11

In my Login PHP file I have these

$passwordInput = password_hash($passInput, PASSWORD_BCRYPT);   // hashes the login input again (new random salt)
$passwordVerify = password_verify($userInput, $passwordInput); // checks the input against that fresh hash, not the stored one

And in my Register PHP file I have this.

$passwordSign = password_hash($passSign, PASSWORD_BCRYPT); 

Now, essentially I make it so it hashes the password and inserts itself into the database on signup. WHICH IT DOES.

However, it cannot verify it. Both results give 2 different hashes and I don't know what I'm possibly doing wrong. I also tried just making it hash the input again and checking the password_hash in the database, but that didn't work.

What is the proper way of using these?

(Also, $passSign and $userInput are the input fields and it does get the username/password.)

2
  • Are you sure the variable names are correct? Especially $passInput and $userInput? Commented Mar 9, 2015 at 6:43
  • Instead of deleting the original question's body after figuring out the solution, please add your solution as an answer to help others. Commented Mar 9, 2015 at 7:05

1 Answer 1

19

On signup you get the password from the user input and generate its hash using password_hash():

$hash = password_hash($_POST['password'], PASSWORD_BCRYPT); 

You can provide it a custom salt to use, in a third parameter, but the documentation recommends against doing this:

Caution It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

You save this hash in the database. Make sure you put it in a CHAR/VARCHAR field of 60 characters or longer.

When the user wants to log in you check the password they input against the hash previously saved using password_verify():

$auth = password_verify($_POST['password'], $hash); 

Of course, you get the correct value of $hash from the database, searching by the provided username.

If $auth is TRUE then the provided password matches its hash computed on the registration and the user is authenticated.


3 Comments

How would you perform a db lookup of a user account, assuming that you have the fields 'user_name' and 'user_pass' in the database. Assume hundreds of users, with unique 'user_name' (unique checked during user registration). You can't lookup by condition of user_name and user_pass. You can't use password_verify because you don't know the right record to select (assume that there might be duplicate passwords but each has a different user_name). So do you have to query for user_name, then loop through 1+ results to check for password_verify? Thanks.
You said in the second sentence: "Assume hundreds of users, with unique 'user_name'". When you search by 'user_name' you either find one record in the database or you don't find any. Create a UNIQUE INDEX on the 'user_name' column in the database to help it run fast and to enforce the uniqueness.
The docs recommend storing the hash in a 255-length varchar field, because the algorithm can change in future PHP versions without notice.
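The full signup/login flow from the answer and the lookup-by-username point raised in the comments, as an added example that is not code from the question or the answer. It assumes a `users` table with a UNIQUE `user_name` column and a `user_pass` VARCHAR(255) column, uses PASSWORD_DEFAULT so the stored hash can follow future algorithm changes, and runs against an in-memory SQLite database so it can be executed as-is.

```php
<?php
// Added example; assumes table users(user_name UNIQUE, user_pass VARCHAR(255)).

function registerUser(PDO $pdo, string $username, string $password): bool
{
    // password_hash() picks a random salt itself; never pass your own.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (user_name, user_pass) VALUES (:u, :h)'
    );
    return $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    // Look up by username only; the UNIQUE index yields at most one row.
    $stmt = $pdo->prepare('SELECT user_pass FROM users WHERE user_name = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For unknown usernames verify against a dummy hash anyway, so the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $storedHash = $row['user_pass'] ?? $dummyHash;

    if (!password_verify($password, $storedHash) || $row === false) {
        return false;
    }

    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $pdo->prepare('UPDATE users SET user_pass = :h WHERE user_name = :u')
            ->execute([':h' => $newHash, ':u' => $username]);
    }
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_name TEXT UNIQUE, user_pass VARCHAR(255))');

registerUser($pdo, 'alice', 'correct horse battery staple');
var_dump(loginUser($pdo, 'alice', 'correct horse battery staple'));
var_dump(loginUser($pdo, 'alice', 'wrong password'));
var_dump(loginUser($pdo, 'nobody', 'anything'));
```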
