+ 1

PHP hashing - Why does it behave like that?

Hello. I recently coded a login system including a mail verification system. For that, I'm generating a unique and random 256 characters long verification code that is being added as a $_GET superglobal to the verify.php. That link is sent to the user's email. The verification codes look something like that: 6sA9BJBLwgKanwiWKOCaYxNFcPc3aE6vHPJ7rKA7JksfXCOXcO2XDYfkkIBOOY7pf9BdCuyHMomYvQwG1wZXKH3fpmsff4nYbz8v7Jh2ZxeRVH2BlJMLGQlZVmHP2u1fQqdJXAOZt0yXnwjGvFcNF1kcBzzlBKNuNHuDaH5cXQLzk6IvkaQAwmMXMpiFXL0kueptelmS5iYmckYJPZRsF4mBKzkkYG2CmVReOHghi98nHt44N0A6VAWpgVL4emY6 The hashes of the verification codes are stored in the database, so in case anybody gets access to the database, they wouldn't be able to confirm anybody's email. When the user clicks the link to the verify.php that has been sent by email, my PHP script checks via the password_verify() method if the $_GET variable from the email link belongs to the hash stored in the database or not. If I place any characters at the very beginning of the password, my script says that the verification code is invalid. But when I put random characters anywhere but not at the beginning of the $_GET variable and I hit enter to run the verify.php script, it successfully registers the email as verified unless it is another password than specified in the email. Why is that so? Does my code have security vulnerablities?

18th Jul 2019, 5:38 PM
Niklas
5 Respostas
+ 1
Could you post your verify.php code/message me it? It would be useful to see what's going on in order to help you out. Also, i would recommend that you switch from GET to POST, as POST isn't going to show info in the website's URL. If you choose to post the code, also make sure to not include the login credentials to your database, unless you are running it on a local environment :)
18th Jul 2019, 7:13 PM
Roolin
Roolin - avatar
+ 1
Sure, here are the .php scripts for both verify.php and register.php. I've uploaded them both in .txt format. https://web2231.web02.bero-webspace.de/loginsystem/verify.php.txt https://web2231.web02.bero-webspace.de/loginsystem/register.php.txt Are you sure that POST is the better choice in this case? I mean the user would have to open the link to the verify.php and copy the code from the email. I think that this is not very convenient. I'm aware that GET is going to show up in the address bar but that shouldn't be a problem as the verification hash stored in the database will be deleted immediately after having confirmed the email, so the link would be of no use. Please let me know whether I miss out on anything regarding security/safety. Thanks for your help!
18th Jul 2019, 9:54 PM
Niklas
+ 1
Roolin by the way, please don‘t get confused by some comments in the script that are in German.
18th Jul 2019, 9:56 PM
Niklas
0
Roolin I set my random password to a length of 32 characters instead of 256 and now I'm unable to put random characters into my generated password. Why is it possible to do this at a growing number of characters? It's the same with 128 characters. The database doesn't cut anything of the hash which is always 60 characters long.
21st Jul 2019, 9:28 PM
Niklas
0
So in fact my issue only concerns very long random passwords.
21st Jul 2019, 9:29 PM
Niklas