My SQL table contains two types of data used to log in. The first is the email (in the table named standard_name) and the second is the password. Because emails are AES encrypted using both a key and an IV (AES-256-CBC), there is no chance that an email encrypted in the PHP file would be the same as the email encrypted in the past and stored in the database (because the IV generated for encrypting is never the same). That is why I hash the password with md5. Since the md5 hash is always the same, I can query my database table using the password entered by the user. But what if certain users have the same password? That is why logging in with only a password query would cause problems for the users. When I realised that, I created code which first queries the db using the md5-hashed password, then checks if the email entered by the user matches the decrypted email from the database, and if not, it queries the database another time, but it is supposed to get only those records whose email has not already been compared with the one entered by the user. And there is the problem. I do not know what $query5 should be. Can anybody tell me? Or maybe there is a much easier way to deal with logging in while the email is encrypted with AES. Here is my code:
```php
$lname = mysqli_real_escape_string($connect, $_POST['email']);
$password2 = mysqli_real_escape_string($connect, $_POST['password']);

// PKCS#7-style padding helpers
function pad($data, $size) {
    $length = $size - strlen($data) % $size;
    return $data . str_repeat(chr($length), $length);
}

function unpad($data) {
    return substr($data, 0, -ord($data[strlen($data) - 1]));
}

// AES-256-CBC with a fresh random IV per call; output is base64(IV . ciphertext)
function encrypt($data) {
    $key = "SiadajerSiadajer";
    $iv_size = 16;
    $iv = openssl_random_pseudo_bytes($iv_size, $strong);
    $encryptedData = openssl_encrypt(pad($data, 16), 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
    $joinedData = hex2bin(bin2hex($iv).bin2hex($encryptedData));
    $encodedJoinedData = base64_encode($joinedData);
    return $encodedJoinedData."\n";
}

// Unsalted md5 of the password, used as the lookup value
function encrypt2($data) {
    $hashed = md5($data);
    return $hashed;
}

$password2 = encrypt2($password2);
echo $password2;
echo $lname;

// First query: find a row by password hash
$stmt3 = mysqli_stmt_init($connect);
$query4 = "
SELECT standard_name FROM standard
WHERE standard_password = ?
";
if (!mysqli_stmt_prepare($stmt3, $query4)) {
    echo "Failed to authenticate";
} else {
    mysqli_stmt_bind_param($stmt3, "s", $password2);
    mysqli_stmt_execute($stmt3);
    $result = mysqli_stmt_get_result($stmt3);
}
// Keeps only the last matching row
while ($row = mysqli_fetch_object($result)) {
    $email = $row->standard_name;
}
// decrypt() is not shown in the post
$emaildecrypted = decrypt($email);
if ($emaildecrypted === $lname) {
    echo "authentication successful";
} else {
    // Second query: same password hash, excluding the row already compared.
    // The WHERE clause below is not valid SQL; it is the part the question asks about.
    $stmt4 = mysqli_stmt_init($connect);
    $query5 = "
SELECT standard_name FROM standard
WHERE standard_password = ? BUT NOT WHERE standard_name = ?
";
    if (!mysqli_stmt_prepare($stmt4, $query5)) {
        echo "Failed to authenticate";
    } else {
        mysqli_stmt_bind_param($stmt4, "ss", $password2, $email);
        mysqli_stmt_execute($stmt4);
        $result = mysqli_stmt_get_result($stmt4);
    }
    while ($row = mysqli_fetch_object($result)) {
        $email2 = $row->standard_name;
    }
    $emaildecrypted2 = decrypt($email2);
    if ($emaildecrypted2 === $lname) {
        echo "authentication successful";
    }
}
```
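
One way to look up a row by email while the email itself stays encrypted with a random IV, shown as an added example that is not part of the original post: store a keyed hash of the email (a "blind index") next to the ciphertext, query on that, and verify the password with `password_hash`/`password_verify` instead of searching by an md5 value. The `standard_name_idx` column, both keys, and the in-memory SQLite database (standing in for the MySQL connection) are assumptions made for this sketch.

```php
<?php
// Added example, not the asker's code. Keys are constructed placeholders;
// real keys belong in configuration, not in source.
const ENC_KEY   = '0123456789abcdef0123456789abcdef'; // 32 bytes for AES-256
const INDEX_KEY = 'fedcba9876543210fedcba9876543210'; // separate key for the index

function encryptEmail(string $email): string {
    $iv = random_bytes(16);                       // fresh IV per row, as in the post
    $ct = openssl_encrypt($email, 'AES-256-CBC', ENC_KEY, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);              // openssl applies PKCS#7 padding itself
}

function emailIndex(string $email): string {
    // Deterministic keyed hash: the same email always maps to the same value,
    // so it can be used in a WHERE clause without decrypting anything.
    return hash_hmac('sha256', strtolower(trim($email)), INDEX_KEY);
}

function register(PDO $db, string $email, string $password): void {
    $stmt = $db->prepare('INSERT INTO standard
        (standard_name, standard_name_idx, standard_password) VALUES (?, ?, ?)');
    $stmt->execute([encryptEmail($email), emailIndex($email),
                    password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT standard_password FROM standard
                          WHERE standard_name_idx = ?');
    $stmt->execute([emailIndex($email)]);
    $hash = $stmt->fetchColumn();                 // false when no row matches
    // password_verify checks the salted hash, so no lookup by password is needed.
    return $hash !== false && password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');                 // stand-in for the MySQL connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE standard (standard_name TEXT,
           standard_name_idx TEXT UNIQUE, standard_password TEXT)');

// Constructed sample users who share one password.
register($db, 'alice@example.com', 'same-password');
register($db, 'bob@example.com',   'same-password');

var_dump(login($db, 'Bob@Example.com', 'same-password'));   // known email, right password
var_dump(login($db, 'bob@example.com', 'wrong-password'));  // known email, wrong password
var_dump(login($db, 'carol@example.com', 'same-password')); // unknown email
```

Because the index is a keyed HMAC rather than a plain hash, someone who obtains only the database cannot test guessed emails against it without `INDEX_KEY`.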