

partially #38: salt+hash pw then store in DB
torbengb committed Sep 18, 2021
1 parent d19188e commit abe1fa2
Showing 6 changed files with 14 additions and 4 deletions.
2 changes: 1 addition & 1 deletion common/footer.php
Expand Up @@ -42,8 +42,8 @@
<?php endforeach; ?>
</select>
</label>
<button style="float: left;" class="button submit" type="submit" name="logout" value="logout">Log out!</button> &nbsp;
<button class="button submit" type="submit" name="login" value="login">Switch!</button>
<button style="float: right;" class="button submit" type="submit" name="logout" value="logout">Log out!</button>
</form>
</body>
</html>
2 changes: 1 addition & 1 deletion database/taxonomy.sql
Expand Up @@ -8,7 +8,7 @@ CREATE TABLE IF NOT EXISTS taxonomy (
created TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
modified TIMESTAMP NULL DEFAULT NULL,
deleted TIMESTAMP NULL DEFAULT NULL COMMENT 'treat as deleted when value is not zero',
name VARCHAR(50) NOT NULL COMMENT 'name of the taxonomy',
name VARCHAR(50) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'name of the taxonomy',
parent INT(11) DEFAULT 0 COMMENT 'taxonomy.id of the parent of this taxonomy, or zero for top level'
);
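Review bot: `CHARACTER SET utf8` on `name` selects MySQL/MariaDB's three-byte `utf8` (an alias for `utf8mb3`), so any four-byte character in a taxonomy name (emoji, supplementary-plane CJK) is rejected in strict mode or silently truncated otherwise; if full Unicode is the intent, use `name VARCHAR(50) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL COMMENT 'name of the taxonomy'`. `utf8_bin` also makes every comparison and index lookup case- and accent-sensitive, so `Fiction` and `fiction` become two distinct names — since nothing in the commit explains the collation change, a comment stating that this is deliberate would help the next reader. The `INT(11)` and `COMMENT` syntax suggest MySQL, but the target engine is not visible here, and the `CREATE TABLE` statement begins above the hunk.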

1 change: 1 addition & 0 deletions database/users.sql
Expand Up @@ -4,6 +4,7 @@ CREATE TABLE IF NOT EXISTS users (
modified TIMESTAMP NULL DEFAULT NULL,
deleted TIMESTAMP NULL DEFAULT NULL COMMENT 'treat as deleted when value is not zero',
username VARCHAR(30) NOT NULL COMMENT 'screen name of user',
hashedpassword VARCHAR(60) NOT NULL COMMENT 'hashed password',
email VARCHAR(50) NOT NULL COMMENT 'obvious',
firstname VARCHAR(50) COMMENT 'obvious',
lastname VARCHAR(50) COMMENT 'obvious',
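Review bot: `hashedpassword VARCHAR(60)` is sized exactly for bcrypt output, but the value written in profile-created.php comes from `password_hash(..., PASSWORD_DEFAULT)`, which PHP documents as free to switch algorithm in a future release (Argon2id output is already around 97 characters); a longer hash would be rejected or truncated depending on `sql_mode`, and a truncated hash makes every later `password_verify` fail. The PHP manual recommends a 255-character column for this reason: `hashedpassword VARCHAR(255) NOT NULL COMMENT 'password_hash() output (PASSWORD_DEFAULT); sized for future algorithms'`. If `username` is going to be the login identifier, it presumably also needs a `UNIQUE` constraint — nothing in the hunk enforces one, though the rest of the `CREATE TABLE` statement is outside the visible lines.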
4 changes: 4 additions & 0 deletions profile/index.php
Expand Up @@ -158,4 +158,8 @@
<blockquote class="warning">You are not logged in. <a href="/profile/login.php">Login</a> or <a href="/profile/login.php?action=register">register!</a></blockquote>
<?php endif; ?>

<?php
var_dump(password_verify($password, $hashed_password));
?>

<?php require "../common/footer.php"; ?>
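Review bot: `var_dump(password_verify($password, $hashed_password));` is debug output written straight into the rendered profile page, and neither `$password` nor `$hashed_password` is defined anywhere in this hunk, so as written it would print undefined-variable warnings and `bool(false)` to every visitor — including logged-out ones, since it sits after the `endif`. Remove the three added lines before merging; if a verification smoke test is wanted, it belongs in a test script, not in a page that prints the result. The part of the file above the hunk is not visible here, so the variables may be assigned earlier, but a verification result echoed into the page leaks implementation detail either way.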
7 changes: 6 additions & 1 deletion profile/login.php
Expand Up @@ -31,12 +31,17 @@

<h2>Register || <a href="login.php">Login instead?</a></h2>

<form method="post" action="profile-created.php">
<p>🔒 Your data is secure with us. In technical terms, all persnoal information is "hashed using a salt" before it is stored in the database. In layman's terms, nobody can read your information.</p>

<form method="post" action="profile-created.php">
<input type="hidden" name="csrf" value="<?php echo escape($_SESSION['csrf']); ?>">

<label class="label" for="username">User name
<input class="input" type="text" name="username" id="username">
<span class="formhint">This is the only name we will show other users.</span> </label>
<label class="label" for="password">Password
<input class="input" type="password" name="password" id="password">
<span class="formhint">Be safe: don't reuse password! May we recommend using a password manager?</span> </label>
<label class="label" for="email">Email address
<input class="input" type="text" name="email" id="email">
<span class="formhint">We use this to validate your account, and to send you information about loans and requests.</span></label>
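Review bot: The new notice tells users that all "persnoal information is hashed using a salt" and that "nobody can read your information", but profile-created.php in this same commit stores email, name, phone and address as plain `$_POST` values — only the password is hashed, so the paragraph makes a false security promise. Replace it with an accurate statement, e.g. `<p>🔒 Your password is never stored in readable form: we keep only a salted hash of it. Other profile details are stored as entered.</p>` (which also fixes the "persnoal" typo). The password input should also carry `required` and `autocomplete="new-password"` so browsers and password managers treat it correctly, plus a `minlength` matching whatever server-side rule profile-created.php enforces — none is visible in this commit.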
2 changes: 1 addition & 1 deletion profile/profile-created.php
Expand Up @@ -8,7 +8,7 @@
}
try { // create the record:
$timestamp = date("Y-m-d H:i:s");
$record = ["created" => $timestamp, "username" => $_POST['username'], "email" => $_POST['email'], "firstname" => $_POST['firstname'], "lastname" => $_POST['lastname'], "phone" => $_POST['phone'], "addr_country" => $_POST['addr_country'], "addr_region" => $_POST['addr_region'], "addr_city" => $_POST['addr_city'], "addr_zip" => $_POST['addr_zip'], "addr_street" => $_POST['addr_street'], "addr_number" => $_POST['addr_number'], "privatenotes" => $_POST['privatenotes'], "publicnotes" => $_POST['publicnotes']];
$record = ["created" => $timestamp, "username" => $_POST['username'], "hashedpassword" => password_hash($_POST['password'], PASSWORD_DEFAULT), "email" => $_POST['email'], "firstname" => $_POST['firstname'], "lastname" => $_POST['lastname'], "phone" => $_POST['phone'], "addr_country" => $_POST['addr_country'], "addr_region" => $_POST['addr_region'], "addr_city" => $_POST['addr_city'], "addr_zip" => $_POST['addr_zip'], "addr_street" => $_POST['addr_street'], "addr_number" => $_POST['addr_number'], "privatenotes" => $_POST['privatenotes'], "publicnotes" => $_POST['publicnotes']];
$sql = sprintf("INSERT INTO %s (%s) VALUES (%s)", "users", implode(", ", array_keys($record)), ":" . implode(", :", array_keys($record)));
$statement = $connection->prepare($sql);
$statement->execute($record);
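Review bot: `password_hash($_POST['password'], PASSWORD_DEFAULT)` runs without any check that a password was submitted: an empty field still yields a valid hash of the empty string, and a missing key passes `null` (a deprecation warning on PHP 8.1+, still hashed as ""), so an account with a blank password would be created. Validate before building `$record`, e.g. `if (empty($_POST['password']) || strlen($_POST['password']) < 8) { /* reject and re-render the form */ }`, and hash into a named variable such as `$hashed = password_hash($_POST['password'], PASSWORD_DEFAULT);` so the array literal stays readable. Bcrypt, the current `PASSWORD_DEFAULT`, also ignores input beyond 72 bytes, which deserves a one-line comment beside the call. The block closed by the `}` at the top of the hunk starts outside the visible lines, and the `try` continues past them.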
