PHP password_hash(), password_verify()

My registration script accepts the user password, then uses the PHP password_hash function to encrypt the password, and then puts it in the database. When I go to log in with the user I have just created, I hit the error from the check that tests whether the passwords match or not; in my case they do not. What am I doing wrong when I call the password_verify function in the login script?

Register

    <?php
    // $connect (mysqli link) and $user_table are assumed to come from an included config file.
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        function secure($data) {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
        }

        $p_num           = secure($_POST["p_number"]);
        $first_name      = secure($_POST["first_name"]);
        $last_name       = secure($_POST["last_name"]);
        $email           = secure($_POST["email"]);
        // Note: secure() runs htmlspecialchars() on the password before it is hashed,
        // while the login script verifies the raw POST value; a password containing
        // & < > " or ' would therefore never verify.
        $password        = secure($_POST["pw"]);
        $verify_password = secure($_POST["pw_verify"]);
        $program         = secure($_POST["program"]);
        $role            = secure($_POST["role"]);
        $logged_in  = 0;
        $registered = 0;
        $image      = "../images/profile_placeholder.png";

        if ($password != $verify_password) {
            echo "Nope. Passwords";
        } else {
            $registered = 1;
            // Only the hash is stored; for bcrypt it is 60 characters long.
            $password = password_hash($password, PASSWORD_DEFAULT);
            $insert = "INSERT INTO `$user_table`(`user_id`, `first_name`, `last_name`, `password`, `image`, `email`, `program`, `role`, `logged_in`, `registered`) "
                    . "VALUES('" . $p_num . "', '" . $first_name . "', '" . $last_name . "', '" . $password . "', '" . $image . "', '" . $email . "', '" . $program . "', '" . $role . "', '" . $logged_in . "', '" . $registered . "')";
            $query = mysqli_query($connect, $insert);
            echo "Success!";
        }
    }

Login

    <?php
    // $connect and $user_table are assumed to come from an included config file.
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $p_num = $_POST["username"];
        $pwd   = $_POST["password"];

        $query  = "SELECT * FROM `$user_table` WHERE `user_id` = '$p_num'";
        $result = mysqli_query($connect, $query);

        while ($row = mysqli_fetch_assoc($result)) {
            $user_id    = "{$row['user_id']}";
            $first_name = "{$row['first_name']}";
            $last_name  = "{$row['last_name']}";
            $user_name  = $first_name . " " . $last_name;
            $password   = "{$row['password']}";   // the hash exactly as stored in the database
            $image      = "{$row['image']}";
            $email      = "{$row['email']}";
            $program    = "{$row['program']}";
            $role       = "{$row['role']}";
            $status     = "{$row['logged_in']}";
            $registered = "{$row['registered']}";

            // password_verify() compares the plain-text input against the stored hash.
            if (($user_id == $p_num) && (password_verify($pwd, $password))) {
                $_SESSION["id"]         = $user_id;
                $_SESSION["user"]       = $user_name;
                $_SESSION["program"]    = $program;
                $_SESSION["pass"]       = $password;
                $_SESSION["image"]      = $image;
                $_SESSION["email"]      = $email;
                $_SESSION["role"]       = $role;
                $_SESSION["status"]     = $status;
                $_SESSION["registered"] = $registered;
                $loggedin = "UPDATE `$user_table` SET `logged_in` = 1 WHERE `user_id` = '$user_id'";
                mysqli_query($connect, $loggedin);   // run the status update
            }
            var_dump($pwd);
            var_dump($password);
        }
    }

Here is what I get when I do var_dump:

    string(1) "1"
    string(16) "$2y$10$0aysCso3b"

Thus, the passwords do not match. So, in the registration script, the password is hashed and sent to the database. Then, when the user goes to the login page, the login script takes the password the user entered to log into the system and checks it against the hashed password in the database using password_verify. However, the hashed password does not accept an invalid password as a match. What I do not understand is why?

+6

2 answers

Here is what I use for password_hash and password_verify. Try this as written; after that you can start adding the rest of your code.

Change the names of the tables and columns to match.

NB: This is the basic insertion method. I suggest prepared statements instead.

Sidenote: The password column must be long enough to hold the hash; use VARCHAR(255). Refer to the footnote.

INSERT file

    <?php
    $DB_HOST = 'xxx';
    $DB_USER = 'xxx';
    $DB_PASS = 'xxx';
    $DB_NAME = 'xxx';

    $conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
    if ($conn->connect_errno > 0) {
        die('Connection failed [' . $conn->connect_error . ']');
    }

    $password   = "rasmuslerdorf";
    $first_name = "john";

    // Hash with the current default algorithm (bcrypt); the hash, never the plain text, is stored.
    $password = password_hash($password, PASSWORD_DEFAULT);

    $sql   = "INSERT INTO users (`name`, `password`) VALUES ('" . $first_name . "', '" . $password . "')";
    $query = mysqli_query($conn, $sql);

    if ($query) {
        echo "Success!";
    } else {
        // echo "Error";
        die('There was an error running the query [' . $conn->error . ']');
    }

LOGIN file

    <?php
    // session_start();
    $DB_HOST = 'xxx';
    $DB_USER = 'xxx';
    $DB_PASS = 'xxx';
    $DB_NAME = 'xxx';

    $conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
    if ($conn->connect_errno > 0) {
        die('Connection failed [' . $conn->connect_error . ']');
    }

    $pwd        = "rasmuslerdorf";
    $first_name = "john";

    //$sql = "SELECT * FROM users WHERE id = 1";
    $sql    = "SELECT * FROM users WHERE name='$first_name'";
    $result = $conn->query($sql);

    if ($result->num_rows === 1) {
        $row = $result->fetch_array(MYSQLI_ASSOC);
        // Compare the plain-text input with the stored hash.
        if (password_verify($pwd, $row['password'])) {
            // Password matches, so create the session
            // $_SESSION['user'] = $row['user_id'];
            // header("Location: http://www.example.com/logged_in.php");
            echo "Match";
        } else {
            echo "The username or password do not match";
        }
    }
    mysqli_close($conn);

Footnote:

The password column must be long enough to hold the hash. 72 is the character length of the hash it creates; however, the manual suggests 255.

From the manual:

"Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)."

+10
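As an added illustration (not code from the question or either answer), the script below reproduces the 16-character hash seen in the var_dump above by simulating a column that is too narrow, and shows a length check a login script can run so that a truncated hash is reported as a schema problem rather than as a wrong password. Everything in it is constructed; no database is needed.

```php
<?php
// Added example; not part of the question or the answers.
// A bcrypt hash produced by password_hash() is always exactly 60 characters.
const BCRYPT_HASH_LENGTH = 60;

// Simulates a column declared as VARCHAR(16) under MySQL's non-strict SQL mode,
// which keeps only the first 16 characters of the hash and raises a warning,
// not an error (strict mode would reject the INSERT instead).
function storeInNarrowColumn(string $hash, int $columnWidth = 16): string
{
    return substr($hash, 0, $columnWidth);
}

// Checks that a value read back from the database is a complete bcrypt hash.
// password_verify() just returns false for a truncated hash, so without this
// check a schema problem looks exactly like a wrong password.
// (bcrypt-specific; adjust if PASSWORD_DEFAULT ever changes algorithm.)
function storedHashLooksIntact(string $stored): bool
{
    return strlen($stored) === BCRYPT_HASH_LENGTH
        && strncmp($stored, '$2y$', 4) === 0;
}

// Classifies a login attempt as 'ok', 'wrong-password' or 'corrupt-hash'.
function checkLogin(string $entered, string $stored): string
{
    if (!storedHashLooksIntact($stored)) {
        return 'corrupt-hash';   // widen the column to VARCHAR(255) and re-register users
    }
    return password_verify($entered, $stored) ? 'ok' : 'wrong-password';
}

$password = "1";   // the password from the dump in the question (constructed test value)
$hash     = password_hash($password, PASSWORD_DEFAULT);

// Correctly sized column: the full 60-character hash comes back and verifies.
var_dump(strlen($hash));
var_dump(checkLogin($password, $hash));

// VARCHAR(16) column: the stored value has the same shape as the dump in the
// question, and password_verify() can no longer succeed for any input.
$truncated = storeInNarrowColumn($hash);
var_dump($truncated);
var_dump(password_verify($password, $truncated));
var_dump(checkLogin($password, $truncated));
```

Run it with `php` on the command line; the only difference between the two rounds is the simulated column width, which is why fixing the column (and re-registering affected users) is the cure.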

Friends, since we log in with a unique username, we need to fetch the password/data from the database using only that username.

Example:

    <?php
    $connect = mysqli_connect($localhost, $username, $pwd, $database) or die("Oops, something went wrong");

    if (isset($_POST['submit'])) {
        extract($_POST);   // defines $username and $enteredPassword from the form fields

        // Get the stored password hash from the database, where userName is unique
        $sqlQuery = mysqli_query($connect, "select * from loginTable where User='$username'");
        $res = mysqli_fetch_array($sqlQuery);
        $current_password = $res['userPassword'];

        if (password_verify($enteredPassword, $current_password)) {
            /* Password is valid */
            $_SESSION['id'] = $res['id'];
            header("location: home.php");
        } else {
            /* Invalid password entered */
            $alt = "Login Failed! Wrong user ID or Password";
            header("location: index.php?m=$alt");
        }
    }
    ?>

This works for me... I get the password from the database and compare it with the entered password using the PHP API, i.e. password_verify($enteredPassword, $current_password).

+1

Source: https://habr.com/ru/post/977152/
