Hey Folks,
I just found out (be for anything went live so i am happy) that anything entered into my password field submits as the ‘right’ password weather it is or is not.
Here’s the login script
<?php
session_start();
require_once '../coreLib/config.php';
require_once '../coreLib/clean.class.php';
$clean = new clean;
$email = $clean->text($_POST['email']);
$rawPass = $clean->text($_POST['password']);
$loginquery = "SELECT COUNT(*) AS num_users FROM users WHERE email = :email";
$valuesquery = array(
'email' => $email
);
try {
$login = $pdo->prepare($loginquery);
$login->execute($valuesquery);
} catch (PDOException $e) {
$title .= "There was an error :(";
$output .= "There was an error with pdo/mysql here is the error {$e->getMessage()}";
}
$check = $login->fetch(PDO::FETCH_ASSOC);
if($check['num_users'] == 1){
$queryselectdetails = "SELECT `hash`,`name`,`password`,`id`,`level`,`farmname` FROM users WHERE email = :email";
$values = array(
'email' => $email
);
try {
$getdetails = $pdo->prepare($queryselectdetails);
$getdetails->execute($values);
} catch (PDOException $e) {
$title .= "Errors found!";
$output .= "There was a pdo/mysql error! Here are the details :: {$e->getMessage()}";
}
$details = $getdetails->fetch(PDO::FETCH_ASSOC);
$password = hash('sha256', $rawPass)."".$details['hash'];
$unhashed = hash('sha256', $rawPass);
if($password = $details['password']){
$_SESSION['name'] = $details['name'];
$_SESSION['id'] = $details['id'];
$_SESSION['level'] = $details['level'];
$_SESSION['farmname'] = $details['farmname'];
$title .= "Logged in!";
$output .= "<strong> DBPassword::</strong>" $details['password'];
$output .= "<strong> Password::</strong> " $password;
$output .= "<strong> DBHash::</strong> " $details['hash'];
$output .= "<strong>Has not added::" $unhashed;
$output .= "You have been logged in as {$_SESSION['name']}";
}
else {
$title .="Wrong Password";
$output .= "The password you entred was not correct";
}
}
else{
$tile .= "User does not exist";
$output .= "Hello there. We could not locate the email <strong>{$email}</strong> in our database";
}
?>
Now i only have this section in here
$output .= "<strong> DBPassword::</strong>" $details['password'];
$output .= "<strong> Password::</strong> " $password;
$output .= "<strong> DBHash::</strong> " $details['hash'];
$output .= "<strong>Has not added::" $unhashed;
in hopes it would have helped me de-bug it and see what was going on. But no such luck. So that well be removed as soon as i get this fixed. Everything else is working fine.
Thanks. It must be something i am missing.