Reputation: 38
I am testing different ways to encrypt passwords and I have used the majority of ways, except I am confused about the password_verify function for the script I am using and how I could implement it within a script (look below). This script involves signing up and logging in etc. The script successfully hashes the password with this line of code:
```php
$passwordhash = password_hash($p, PASSWORD_DEFAULT);
```
(from signup)
but when I try to use password_verify in my login script it does not work. So my question is: how can I use the password_verify function in the code below?
```php
<?php
// this is executed on another page
if (isset($_POST["e"])) {
    // Connect to db
    include_once("databaseconnection.php");
    // gather posted data and sanitize
    $e = mysqli_real_escape_string($db_conx, $_POST['e']);
    $p = $_POST['p'];
    // user ip
    $ip = preg_replace('#[^0-9.]#', '', getenv('REMOTE_ADDR'));
    // FORM DATA ERROR HANDLING
    if ($e == "" || $p == "") {
        echo "login_failed";
        exit();
    } else {
        // data error handling end
        $sql = "SELECT id, username, password FROM users WHERE email='$e' AND activated='1' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
        $row = mysqli_fetch_row($query);
        // no matching row: mysqli_fetch_row() returns null, so bail out before indexing it
        if (!$row) {
            echo "login_failed";
            exit();
        }
        $db_id = $row[0];
        $db_username = $row[1];
        $db_pass_str = $row[2]; // this is the password_hash() output stored at signup
        // this compares the submitted plain-text password against the stored hash
        if ($p != $db_pass_str) {
            echo "login_failed";
            exit();
        } else {
            // create session cookies
            $_SESSION['userid'] = $db_id;
            $_SESSION['username'] = $db_username;
            $_SESSION['password'] = $db_pass_str;
            setcookie("id", $db_id, strtotime('+30 days'), "/", "", "", TRUE);
            setcookie("user", $db_username, strtotime('+30 days'), "/", "", "", TRUE);
            // note: the stored hash is copied into a client-side cookie here; nothing in the login check needs it
            setcookie("pass", $db_pass_str, strtotime('+30 days'), "/", "", "", TRUE);
            // update certain fields: ip, last login time
            $sql = "UPDATE users SET ip='$ip', lastlogin=now() WHERE username='$db_username' LIMIT 1";
            $query = mysqli_query($db_conx, $sql);
            echo $db_username;
            exit();
        }
    }
    exit();
}
?>
```
(I tried, and failed, with this code using the password_verify function)
```php
$p = password_verify($_POST['p'], $passwordhash);
```
Sorry if this is hard to understand, but it will be very much appreciated if someone could help :-)
Upvotes: 2
Views: 416
Reputation: 169
You have this:
```php
$p = ($_POST['p']);
```
but then nothing is done to change $p before this:
```php
if($p != $db_pass_str){
```
Thinking of what is typical, it's atypical for the hashing to be done client side and atypical for the database to store the password in plain text, so my best guess is that the form is passing an unhashed password and the database is storing a hashed password. This leads to the second quoted line failing unless you were to enter the password hash in the login form.
If that is not the problem, then perhaps post some additional context.
Upvotes: 0
Reputation: 9752
Assuming the password you are storing in the DB is already hashed, the problem you're having is that you just can't verify the password, since you are comparing a plain-text password against a hashed code.
I believe changing
```php
if($p != $db_pass_str){
    echo "login_failed";
    exit();
}
```
to
```php
if(!password_verify($p, $db_pass_str)) {
    echo "login_failed";
    exit();
}
```
should fix your problem. Have a look at password_hash
and password_verify.
Upvotes: 3
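As an added example (not code from the question or either answer), here is the signup-and-login pair built around password_hash()/password_verify() as the accepted answer describes. It assumes the same `users` table (id, email, username, password, activated) and a mysqli connection; it swaps the question's mysqli_real_escape_string() string building for prepared statements, uses get_result() (needs the mysqlnd driver) and keeps only the user id and name server-side instead of copying the hash into $_SESSION and a cookie.

```php
<?php
// Signup side: store only the password_hash() output, never the plain text.
function store_new_user(mysqli $db, string $email, string $username, string $plain): void {
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        "INSERT INTO users (email, username, password, activated) VALUES (?, ?, ?, '1')"
    );
    $stmt->bind_param("sss", $email, $username, $hash);
    $stmt->execute();
}

// Login side: fetch the stored hash and let password_verify() do the comparison.
// Returns the user row on success, null on failure (unknown email or wrong password).
function check_login(mysqli $db, string $email, string $plain): ?array {
    $stmt = $db->prepare(
        "SELECT id, username, password FROM users WHERE email = ? AND activated = '1' LIMIT 1"
    );
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // Unknown email: still run a hash check against a freshly built dummy hash so the
    // response takes about as long as a real check and does not reveal which emails exist.
    $stored = $row['password'] ?? password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($plain, $stored);
    if (!$row || !$ok) {
        return null;
    }

    // Transparent upgrade: if PASSWORD_DEFAULT's algorithm or cost changed since signup,
    // re-hash the (now verified) plain text and store the new hash.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $new = password_hash($plain, PASSWORD_DEFAULT);
        $upd = $db->prepare("UPDATE users SET password = ? WHERE id = ?");
        $upd->bind_param("si", $new, $row['id']);
        $upd->execute();
    }
    return $row;
}

// Session handling after a successful check_login(); assumes session_start() was
// already called. Only the id and username are kept; the hash stays in the database.
function start_user_session(array $row): void {
    session_regenerate_id(true);   // new session id on privilege change
    $_SESSION['userid'] = $row['id'];
    $_SESSION['username'] = $row['username'];
}
```

In the question's script this replaces everything from the SELECT down to the cookie block: call check_login($db_conx, $_POST['e'], $_POST['p']), echo "login_failed" on null, otherwise start_user_session() and run the lastlogin update.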