I am using PHPASS to store password encrypted and compare when login.

here is the code

ob_start();
$userName = $password = "";
$userNameErr = $passwordErr = $loginErr = "";
$hasher = new PasswordHash(8, false);

if (isset($_POST['subEmployee'])) {
    if (empty($_POST['user_name'])) {
        $userNameErr = "User name is required";

    } else {
        $userName = check_input($_POST['user_name']);
        if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) {
            $userNameErr = "Only letters, numbers and '_' allowed";
        }
    }
    if (empty($_POST['password'])) {
        $passwordErr = "Password is required";
    }else{
        $password = check_input($_POST['password']);
    }

    $active = 1;
    $loginUser = $db->prepare("SELECT password FROM users WHERE user_name=? AND activity=?");
    $loginUser->bind_param('si', $userName, $active);
    if ($loginUser->execute()) {
        $results = $loginUser->get_result();
        if ($results->num_rows == 1) {
            $row = $results->fetch_object();
            $stored_hash = "*";
            $stored_hash = $row->password;
            $check = $hasher->CheckPassword($password, $stored_hash);
            if ($check) {
                $_SESSION['name'] = $row->first_name;
                $_SESSION['userId'] = $row->id;
                $_SESSION['user'] = 1;
                print_r($_SESSION);
                header("Location:?pid=4");
            } elseif (!empty($_POST['user_name']) && !empty($_POST['password'])) {
                $loginErr = "'Invalid Login Information'";
            }
        }
    }
}

so far it always give the same message 'Invalid Login Information' I have made the registration form that store my password like this.

$hasher = new PasswordHash(8, false);
$hash = md5(rand(0, 1000));

if (empty($_POST['password'])) {
        $error ['passwordErr'] = "Password is required";
    } elseif (strlen($_POST['password']) < 8) {
        $error ['passwordErr'] = "<span class='notAllowed'>Chose password with at last eight characters</span>";
    } elseif (strlen($_POST['password']) > 72) {
        $error ['passwordErr'] = "<span class='notAllowed'>Password max 72 characters</span>";
    } elseif ($_POST['password'] !== $_POST['confirm']) {
        $error ['passwordErr'] = "Password don't matching";
    } else {
        $password = $hasher->HashPassword($password);
    }

when I checked my database the password seems hashed to me and the user name is there and everything is alright

but still getting this message as 'Invalid Login Information'.

does this two lines is right

$loginUser = $db->prepare("SELECT password FROM users WHERE user_name=? AND activity=?");
    $loginUser->bind_param('si', $userName, $active);

does the login code OK.

Thanks

Member Avatar for diafol

Not familiar with PHPass, Any reason you're using md5? It's generally accepted that it's past it's sell by date. Not recommended.

If you have php 5.5.0+, then you may wish to consider password_hash() and password_verify() using something like BCRYPT with a "cost" of 11 or 12.

Thanks for reply but what to do if I am using PHP 5.3.29 any other idea
thanks again

Member Avatar for diafol

Are you not able to shift your version up a few notches?

14 Aug 2014
The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively.

Anyway, you can use https://github.com/ircmaxell/password_compat (thanks to veedeoo for the link).

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.