1

i bet there are scripts out there already about this, but I'm creating this project just for fun and to test my knowledge, now i just want the public's opinions, and if you guys find a way I could improve feel free to share as well to comment against it.

My question is simply how to create a good salt. after reading the manual, and a few book chapters this is what i came up with. Although i feel like my salt should be longer for security. what should I change?

Here is my user class. please check genSalt() function and guide me to figure out how to improve my results. 

    <?php
if(!defined('ACCESS_CORE')){
    echo 'Permission Not Granted';
    exit;
}

class user{
    private $_email;
    private $_pass;
    private $_db;   
    private $_url;


    function __construct(){
        $this->_db = $this->db();
        $this->_url = 'localhost'; //change this to ur url 
        if(isset($_POST['user_login'])){
            $this->_email = $this->clean($_POST['user_email']); //sanitize later
            $this->_pass = $this->clean($_POST['user_password']);
        }
    }

    protected function db(){
        $db = parse_ini_file('../contra.conf');
        $this->_db = new mysqli($db['host'], $db['user'], $db['pass'], $db['name']);
        if ($this->_db->connect_errno) {
         trigger_error("Failed to connect to MySQL".$mysqli->connect_errno). $mysqli->connect_error;
        }   
    }

    protected function clean($string){
        return mysql_real_escape_string($string); #TODO: add more options html etc
    }

    public function safeReferer(){ 
        $ref = (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''); //if there is a ref..
        if(empty($ref) || strpos($ref, $this->_url)){
            return true;
        } else {
            return false;
        }
    }

    public function includeForm($message = ""){ #TODO: finish form view page
         ?>
        <div id="logForm">
            <h3>User Authentication Form</h3>
        <?php  echo ($message === "") ? '' : $message; ?>
                <form id="loginForm" method="post" action="login.php">
                    <input type="text" name="user_email" />
                    <input type="password" name="user_password" />
                    <input type="submit" value="Login" name="user_login" />
                    <a href="/" >Forgot password?</a>
                </form>
            </div>

        <?php ;
    }

    protected function genSalt($length) {  #TODO: improve something is fishy
        $prefix = '$2a$'.$length.'$'; //blowfish prefix
        //base64 unique random alphanumeric
        $uniqRand = base64_encode(mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)); 
        $modified_string = str_replace('+', '.', $uniqRand);  
        $salt = substr($modified_string, 0, $length);
        return $prefix.$salt.'$';
    }


     protected function correctPass($password, $salt){ #TODO: change to prepared statement. best method?
        $sql = "SELECT pass, s FROM users WHERE email = '$this->_email'";
            if($result = $this->_db->query($sql)){
                while ($row = $result->fetch_object()) {
                    if(cript($row['pass'], $row['s']) === $row['s']){
                        return true;
                    } else {
                        return false;
                    }
                }    
            }
    }


    public function login(){
        if($this->correctPass($this->_email, $this->_pass)){
            echo 'create session, session cookie, start timeout, and redirect'; #TODO: copy login, finish page on form view
        } else {
            $message = '<h5>Please try again</h5>';
            $message .= '<p>It looks like you have either entered a wrong user name or password.';
            $this->includeForm($message);
        }
    }

// test function, similar function in register class
   public function createPass($pass){
       $salt = $this->genSalt(10);
       $hash = crypt($pass, $salt);
       echo $salt. '--';
       echo 'hashed pass : '. $hash;
       echo '<br> entered pass : '.$pass.'<br>';
       if(crypt($pass, $hash) == $hash ){
                        echo  'true';
                    } else {
                        echo 'false';
                    }
   }
}

?>

test function results... $2a$10$WlUvRqsgZl$--
hashed pass : $2a$10$WlUvRqsgZl$$$$$$$$$$$. tRNdwECDQXhN07g4mIp82xxFCTUev3m entered pass : mypassword true

user3768494
  • 7
  • 2
  • 2
    If you don't have a specific question/problem, this is not the right platform. However, [codereview](http://codereview.stackexchange.com) might be – kero Jun 23 '14 at 18:06
  • You're mixing MySQL APIs for one thing, and they do **not** mix. `return mysql_real_escape_string($string);` – Funk Forty Niner Jun 23 '14 at 18:11
  • Well, my question is simply how to create a better salt using my script, i know im close. thats all. i just posted the whole file if any of you feel like teaching me a few things, guide me. Ive seen that happen in this platform. – user3768494 Jun 23 '14 at 18:14

1 Answers1

0

Why not consider the password_hash function? It also hashes but generates a random salt every time and uses blowfish by default. It requires PHP 5.5 or later, however.

Machavity
  • 30,841
  • 27
  • 92
  • 100