user3205214

Reputation: 65

How to verify hashed password when a user logs in

Can someone please tell me how I am supposed to verify a hashed password when someone is logging in?

Here is my registration code:

$db_password = password_hash($password, PASSWORD_DEFAULT);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users 
                   (first_name, last_name, email_address, username, password, signup_date)
                    VALUES('$first_name', '$last_name', 
                           '$email_address', '$username',
                           '$db_password', now())") 
                 or die (mysql_error());

This is my check-user code, run at login:

$hash = password_hash($password, PASSWORD_DEFAULT);

// check if the user info validates the db
$sql = mysql_query("SELECT * 
                    FROM users 
                    WHERE username='$username' 
                      AND password='$hash' 
                      AND activated='1'");
$login_check = mysql_num_rows($sql);

I cannot figure it out.

Upvotes: 0

Views: 147

Answers (2)

A l w a y s S u n n y

Reputation: 38502

No need to hash the password again at login time; simply use the password_verify() function to verify your stored password against the password given at login. See more about the Password Hashing API here: http://php.net/manual/en/ref.password.php

For now, try like this:

<?php
// this is the example hashed password that you have to select from the Database.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('password_given_at_login', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>

Upvotes: 0

Kevin Nelson

Reputation: 7663

Your verification is wrong... you are hashing the password all over again, which will result in a brand-new salt... thus a completely different hash value. When passwords are hashed (correctly), they use a salt (random string) that is sufficiently long to prevent a rainbow attack. password_hash is doing all of this behind the scenes for you.

However, this means you have to make sure to use the same salt in order to verify the password, by storing it along with the hash. In the case of the code you are using, it's doing this part for you, and the salt is the prefix of the result of password_hash.

When the user logs in, you need to do:

if( password_verify($loginPasswordText, $hashStoredInDb) ) {
    //SUCCESS
}

Upvotes: 2
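Both answers come down to the same fix: hash once at registration, then look the stored hash up by username and pass it to password_verify() at login. The following is an added example (not code from the question or from either answer) that walks that full round trip. It uses an in-memory SQLite table via PDO instead of the question's MySQL database so that it runs stand-alone; the table and column names follow the question's schema, and the demo user and passwords are constructed.

```php
<?php
// Added example, not code from the question or either answer. Register with
// password_hash(), then log in with password_verify(). Uses in-memory SQLite so
// it runs offline; swap the DSN for a MySQL connection in real use.

function registerUser(PDO $pdo, string $username, string $password): void
{
    // Hash once at registration; the random salt is embedded in the result.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, activated) VALUES (:u, :h, 1)'
    );
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    // Select by username only. Never put a hash in the WHERE clause:
    // password_hash() picks a new salt on every call, so a hash computed at
    // login can never equal the stored one (the bug in the question's code).
    // Binding :u also removes the string interpolation the original query had.
    $stmt = $pdo->prepare(
        'SELECT password FROM users WHERE username = :u AND activated = 1'
    );
    $stmt->execute([':u' => $username]);
    $storedHash = $stmt->fetchColumn();
    if ($storedHash === false || !password_verify($password, $storedHash)) {
        return false;
    }
    // If PASSWORD_DEFAULT or its cost has changed since the hash was stored,
    // upgrade the stored hash now, while the plaintext is still available.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE users SET password = :h WHERE username = :u')
            ->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, activated INTEGER)');
registerUser($pdo, 'alice', 'correct horse battery staple');

var_dump(loginUser($pdo, 'alice', 'correct horse battery staple'));
var_dump(loginUser($pdo, 'alice', 'wrong password'));
var_dump(loginUser($pdo, 'nobody', 'anything'));
```

The first call succeeds and the other two fail; the stored row still contains only the bcrypt string, never the plaintext.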
