I saw similar questions here but I don't think the answers apply to me, I'm sorry if they do..
Heres a sniplet of the code containing both procedures:
NOTE: The login and register works perfectly fine without the hashing element.
if (isset($_POST['username']) && ($_POST['password'])) {
$username = trim($_POST['username']);
$username = strtolower($username);
$password = trim($_POST['password']);
$salt = hash('md5', "$username");
$password = hash('sha256', "$password"."$salt");
$stmt = $dbh->prepare("SELECT `id` FROM `1_users` WHERE username=? AND password=? LIMIT 1");
$stmt->bindValue(1, $username, PDO::PARAM_STR);
$stmt->bindValue(2, $password, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->rowCount()) {
// Match
$results = $stmt->fetch(PDO::FETCH_ASSOC);
$_SESSION['id'] = $results['id'];
$_SESSION['logged_in'] = true;
$_SESSION['ip'] = hash('sha1', "{$_SERVER['REMOTE_ADDR']}");
header ("location: account.php");
}
else {
$error = 'Invalid username/password!';
}
}
if (isset($_POST['register'])) {
// check for all fields..
if ((empty($_POST['r_username'])) || (empty($_POST['r_password'])) || (empty($_POST['re_password'])) || (empty($_POST['email']))) {
$r_error = 'One of the fields was empty.';
}
$stmt = $dbh->prepare("SELECT `username` FROM `1_members` WHERE `username`=? LIMIT 1");
$username = strtolower($_POST['r_username']);
$username = trim($username);
$stmt->bindValue(1, $username, PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->rowCount();
if ($row) {
$r_error = 'that username is already in use';
}
else if (($_POST['r_password']) !== ($_POST['re_password'])) {
$r_error = 'The passwords did not match.';
}
else if (strlen($_POST['r_username']) <= '3') {
$r_error = 'username too short - needs to be 4 more charicters.';
}
else if (strlen($_POST['r_password']) <='5'){
$r_error = 'password not long enough, please make it 6-255 charicters or more.';
}
else {
// woohoo lets make the account
$password = trim($_POST['r_password']);
$salt = hash('md5', "$username");
$password = hash('sha256', "$password"."$salt");
$email = trim($_POST['email']);
$stmt = $dbh->prepare("INSERT INTO `1_members` (`username`, `password`, `email`) VALUES(?,?,?)");
$stmt->bindValue(1,$username,PDO::PARAM_STR);
$stmt->bindValue(2,$password,PDO::PARAM_STR);
$stmt->bindValue(3,$email,PDO::PARAM_STR);
$stmt->execute();
$_SESSION['id'] = $dbh->lastInsertId();
$_SESSION['logged_in'] = true;
$_SESSION['ip'] = hash('sha1', "{$_SERVER['REMOTE_ADDR']}");
if ($_SESSION['active_cart']) {
header ("location: cart.php");
}
else {
header ("location: account.php");
}
}
}
Before adding the hashing to the passwords, it functioned as normal, im unsure on what my problem is.
Debugging:
username: admin1
password: admin1
Login procedure turns password to: 927364bb72cee168bd52c45a5d131b5923e2926eb6e8f0f46d6d7e5765cc3401
Register procedure creates password as:
927364bb72cee168bd52c45a5d131b5923e2926eb6e8f0f46d6d7e5765cc3401
They match so what has gone wrong?
Also if i've got the wrong idea here or if im overlooking important security steps could you please advise on better methods.
Also, I'm not so worried about email validation and i'm fully aware there is lots of premade snipplets available for validating email and I will be getting to that at a later date.
Any CC is more than welcome.
EDIT: The script returns "invalid username/password combo".