hi so I'm working on a basic website trying to learn about security etc and come across various issues, so i created a register function that hashes, salts and bcypts password this is functional and working however the problem lies within the login code somehow nothing is being processed i dont even receive error messages so i can't even see where it has gone wrong
this is my login
<?php
include_once("checkuser.php");
if(isset($_POST['email']) && trim($_POST['email']) != ""){
$email = strip_tags($_POST['email']);
$password = $_POST['password'];
$hmac = hash_hmac('sha512', $password, file_get_contents('textfiles/key.txt'));
$stmt1 = $db->prepare("SELECT usersid, username, password FROM login WHERE email=:email AND activated='1' LIMIT 1");
$stmt1->bindValue(':email',$email,PDO::PARAM_STR);
try{
$stmt1->execute();
$count = $stmt1->rowCount();
if($count > 0){
while($row = $stmt1->fetch(PDO::FETCH_ASSOC)){
$uid = $row['usersid'];
$username = $row['username'];
$hash = $row['password'];
}
if (crypt($hmac, $hash) === $hash) {
$db->query("UPDATE login SET lastlog=now() WHERE usersid='$uid' LIMIT 1");
$_SESSION['uid'] = $uid;
$_SESSION['username'] = $username;
$_SESSION['password'] = $hash;
setcookie("usersid", $uid, strtotime( '+30 days' ), "/", "", "", TRUE);
setcookie("username", $username, strtotime( '+30 days' ), "/", "", "", TRUE);
setcookie("password", $hash, strtotime( '+30 days' ), "/", "", "", TRUE);
echo 'Valid password<br />'.$_SESSION['uid'].'<br />'.$_SESSION['username'].'<br />'.$_SESSION['password'].'
<br />'.$_COOKIE['usersid'];
header("location: index.php");
exit();
} else {
echo 'Invalid password Press back and try again<br />';
exit();
}
}
else{
echo "A user with that email address does not exist here";
$db = null;
exit();
}
}
catch(PDOException $e){
echo $e->getMessage();
$db = null;
exit();
}
}
?>
this is my user check with sessions etc
<?php
session_start();
include_once("conninfo2.php");
$user_is_logged = false;
$log_user_id = "";
$log_uname = "";
$log_pass = "";
if(isset($_SESSION['uid']) && isset($_SESSION['username']) && isset($_SESSION['password'])){
$log_user_id = preg_replace('#[^0-9]#', '', $_SESSION['uid']);
$log_uname = preg_replace('#[^a-z0-9]#i', '', $_SESSION['username']);
$log_pass = preg_replace('#[^a-z0-9]#i', '', $_SESSION['password']);
$stmt = $db->prepare("SELECT id FROM members WHERE id=:log_user_id");
$stmt->bindValue(':log_user_id',$log_user_id,PDO::PARAM_INT);
try{
$stmt->execute();
if($stmt->rowCount() > 0){
$user_is_logged = true;
}
}
catch(PDOException $e){
return false;
}
}else if(isset($_COOKIE['usersid']) && isset($_COOKIE['username']) && isset($_COOKIE['password'])){
$_SESSION['uid'] = preg_replace('#[^0-9]#', '', $_COOKIE['usersid']);
$_SESSION['username'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['username']);
$_SESSION['password'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['password']);
$log_user_id = $_SESSION['uid'];
$log_uname = $_SESSION['username'];
$log_pass = $_SESSION['password'];
$stmt = $db->prepare("SELECT usersid FROM login WHERE usersid=:log_user_id LIMIT 1");
$stmt->bindValue(':log_user_id',$log_user_id,PDO::PARAM_INT);
try{
$stmt->execute();
if($stmt->rowCount > 0){
$user_is_logged = true;
}
}
catch(PDOException $e){
return false;
}
if($user_is_logged == true){
$db->query("UPDATE login SET lastlog=now() WHERE usersid='$log_user_id' LIMIT 1");
}
}
?>
