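/**
 * Logs the user in.
 *
 * Looks up the Member row for $this->player_tag, verifies the submitted
 * password against the stored hash and salt, and on success stores the
 * member id, player tag and admin flag in the session.
 *
 * @return string|null null on success, or an error message string on failure.
 */
public function login()
{
    // Only start a session when none is active yet; a second session_start()
    // on an active session raises a notice.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $sql = SqlConnect::getInstance();
    // SECURITY: $this->player_tag is user-supplied login input and is concatenated
    // straight into the query text, so a crafted tag can change the statement
    // (SQL injection). This must become a prepared statement with a bound
    // parameter on the SqlConnect side — TODO(review): no parameterised API is
    // visible from here, so the query is left as-is and flagged.
    $result = $sql->runQuery(
        "SELECT admin, member_id, pass_hash, salt FROM Member where player_tag = '" . $this->player_tag . "';"
    );
    if ($result->num_rows === 0) {
        return "Username does not exist.";
    }

    $row = $result->fetch_assoc();
    $hash = $row["pass_hash"];
    $salt = $row["salt"];
    $this->id = $row["member_id"];
    $admin = $row["admin"];
    // No debug output here: echoing $admin leaked the account's admin flag into
    // the response body and broke any header/redirect sent after login.

    // Verify that the submitted password matches the stored hash.
    $success = authUtil::verifyPass(HASHALGO, $hash, $salt, $this->player_tag, $this->password);
    if (!$success) {
        return "Username and password did not match.";
    }

    // Rotate the session id on this privilege change so a session id that was
    // fixed before login cannot be reused after it; existing $_SESSION data is kept.
    session_regenerate_id(true);
    $_SESSION["id"] = $this->id;
    $_SESSION["player_tag"] = $this->player_tag;
    $_SESSION["admin"] = $admin;
    return null;
}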
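/**
 * Checks a submitted username/password pair against a stored password hash.
 *
 * Recomputes the hash via authUtil::makePassHash() with the stored salt and
 * compares it to the stored hash in constant time, so the comparison's running
 * time does not reveal how many leading bytes matched.
 *
 * @param mixed  $algo     hash algorithm selector, passed through unchanged to makePassHash()
 * @param string $hash     stored password hash for the account
 * @param string $salt     stored per-account salt
 * @param string $username account name
 * @param string $password submitted plaintext password
 * @return bool true if the recomputed hash matches the stored hash
 */
public static function verifyPass($algo, $hash, $salt, $username, $password)
{
    $attempt = authUtil::makePassHash($algo, $salt, $username, $password);
    // hash_equals() is the standard-library constant-time string comparison and
    // replaces the hand-rolled XOR/OR loop (which also re-evaluated strlen() on
    // every iteration). Both sides are cast to string so a null or non-string
    // stored hash compares unequal, as before, instead of throwing a TypeError.
    return hash_equals((string) $hash, (string) $attempt);
}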