• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Password Validation in Codeigniter

#1
Sad 
Hi all I have this issue when I validate log in in codeigniter that seems it does not check the required password in my database.The required password in my database is hash using this
Code:
$password_hash = password_hash($password, PASSWORD_BCRYPT);

I'm also using this hash to test of it's ability and security also.
the code in my log in view is:
Code:
<div class="container">
 <div class="card card-login mx-auto mt-5">
   <div class="card-header">Login</div>
   <div class="card-body">
     <form method = "post" action=<?php echo base_url("Ec_controller/login"); ?> >
       <div class="form-group">
         <label for="Username">Username</label>
         <input class="form-control" id="username" name="username" type="text" aria-describedby="emailHelp" placeholder="Enter Username">
       </div>
       <div class="form-group">
         <label for="Password">Password</label>
         <input class="form-control" id="password" name= "password" type="password" placeholder="Enter Password">
       </div>
       <div class="form-group">
         <div class="form-check">
           <label class="form-check-label">
             <!-- <input class="form-check-input" type="checkbox"> Remember Password</label> -->
         </div>
       </div>        
       <input type="submit" name="submit" id="submit" class="btn btn-primary btn-xm" value="Log In" />
     </form>
     <div class="text-center">
       <!-- <a class="d-block small" href="#">Forgot Password?</a> -->
     </div>
   </div>
 </div>
</div>

On my controller:
Code:
public function login(){


   $this->load->library('form_validation');

   $this->form_validation->set_rules('username', 'Username', 'required|trim|callback_validate_credentials');
   $this->form_validation->set_rules('password', 'Password', 'required|trim');

   $username = $this->input->post('username');
   $password = $this->input->post('password');
   $user_id ="";

   if($this->form_validation->run()){

           $data = array(
               'log_username' => $username,
               'is_logged_in' =>1

           );
           $this->session->set_userdata($data);
           $sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                            ->from("ec_login")
                            ->where("log_username", $username)
                            ->get();



           foreach($sql2->result() as $user_level){

               $user_id = $user_level->log_userlevel;

           }
           if($user_id == 1){

               redirect('Ec_controller/view_admin');

           }elseif ($user_id == 2) {

               redirect('Ec_controller/view_it');
           }else{

               redirect("Ec_controller/index");
           }

   }else{

       redirect('Ec_controller/index');
   }


}

public function validate_credentials(){

   $this->load->model('Ec_model');

   if($this->Ec_model->can_log_in()){
       return true;
   }else{
       $this->form_validation->set_message('validate_credentials', '<font color=red>Incorrect username/password</font>');
       return false;
   }
}

and on my Model:
public function can_log_in(){
Code:
$this->db->where('log_username', $this->input->post('username'));
$this->db->where(password_verify('log_password',PASSWORD_BCRYPT), $this->input->post('password'));     
$query = $this->db->get('ec_login');

 if($query->num_rows() == 1)
  {        
    return true;
  }else{
     return false;
  }
}

When I put username it validates the required username and the only problem is the password that whatever i put on the password it validated and redirect to specific page/views, it sounds crazy. A help and a little explanation would great help.

What i'm trying to get here is to check if input password on the form is the same as in the database password. Example: form input password is abcd and on my database password is cdef. But when i put whatever password on the form . Example: form input password were ae,ui,ou the values are pass to controller and model and it redirects to specific page/views.
Reply

#2
(01-08-2018, 10:15 PM)lothux1987 Wrote:
Code:
$this->db->where(password_verify('log_password',PASSWORD_BCRYPT), $this->input->post('password'));

This doesn't make any sense ... It doesn't actually compare to a database field, the parameters passed to password_verify() are incorrect and the overall logic is incorrect. Read up how password_verify() works. You're supposed to fetch from the DB only by username, and then verify against the fetched hash.

Questions about password_hash(), password_verify() are asked almost weekly on StackOverflow, a simple Google search should've given you all the help you need.
Reply

#3
Solved it.
I was so totally dumb for not reading carefully what the use of password_verify() on PHP Manual. Well I finally get it right now. Here's my answer to my question an Updated One.
Code:
public function login(){


$this->load->library('form_validation');

$this->form_validation->set_rules('username', 'Username', 'required|trim');
$this->form_validation->set_rules('password', 'Password', 'required|trim');

$username = $this->input->post('username');
$password = $this->input->post('password');
$user_id ="";

if($this->form_validation->run()!= true){


       redirect('Ec_controller/index');


}else{



       $sql2 = $this->db->select("log_username, log_password,log_userlevel ")
                        ->from("ec_login")
                        ->where("log_username", $username)
                        ->get();



       foreach($sql2->result() as $user_level){

           $user_id = $user_level->log_userlevel;
           $user_password_db = $user_level->log_password;

       }

       $data = array(

           'log_username'  =>$username,
           'log_userlevel' =>$user_id,
           'log_password'  =>$user_password_db,
           'is_logged_in'  =>1

       );
       $this->session->set_userdata($data);


       if(password_verify($password,$user_password_db) && $user_id == 1){

           redirect('Ec_controller/view_admin');


       }elseif (password_verify($password,$user_password_db) && $user_id == 2) {

           redirect('Ec_controller/view_it');
       }else{

           redirect("Ec_controller/index");
       }





}

}
This gives me headache but that was worth it and I'm happy for the outcome. Sorry about that mate..
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


Users browsing this thread:
1 Guest(s)


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2018 MyBB Group.