-2

When I type a password just log in, the a name means nothing. You can enter any name and be you log.But I also do not want to, I want that there is a specific name and password to login!

PHP:

<?php

// sha1() encrypted password
// the default is "test"
$password = '5df04db4e2ae413c40cb20359db92a925d6ff1b4';
// set username
$username = 'Marko'; 
// Start session
session_start();

// Initialize wrong password check variable
$isWrongPass = false;
// Initialize wrong name check variable
$isWrongUser = false;

if( !isset( $_SESSION['signedIn'] ) ) {
    $_SESSION['signedIn'] = false;
}

// If the user clicked "sign out", 
if( isset( $_GET['signout'] ) ) {
    $_SESSION['signedIn'] = false;

    // Change the location to where you want to redirect the user after signing out
    header("Location: login.php");
}

// If the user submitted a password
if( isset( $_POST['password'] ) ) {
    if ( sha1( $_POST['password'] ) == $password ) {
        $_SESSION['signedIn'] = true;
    } else {
        $isWrongPass = true;
    }
}

// If the user submitted a name
if ( $_POST['username'] == $username ) {
    $_SESSION['signedIn'] = true;
} else {
    $isWrongUser = true;
}

if( !$_SESSION['signedIn']):

    ?>

This method only works for a password, I tried to do the same for the name or fails.

HTML:

            <?php if( $isWrongPass . $isWrongUser) { ?>
            <div class="error">Pogresno ste uneli ime ili lozinku!</div>
        <?php } ?>

        <form id="signIn" method="post">
            <label for="username">Ime</label>
            <input style="border-radius: 100px" type="text" id="username" name="username" />
            <label for="password">Lozinka</label>
            <input style="border-radius: 100px" type="password" id="password" name="password" />
            <input style="border-radius: 100px" type="submit" name="submit" class="submit" value="Uloguj Se" />
        </form>
M Production
  • 59
  • 1
  • 2
  • 9
  • 3
    is there a special reason why you're using sha1? you know it isn't all that safe anymore. you should be using `password_hash()` and `password_verify()` and a prepared statement. – Funk Forty Niner Apr 13 '17 at 16:56
  • thanks for the advice I changed, but how to check specific username? – M Production Apr 13 '17 at 17:04
  • 1
    Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iIterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`, `Bcrypt` or similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Apr 13 '17 at 17:13

1 Answers1

-1

This is where your issue is.

// If the user submitted a password
if( isset( $_POST['password'] ) ) {
    if ( sha1( $_POST['password'] ) == $password ) {
        $_SESSION['signedIn'] = true;
    } else {
        $isWrongPass = true;
    }
}

// If the user submitted a name
if ( $_POST['username'] == $username ) {
    $_SESSION['signedIn'] = true;
} else {
    $isWrongUser = true;
}

If the password is correct OR the username is correct you are setting signedIn to true. If you want both to be correct, you should try integrating them into the same if statement or setting signedIn to false if isWrongUser or isWrongPass is true.

I do not recommend using the above code even with the issue you asked about fixed. You should also keep in mind that sha1 is outdated (an attack on it was published February 2017). You should be using a standardized, secure hashing function. Look here as pointed out in the comment for a guide on how to handle your passwords.

Even if you are not working on an application that you are going to release, using the standardized functions is not much more difficult.

password_hash and password_verify automatically handle salting the password to prevent rainbow table cracking of password hashes. password_hash takes in a password to hash, and password_verify takes in a plaintext to verify and a hash to verify with.

user886
  • 1,149
  • 16
  • 16
  • Let's not teach/propagate sloppy and dangerous coding practices. [A more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Apr 13 '17 at 17:22
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 13 '17 at 17:24