So Ive been looking arround internet to bcrypt my passwords, I got this code together from youtube, Im not sure if thats what I need since this is my first time doing such a thing. And also I get an error saying that user, pass and mail are undefined aldo thy work fine in functions I use and in if statements above. This code is work in progress, I have yet to put salting and crypt functions in an if statement. Heres code:
<?php require_once("session.php");?>
<?php require_once("connect.php");?>
<?php
if(isset($_POST["createUser"]) && isset($_POST["user"], $_POST["pass"], $_POST["mail"])){
createUser ($_POST["user"], $_POST["pass"], $_POST["mail"]);
}
else if(isset($_POST["userGames"])){
userGamesUpdate ($_POST("selectedGameId"));
}
else if(isset($_POST["userLogin"])){
login ($_POST["user"], $_POST["pass"]);
}
else if (!isset ($_POST)){
echo "error";
}
?>
<?php
$lenght = 21;
function random_string($lenght){
$charset = array_merge˙(range("a", "z"), range("A", "Z"), range("0", "9"));
shuffle($charset);
global $randozoz;
$randozoz = array_slice($charset, 0, $lenght);
return implode("", $randozoz);
}
$username = $_POST["user"];
$password = $_POST["pass"];
$email = $_POST["mail"];
function prevent($wha) {
$wha = stripslashes($wha);
$wha = mysql_real_escape_string($wha);
return $wha;
}
prevent($username);
prevent($password);
prevent($email);
$str = substr($username, 0, 6);
$salt = "$2a$12$".$randozoz."".$str."$";
//register
function createUser ($username, $password, $email ){
//Get from form
$hashedPassword = crypt($password);
//Submit to database
//make query
$query = ("INSERT INTO users ( username , email , hashPass ) VALUES ( '$username' , '$email' , '$hashedPassword')");
//use query
if (mysql_query($query)) {
//userMade.php
$query = ("SELECT id FROM users WHERE username = '{$username}'");
$userId = mysql_fetch_array($query);
$_SESSION["userId"] = $userId;
$_SESSION["username"] = $username;
header("Location: ../userMade.php");
exit;
} else {
echo "<p>".mysql_error()."</p>";
}
}
function login ($username, $password){
$hashedPassword = sha1($password);
//Submit to database
//make query
$query = ("SELECT id, username FROM users WHERE username = '{$username}' AND hashPass = '{$hashedPassword}'");
$result_set = mysql_query($query);
if (mysql_num_rows($result_set) == 1) {
//frontpage, session
//$userFound = mysql_fetch_array($result_set);
$foundUser = mysql_fetch_array($result_set);
$_SESSION["userId"] = $foundUser["id"];
$_SESSION["username"] = $foundUser["username"];
header("Location: ../frontpage.php");
exit;
} else {
$message = "Your username and/or password is wrong! Please try again.";
}
}
?>
Login system is not integrated with crypt and salting system. But am I doing salting right?
Heres some random passwords that come out of this system:
$1$gc5.pn/.$txhBJZBDG3xgraJYIYY0I1
$1$8e0.vX3.$RfFLRT/iE.MXfws2fnz30.
And error shows in part where Im trying to protect against SQL injection, also will that system work? I dont really understand it to be honest.
Your code is full of bad things, it is hard to find a spot to start. It doesn't even work correctly.
But to answer your question on bcrypt: No, you are doing it wrong. To make it most easy for everybody using password hashing there will be a PHP Hashing API starting with PHP 5.5.
Because PHP 5.5 still is in development, there is a compatibility library that backports these functions to recent PHP versions 5.4 and down till 5.3.7. Earlier PHP have a security issue in their bcrypt implementation.
Download this library: https://github.com/ircmaxell/password_compat