider that you may not be the right person to be writing a login module for a production site. I realise this sounds aggressive, and I apologise for that, but you do need to work within your competence and avoid putting users at risk.

    #203351
    nkrisc
    Participant

    You wouldn’t want a surgeon to take shortcuts because he’s lazy, you should not do the same with people’s online privacy. If you’re asking them to register you have a responsibility to do it the right way and not take shortcuts. Knowingly using MD5 is pretty intentionally negligent. I hope your service isn’t taking money from people.

    #203354
    cscodismith
    Participant

    There is no sort of money involved nor is it a service. It is more of a website to show users information on the website. I get now that MD5 is most definitely not the route to go – did not know how insecure it was until all facts were told here.

    I am currently in the process of using the password_hash function rather than MD5 seeing as it is more secure. Thank you all again for letting me know the difference between the two.

    #203356
    cscodismith
    Participant

    Possibly you can help me further with this project using the password_hash function. I took a look at the hastebin link that you provided but don’t think I understand it fully – I have made a github project based on this login/registration project for the website here so you can take a look at my updated code there and let me know what it is that isn’t letting the user login.

    At this moment with the code updated on the GitHub project it seems to be reading the variables fine in register.php and login.php but when the user chooses to log in with his credentials it echoes the ‘error’ text as it shows on the login.php page. If you need to be added with your account I can do that so you can help me with the code on the project!!

    Best regards,
    Codi

    #203404
    Anonymous
    Inactive

    There is no sort of money involved nor is it a service.

    This actually isn’t relevant. You still have a duty to protect your users.

    Your login isn’t working because you are hashing the submitted password and seeing if it exists in the database. It won’t. Password hash uses a new salt each time.

    Only use password hash during registration to save a hash to the database. From then on retrieve the hash and use password verify to compare the submitted password to the stored hash.

    Seriously though, there’s no shame in just using an existing script for this stuff. Session management is a solved problem (most apps really don’t need to be written from scratch) and I don’t really understand why you’re doing this yourself.
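
The register-then-verify flow described in the post above, as an added example that is not part of the original thread or of the poster's project. The `users` table, its column names, the function names and the sample account are assumptions made for illustration; an in-memory SQLite database stands in for the site's real one.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the site's user table: in-memory SQLite via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration: the only place a hash is created for a new account.
function register(PDO $pdo, string $username, string $password): void
{
    // password_hash() picks a random salt and embeds it in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:username, :hash)');
    $stmt->execute([':username' => $username, ':hash' => $hash]);
}

// The failing approach: hash the submission again and look for an equal row.
function loginByRehash(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = :username AND password_hash = :hash');
    $stmt->execute([':username' => $username, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
    return $stmt->fetchColumn() !== false; // new salt means a different hash, so no row matches
}

// The working approach: fetch the stored hash by username, then password_verify().
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($password, $stored)) {
        return false; // unknown user or wrong password
    }
    // Upgrade the stored hash if PHP's default algorithm or cost has changed since.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE username = :username');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':username' => $username]);
    }
    return true;
}

register($pdo, 'exampleuser', 'correct horse battery staple'); // constructed sample account
var_dump(loginByRehash($pdo, 'exampleuser', 'correct horse battery staple'));
var_dump(login($pdo, 'exampleuser', 'correct horse battery staple'));
var_dump(login($pdo, 'exampleuser', 'wrong password'));
```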

    #203409
    cscodismith
    Participant

    UPDATE:

    I have created a password_verify function that works for the most part (all code is updated on the GitHub page). The only problem that is occurring now is when the user is redirected to

    header("Location: index.php")

    It is supposed to show
    Welcome, Username here
    Logout

    but it only shows the registration/login hyperlinks that are placed in the

    } else {

    statement.

    All source code of the project is updated and can be viewed here.

    #203410
    cscodismith
    Participant

    UPDATE:

    I have fixed the error above by adding the following code into the password_verify function.

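    if (password_verify($password, $hash)) {
        // Password matches the stored hash: remember the user and redirect.
        $_SESSION['username'] = $_POST['username'];
        header("Location: index.php");
        exit; // stop the script so nothing else runs after the redirect header
    } else {
        echo 'password is invalid';
    }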
    

    The code above correctly displays the username on the homepage when redirected.
