
I am using PHPass to store passwords encrypted and compare them at login.

Here is the code:

ob_start();
$userName = $password = "";
$userNameErr = $passwordErr = $loginErr = "";
$hasher = new PasswordHash(8, false);

if (isset($_POST['subEmployee'])) {
    if (empty($_POST['user_name'])) {
        $userNameErr = "User name is required";

    } else {
        $userName = check_input($_POST['user_name']);
        if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) {
            $userNameErr = "Only letters, numbers and '_' allowed";
        }
    }
    if (empty($_POST['password'])) {
        $passwordErr = "Password is required";
    }else{
        $password = check_input($_POST['password']);
    }

    $active = 1;
    // id and first_name are read from $row below, so they must be selected here too
    $loginUser = $db->prepare("SELECT id, first_name, password FROM users WHERE user_name=? AND activity=?");
    $loginUser->bind_param('si', $userName, $active);
    if ($loginUser->execute()) {
        $results = $loginUser->get_result();
        if ($results->num_rows == 1) {
            $row = $results->fetch_object();
            $stored_hash = "*";
            $stored_hash = $row->password;
            $check = $hasher->CheckPassword($password, $stored_hash);
            if ($check) {
                $_SESSION['name'] = $row->first_name;
                $_SESSION['userId'] = $row->id;
                $_SESSION['user'] = 1;
                print_r($_SESSION);
                header("Location:?pid=4");
            } elseif (!empty($_POST['user_name']) && !empty($_POST['password'])) {
                $loginErr = "'Invalid Login Information'";
            }
        }
    }
}

So far it always gives the same message 'Invalid Login Information'. I have made the registration form that stores my password like this:

$hasher = new PasswordHash(8, false);
$hash = md5(rand(0, 1000));

if (empty($_POST['password'])) {
    $error ['passwordErr'] = "Password is required";
} elseif (strlen($_POST['password']) < 8) {
    $error ['passwordErr'] = "<span class='notAllowed'>Chose password with at last eight characters</span>";
} elseif (strlen($_POST['password']) > 72) {
    $error ['passwordErr'] = "<span class='notAllowed'>Password max 72 characters</span>";
} elseif ($_POST['password'] !== $_POST['confirm']) {
    $error ['passwordErr'] = "Password don't matching";
} else {
    $password = $hasher->HashPassword($password);
}

When I checked my database the password seems hashed to me, the user name is there and everything is alright,

but I am still getting this message: 'Invalid Login Information'.

Are these two lines right?

// id and first_name are read from $row later, so they must be selected here too
$loginUser = $db->prepare("SELECT id, first_name, password FROM users WHERE user_name=? AND activity=?");
$loginUser->bind_param('si', $userName, $active);

Is the login code OK?

I tried this too.

Update: I updated my code.

if (isset($_POST['subEmployee'])) {
    $error=array();

    $hash_cost_log2 = 8;
    $hash_portable = FALSE;
    $hasher = new PasswordHash($hash_cost_log2, $hash_portable);

    if (empty($_POST['user_name'])) {
        $userNameErr = "User name is required";

    } else {
        $userName = check_input($_POST['user_name']);
        if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) {
            $userNameErr = "Only letters, numbers and '_' allowed";
        }
    }
    if (empty($_POST['password'])) {
        $passwordErr = "Password is required";
    } else {
        $password = $_POST['password'];
    }
    $active = 1;

    // id and first_name are read from $row below, so they must be selected here too
    $loginUser = $db->prepare("SELECT id, first_name, password FROM hired_person_info WHERE user_name=? AND activity=?");
    $loginUser->bind_param('si', $userName, $active);
    if ($loginUser->execute()) {
        $results = $loginUser->get_result();
        if ($results->num_rows == 1) {
            $row = $results->fetch_object();
            $stored_hash = "*";
            $stored_hash = $row->password;
            $check = $hasher->CheckPassword($password, $stored_hash);
            if ($check) {
                $_SESSION['name'] = $row->first_name;
                $_SESSION['userId'] = $row->id;
                $_SESSION['user'] = 1;
                print_r($_SESSION);
                header("Location:?pid=4");
            } elseif (!empty($_POST['user_name']) && !empty($_POST['password'])) {
                $loginErr = "'Invalid Login Information'";
            }
        } else {
            $loginErr = "'We didn't find any users'";
        }
    }
}

I added this from the PHPass manual:

$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);

Still no luck. Can somebody tell me where I am making a mistake here?

Edit: this is my check_input() code.

function check_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

And I am using PHP 5.3.29.

Thanks

Yousef Altaf
  • Don't use PHPass, please use the native PHP 5.5 password hashing functions (that are also available for PHP 5.3 / 5.4 with a lib) – Sliq Sep 27 '14 at 14:20
  • Can you please guide me to the sources for PHP 5.3 and how to implement it into my login code? – Yousef Altaf Sep 27 '14 at 17:18
  • And why not use PHPass? Is it not good, does it have bugs, is it very difficult, or what? – Yousef Altaf Sep 27 '14 at 17:20
  • @YousefAltaf - Which PHP version are you using exactly, 5.3.0 or 5.3.7? The first thing I would check is the function `check_input()`: does it possibly alter the input (escaping, trimming, ...)? You do not use it in the registration form, so this could be a difference. Then, did you check the content of `var_dump($stored_hash)`, was it correct? PHPass is actually a good library, though since PHP has a dedicated function `password_hash()` it is somewhat obsolete (can be used since PHP 5.3.7). You can also find more information on my [homepage](http://www.martinstoeckli.ch/php/php.html#bcrypt). – martinstoeckli Sep 28 '14 at 19:20
  • @martinstoeckli first I'd like to thank you for helping me, and I am very glad that someone is interested in answering my question. About your question about check_input(): no, I am sure that I used it in both files, the registration and the login area. I updated my question for the PHP version; it's 5.3.29, see the Edit in my question. – Yousef Altaf Sep 28 '14 at 19:56

These are some points I would check:

1) In your registration handler you check the POST variable directly, but for hashing you take the variable $password; I would always access the input in the same way, for example:

$password = $hasher->HashPassword($_POST['password']);

2) The function check_input() is not recommended for passwords, since you calculate a hash value and this hash value is "safe" anyway. Even for other user input, one should validate it as you did, but escaping should be done as late as possible, and only for the particular output. So the function htmlspecialchars() should not be called on user input, but always right before outputting to HTML.

3) In your login handler you access the password once with the POST variable and once with the variable $password. The variable $password is set only in an if statement, so if the input is empty you fill the error but you continue with an uninitialized $password variable. Either fill the variable just at the beginning, or always use the POST variable.

4) Since you are using PHP 5.3.29 you can use the new function password_hash() with the compatibility pack. I do not think that the PHPass library is the problem here, nevertheless here is an example for the new function.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

5) Another often-made mistake is that the database field for storing the hash value is too short; it needs a length of varchar(60). Maybe you could provide one of your password hashes (of course only an example)?

martinstoeckli
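A runnable illustration of points 2 and 5 above, added here as an example; it is not code from the question or from this answer, and it assumes PHP 5.5+ or PHP 5.3.7+ with the password_compat library loaded (the function names check_input, register_password and login_matches are the example's own):

```php
<?php
// Added example, not code from the question or the answer: reproduces why an
// escaped password never verifies against a raw one, and why a too-short
// column breaks verification. Needs PHP >= 5.5, or PHP 5.3.7+ with the
// password_compat library included before this script.

// Same transformation as the question's check_input(): rewrites & < > and quotes.
function check_input($data) {
    return htmlspecialchars(stripslashes(trim($data)));
}

// Registration: hash the raw submitted value, never an escaped copy.
function register_password($submittedPassword) {
    return password_hash($submittedPassword, PASSWORD_BCRYPT, array('cost' => 8));
}

// Login: compare the raw submitted value against the hash read from the database.
function login_matches($submittedPassword, $storedHash) {
    return password_verify($submittedPassword, $storedHash);
}

// Constructed sample password containing characters that htmlspecialchars rewrites.
$plain = 'pa&ss<word>';
$storedHash = register_password($plain);

// Case 1: the same handling on both sides, so the stored hash verifies.
echo "raw/raw:          ", var_export(login_matches($plain, $storedHash), true), "\n";

// Case 2: escaped at registration, raw at login. check_input() turns the password
// into 'pa&amp;ss&lt;word&gt;', a different string, so verification fails.
$hashOfEscaped = register_password(check_input($plain));
echo "escaped/raw:      ", var_export(login_matches($plain, $hashOfEscaped), true), "\n";

// Case 3: column too short. A bcrypt hash is 60 characters; a varchar(50) column
// in non-strict MySQL keeps only the first 50, and the cut hash never verifies.
$truncated = substr($storedHash, 0, 50);
echo "hash length:      ", strlen($storedHash), "\n";
echo "truncated column: ", var_export(login_matches($plain, $truncated), true), "\n";
```

Running it prints one line per case; the same check with PHPass's HashPassword()/CheckPassword() behaves the same way, since both sides must see an identical string and an intact 60-character hash.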

This library requires PHP >= 5.3.7 OR a version that has the $2y fix backported into it (such as RedHat provides).

user2579395