
Being new to programming and PHP but eager to learn, I quickly figured out that there are so-called "best" and "bad" practices. A bad practice is the use of MD5 encryption, for example, which I was about to learn and implement. However, I just recently learned about the relatively new password_hash() function that automates a lot (yes, I didn't use the word alot :D) of the process of encryption, such as adding a salt. Correct me if I'm wrong though.

So here I am with a question about how to correctly use this function.

    function login_check() {
        $connection = database();
        $name = $_POST['name'];
        $password = $_POST['password'];
        $password_hash = password_hash($password, PASSWORD_DEFAULT);
        $query = "SELECT id FROM users WHERE name = ? AND password = ?";
        $stmt = mysqli_prepare($connection, $query);
        mysqli_stmt_bind_param($stmt, 'ss', $name, $password);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_store_result($stmt);
        $counter = mysqli_stmt_num_rows($stmt);
        if ($counter > 0 && password_verify($name, $password_hash)) {
            $_SESSION['login'] = $name;
            header('location:../../index.php');
            exit;
        } else {
            header('location:../../failed.php');
            exit;
        }
    }

    if (isset($_POST['name']) && isset($_POST['password'])) {
        login_check();
    }

So this is how far I got, and to be honest I'm not sure if this is even the right way. I could use your feedback. Is this OK, or are there any additional things to consider to make this work?

I read that there is no need to create own salt and other hash related things anymore.

  • This is testing a password, but how did you store that password originally? Did you use password_hash() on the password you stored in the database? Sorry if this sounds like a silly question, but it has to be asked! Commented Aug 26, 2015 at 9:59
  • @RiggsFolly No, I didn't. Do I have to do this when the user registers? Right now my password is stored as a normal one. I set up a test user with "123" as the password. Commented Aug 26, 2015 at 10:03
  • You do password_hash() on the entered password, and then password_verify() it with the hash from the database! Commented Aug 26, 2015 at 10:04
  • Yes, of course. Otherwise your hashed password won't match the one you stored in the database. Commented Aug 26, 2015 at 10:04
  • @MozzieMD Is the verification process OK though? So I just need to ensure the hash is also stored in the database, right? Commented Aug 26, 2015 at 10:05

3 Answers


Upon registration, password_hash the entered password and store the hashed password in your database.

Upon login:

  1. Fetch the hashed password from the database by the username, e.g.:

    SELECT password FROM users WHERE name = ? 
  2. Verify the hashed password with the just entered password:

    if (password_verify($_POST['password'], $databaseResult['password'])) {
        // match
    }

You do not:

  • password_hash anything upon login
  • SELECT ... WHERE password = ? upon login, because you need the stored hash's random salt in order to produce the same hash again, so you cannot search for anything by hash in the database



You need to pass $password in your password_verify() function instead of $name.

So change

password_verify($name, $password_hash) 

To

password_verify($password , $password_hash) 

Note: password_verify() needs your password and the password stored in your database, not your hashed password.

Also you need to store hashed password in your database.

And compare your password with the hashed one:

    mysqli_stmt_bind_param($stmt, 'ss', $name, $password_hash);

6 Comments

  • Oh ya, mistyped there. I need to ensure I have the hashed version in the database though, right? Right now I have 123 as the password.
  • Yes, you need to store the hashed password instead of 123. Then your password_verify() function works.
  • So right now I'm using 1) prepared statements, 2) password_hash(), 3) I store my database credentials outside the root in an ini file. Am I missing anything?
  • And store the hashed password in your database and match with the hashed one.
  • This won't work, because $password_hash will be different each time you generate it, and no results will be fetched from the DB.

The general idea is to query your database by username (email) and retrieve the user details together with the hashed password. Then you run password_verify() with the entered password and the OLD hash from the database. If it matches, it returns true.

I did not test the code, but it should give you an example of how to use those functions correctly.

    <?php
    function login_check() {
        $connection = database();
        $name = $_POST['name'];
        $password = $_POST['password'];
        // look the user up by name only; the stored hash cannot be searched for
        $query = "SELECT password FROM users WHERE name = ?";
        $stmt = mysqli_prepare($connection, $query);
        mysqli_stmt_bind_param($stmt, 's', $name); // one placeholder, one type character
        mysqli_stmt_execute($stmt);
        mysqli_stmt_store_result($stmt);
        $counter = mysqli_stmt_num_rows($stmt);
        // mysqli_stmt_fetch() fills bound variables; it does not return a row array
        mysqli_stmt_bind_result($stmt, $stored_hash);
        mysqli_stmt_fetch($stmt); // retrieve the old (stored) password hash
        if ($counter > 0 && password_verify($password, $stored_hash)) {
            $_SESSION['login'] = $name;
            header('location:../../index.php');
            exit;
        } else {
            header('location:../../failed.php');
            exit;
        }
    }

    if (isset($_POST['name']) && isset($_POST['password'])) {
        login_check();
    }

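The register-then-login flow that the first answer describes in steps and the third answer sketches in mysqli, as one complete added example. This is not code from the question or from any of the answers. It assumes PHP 7.1 or later with the PDO SQLite driver, and it uses an in-memory SQLite database in place of the MySQL `users` table on the page so that it runs offline; the table layout, the user `alice`, and the dummy-hash comparison for unknown usernames are all constructed for the illustration.

```php
<?php
// Added example, not from the original question or answers.
// Assumptions: PHP >= 7.1, PDO SQLite driver available. An in-memory SQLite
// database stands in for the page's MySQL "users" table so this runs offline.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table. The hash column should be wide enough for future
    // algorithms; a VARCHAR(255) leaves room for whatever PASSWORD_DEFAULT emits.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        name TEXT UNIQUE NOT NULL,
        password VARCHAR(255) NOT NULL
    )');
    return $db;
}

// Registration: hash once and store only the hash, never the plaintext.
// password_hash() generates and embeds its own random salt.
function register(PDO $db, string $name, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (name, password) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

// Login: select by username only, then let password_verify() compare.
// Returns the user's id on success, null on failure.
function login(PDO $db, string $name, string $password): ?int {
    $stmt = $db->prepare('SELECT id, password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still run a verify against a dummy hash so the
        // response time does not reveal which usernames exist.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }

    if (!password_verify($password, $row['password'])) {
        return null;
    }

    // If PASSWORD_DEFAULT has moved on (new algorithm or higher cost) since
    // this hash was created, upgrade it now while the plaintext is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }

    return (int) $row['id'];
}

$db = open_db();
register($db, 'alice', 'correct horse battery staple');   // constructed test user

var_dump(login($db, 'alice', 'correct horse battery staple'));  // right password
var_dump(login($db, 'alice', '123'));                           // wrong password
var_dump(login($db, 'mallory', '123'));                         // unknown user
```

Run it with `php login_example.php`. The two things the question's code got wrong are visible here: the login query filters on `name` only, because the hash stored at registration can never be reproduced by hashing the candidate password again, and `password_verify()` receives the candidate password plus the stored hash, not the username. The mysqli calls on the page (`mysqli_prepare`, `mysqli_stmt_bind_param`, `mysqli_stmt_bind_result`) map one-to-one onto the PDO `prepare`/`execute`/`fetch` calls used above.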
