I'm not very familiar with security, therefore I rely on what I find on the internet. I found a site of someone who explains a bit what he does and how his method works. People may copy-paste it to ease things up. Though I do understand quite a lot, I couldn't come up with it myself (I'm pretty new to PHP/XHTML, etc.).
The website: How to store safely with PHP and MySQL
He uses PDO in his tutorial, and I am able to store the information in the database. But when I try to use the script in which he provides the code for actually logging in, it seems to contain errors.
I've worked everything out and everything works fine, but the comparison of the hashed password with the inserted password (with the hash, etc.) does not work properly.
What is going on here?
Thanks in advance!
EDIT
People have been asking for the code so, here it is:
<?php
session_start();
require('config.php');
// Setting up a connection
$MyConnection = new PDO('mysql:host=*;dbname=*', $dbuser, $pass);
// Retrieving information from form.
$username = $_POST['username'];
$password = $_POST['password'];
$sth = $MyConnection->prepare("SELECT * FROM AMP_Users WHERE Username = :username LIMIT 1");
$sth->bindParam(':username', $username);
$sth->execute();
$user = $sth->fetch(PDO::FETCH_OBJ);
// Hashing the password with its hash as the salt returns the same hash
if (crypt($password, $user->hash) == $user->hash) {
    echo 'You are now logged in. If we actually used sessions this time.';
}
I will add $_SESSION['name'] = $username once the code starts to work. Until now I simply echo out whether it worked or not. And it doesn't show anything, so it doesn't work.
SECOND EDIT
Just as a quick update, the script provided by me is the WHOLE script. Nothing is left out (except names of databases, etc.). Therefore I wonder if the problem may be that I don't use the hashing script for saving the passwords into the database. Though I have put it in, it still doesn't respond. Am I still doing something wrong?
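The two conditions the crypt() check in the question depends on, shown as an added example that is not the asker's code or the tutorial's: the stored value must be a real crypt-style hash (not the plain password), and fetch() must actually have returned a row. It uses an in-memory SQLite database so it runs offline; the table and column names (users, username, hash) are assumptions.

```php
<?php
// Added example, not the code from the question. Table/column names are assumed.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, hash TEXT NOT NULL)');
    return $db;
}

// Registration stores a salted hash, never the password itself. password_hash()
// emits a crypt()-compatible string, so the login check can use crypt() as in the question.
function registerUser(PDO $db, string $username, string $password): void {
    $sth = $db->prepare('INSERT INTO users (username, hash) VALUES (:u, :h)');
    $sth->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// True only when a row exists and re-hashing the password with the stored hash as
// salt reproduces that hash.
function checkLogin(PDO $db, string $username, string $password): bool {
    $sth = $db->prepare('SELECT hash FROM users WHERE username = :u LIMIT 1');
    $sth->execute([':u' => $username]);
    $user = $sth->fetch(PDO::FETCH_OBJ);
    if ($user === false) {
        // No matching row: fetch() returns false, so $user->hash would not exist.
        return false;
    }
    // Constant-time comparison rather than ==.
    return hash_equals($user->hash, crypt($password, $user->hash));
}

$db = makeDb();
registerUser($db, 'alice', 'correct horse');  // constructed sample user
echo 'alice / right password: ', var_export(checkLogin($db, 'alice', 'correct horse'), true), "\n";
echo 'alice / wrong password: ', var_export(checkLogin($db, 'alice', 'wrong'), true), "\n";
echo 'unknown user:           ', var_export(checkLogin($db, 'nobody', 'correct horse'), true), "\n";

// The symptom from the question: if registration wrote the plain password instead of
// a hash, crypt() can never reproduce the stored value, so every login fails.
$db->exec("INSERT INTO users (username, hash) VALUES ('bob', 'plaintext')");
echo 'bob / stored in plain:  ', var_export(checkLogin($db, 'bob', 'plaintext'), true), "\n";
```

Running it with `php` from the command line is enough; no web server or MySQL instance is needed.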