Callback "Password Check" Problem...
#1

[eluser]Ortonruk[/eluser]
Hello

I am developing an application in CI v1.73 (as I was already a significant way into it when v2.0 was released) but I am hoping you may be able to help me.

I have a callback function that checks my database to ensure the email/password entered into a login form match and are correct. The problem I am having is that when an email address is entered that is in the database, it allows you to gain access to the members area no matter what password you enter (as long as it meets the validation requirements). If you try to log in with an email address that is not in the database, it throws up the correct error. I believe therefore the problem lies with it retrieving the password field from the database and matching it up with what was posted by the form?

Here is the code from my controller:

Code:
function login()
{
    $this->form_validation->set_rules('login_email', 'email', 'xss_clean|required|valid_email');
    $this->form_validation->set_rules('login_password', 'password', 'xss_clean|required|min_length[6]|max_length[12]|sha1|callback_password_check');
            
    $this->_email = $this->input->post('login_email');
    $this->_password = sha1($this->_salt . $this->input->post('login_password'));
            
    if($this->form_validation->run() == FALSE)
    {
        $this->load->view('account_view');
    }
    else
    {
        $this->front_model->login();
        $this->load->view('members_view');
    }
}
        
function password_check()
{
    $this->db->where('email', $this->_email);
    $query = $this->db->get('users');
    $result = $query->row_array();
            
    if($query->num_rows() == 0)
    {
        $this->form_validation->set_message('password_check', 'Invalid email/password.');
        return FALSE;
    }
            
    if($result['password'] == $this->_password);
    {
        return TRUE;
    }
}


Thanks! :)
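The symptom in the post (any password accepted once the email exists) can be reproduced outside CodeIgniter. The script below is an added example, not code from the thread: it replaces `$this->db` with a constructed in-memory `$users` array and a made-up salt, keeps the original callback's control flow in `password_check_broken()`, and puts a corrected single-exit version beside it, plus a variant using PHP's `password_hash()`/`password_verify()` instead of salted SHA-1. The constant name `SALT`, the function names and the sample account are all assumptions for this example.

```php
<?php
// Added example (not from the thread): the login callback reproduced stand-alone.

const SALT = 'example-salt-not-the-posters';   // constructed value

// Constructed sample row, same shape as the thread's users table.
$users = [
    'alice@example.com' => ['password' => sha1(SALT . 'correct-horse')],
];

// Mirrors the posted callback. The ';' after the if() closes it with an
// empty body, so the following brace block is unconditional and every
// known email reaches "return true", whatever the password was.
function password_check_broken(array $users, string $email, string $password)
{
    if (!isset($users[$email])) {
        return false;   // unknown email is rejected, matching the poster's observation
    }
    $hash = sha1(SALT . $password);
    if ($users[$email]['password'] == $hash);
    {
        return true;
    }
}

// Corrected form: one exit path, and the comparison result *is* the return
// value. hash_equals() compares in constant time and never returns null.
function password_check_fixed(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    $hash = sha1(SALT . $password);
    return hash_equals($users[$email]['password'], $hash);
}

// Same check with PHP's built-in password API: the per-user salt and cost
// live inside the stored string, so no hand-rolled salt concatenation.
function password_check_modern(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false;
    }
    return password_verify($password, $users[$email]['password']);
}

$modernUsers = [
    'alice@example.com' => ['password' => password_hash('correct-horse', PASSWORD_DEFAULT)],
];

foreach (['correct-horse', 'wrong-password'] as $candidate) {
    printf("%-15s broken=%s fixed=%s modern=%s\n",
        $candidate,
        var_export(password_check_broken($users, 'alice@example.com', $candidate), true),
        var_export(password_check_fixed($users, 'alice@example.com', $candidate), true),
        var_export(password_check_modern($modernUsers, 'alice@example.com', $candidate), true)
    );
}
```

Running it shows the broken callback returning true for both candidates while the two corrected versions reject the wrong one; the unknown-email branch behaves the same in all three, which is why the poster only saw an error for addresses not in the table.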
#2

[eluser]Josh Holloway[/eluser]
Code:
$this->_salt;

Have you defined this?

Also, try echoing the $this->_password and seeing if it matches the db field.

should help as a start.
#3

[eluser]Ortonruk[/eluser]
Hi Josh

Thanks for the quick response. Yes, _salt has been defined at the top of the controller - should have clarified that, sorry.

I will try echoing out the variable now, thanks for the tip :)


Edit: Ok, bear with me as I am pretty new to CI. I changed the query (see below) to echo out _password when the form is posted. So now the problem appears to be that the hash is not the same as the one stored in my database, even though the passwords in plain text are identical.
I just checked over my register() function to make sure that it was posting the password from the signup form correctly and that appears to be fine too.

Code:
function password_check()
{
    $this->db->where('email', $this->_email);
    $query = $this->db->get('users');
    $result = $query->row_array();
            
    if($query->num_rows() > 0)
    {
        $this->form_validation->set_message('password_check', 'Invalid email/password.');
        echo $this->_password;
        return FALSE;
    }
            
    if($result['password'] == $this->_password);
    {
        return TRUE;
    }
}
#4

[eluser]Josh Holloway[/eluser]
So, let's take a look.

Is your password field in the database truncating the input?

Make sure the password field is 255 varchar.
#5

[eluser]Ortonruk[/eluser]
The field is definitely a varchar(255) and it's not truncating the passwords at all (both are 40 characters in length).

The two hashes are completely different as if they have been generated using different salts, but they haven't :/
#6

[eluser]Josh Holloway[/eluser]
Can you post your register function and the defined salt?
#7

[eluser]Ortonruk[/eluser]
No problem, I have attached it below. On a side note I think I have fixed the problem of it accepting any password when it finds an email address in the db. So now the only problem is with these salted hashes not matching up.

Code:
function Front()
{
    parent::Controller();
    $this->load->library(array('form_validation', 'session'));
    $this->load->helper(array('url', 'form'));
    $this->load->model('front_model');
            
    $this->_salt = "191714558397772541";
}

function signup()
{
    $this->form_validation->set_rules('email', 'Email Address', 'xss_clean|required|valid_email|matches[email_conf]|callback_email_exists');
    $this->form_validation->set_rules('email_conf', 'Confirm Email Address', 'xss_clean|required|valid_email|matches[email]');
    $this->form_validation->set_rules('password', 'Password', 'xss_clean|required|min_length[6]|max_length[12]|matches[password_conf]|alpha_numeric|sha1');
    $this->form_validation->set_rules('password_conf', 'Confirm Password', 'xss_clean|required|matches[password]|alpha_numeric|sha1');
    $this->form_validation->set_rules('firstname', 'First Name', 'xss_clean|required|alpha');
    $this->form_validation->set_rules('lastname', 'Last Name', 'xss_clean|required|alpha');
    $this->form_validation->set_rules('age', 'Age', 'xss_clean|required|numeric|max_length[3]');
    $this->form_validation->set_rules('gender', 'Gender', 'xss_clean|required|alpha');
    $this->form_validation->set_rules('country', 'Country', 'xss_clean|required');
            
    if($this->form_validation->run() == FALSE)
    {
        $this->load->view('account_view');
    }
    else
    {
        $data['email'] = $this->input->post('email');
        $data['password'] = sha1($this->_salt . $this->input->post('password'));
        $data['firstname'] = $this->input->post('firstname');
        $data['lastname'] = $this->input->post('lastname');
        $data['age'] = $this->input->post('age');
        $data['gender'] = $this->input->post('gender');
        $data['country'] = $this->input->post('country');
                
        if($this->front_model->create($data) === TRUE)
        {
            $data['message'] = "Your account has been successfully created! You can now continue by logging in.";
            $this->load->view('signup_success', $data);
        }
        else
        {
            $data['error'] = "There was a problem creating your account. Please try again.";
            $this->load->view('signup_error', $data);
        }
    }
}
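Both controller methods hash with `sha1($this->_salt . $posted)`, so two different 40-character digests for the same plain-text password can only come from the two sides hashing different input. The script below is an added example, not the poster's code: it routes signup and login through one shared helper and shows how any pre-processing applied on one side only (here, a SHA-1 of the password before salting) yields an unrelated digest. The assumption behind that particular transformation is that in CI 1.7's Form_validation a native PHP function named in a rule string, such as the `sha1` rule on the signup password field, is applied to the value and written back to `$_POST` once `run()` succeeds, so `$this->input->post('password')` would already be hashed; the thread does not confirm this. `SALT`, the helper names and the sample password are constructed for the example.

```php
<?php
// Added example (not from the thread): compute every password digest through
// one function so signup and login cannot drift apart.

const SALT = 'example-salt-not-the-posters';   // constructed value

// Single hashing routine shared by the signup and login paths.
function make_password_hash(string $salt, string $plain): string
{
    return sha1($salt . $plain);
}

// Both digests are 40 hex chars; compare in constant time.
function digests_match(string $stored, string $candidate): bool
{
    return strlen($stored) === 40
        && strlen($candidate) === 40
        && hash_equals($stored, $candidate);
}

$plain = 'hunter22';   // constructed sample password

// Signup and login both hash the raw posted value: digests agree.
$stored = make_password_hash(SALT, $plain);
$login  = make_password_hash(SALT, $plain);

// Signup's posted value was already replaced by sha1($plain) before the
// controller read it (assumed validation-rule side effect, see lead-in),
// while login still hashes the raw value: digests disagree, and both are
// still 40 chars, so a column-length check would not reveal it.
$storedPreHashed = make_password_hash(SALT, sha1($plain));

printf("same input on both sides : %s\n",
    var_export(digests_match($stored, $login), true));
printf("one side pre-hashed      : %s\n",
    var_export(digests_match($storedPreHashed, $login), true));
printf("lengths: %d / %d\n", strlen($storedPreHashed), strlen($login));
```

The practical check this suggests is to log the exact string passed to `sha1()` on each side (salt plus whatever the controller received), not just the resulting digest: identical inputs always give identical digests, so the first place the two strings differ is the bug.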
#8

[eluser]Josh Holloway[/eluser]
Looks to me that your controller is functioning OK. Can you re-create the user in the database and see if it works?
#9

[eluser]Ortonruk[/eluser]
Just removed the users that were in the db (only 3), created 2 new accounts and it is still not functioning.

Could it be something to do with the character encoding? My database is UTF-8 and the collation is utf8_general_ci. Those are the defaults that were in the database config file also.
#10

[eluser]Josh Holloway[/eluser]
Can you post the hash that's stored in the database and the hash being echoed :)