Reputation: 3266
I have an encrypted password in the database which I am trying to retrieve:
Model:
    function get_user($usr, $pwd)
    {
        $encriptKey = 'super-secret-key';
        $sql = "
            select * from user
            where username = '" . $usr . "' and
            password = '" . $this->encrypt->decode($pwd, $encriptKey) . "'
        ";
        $query = $this->db->query($sql);
        return $query->num_rows();
    }
And in the controller I have:

    $username = $this->input->post("txt_username");
    $password = $this->input->post('txt_password');
    $usr_result = $this->account_model->get_user($username, $password);
    if ($usr_result > 0) // active user record is present
    {
        // login
    }
Why is the password still invalid?
Upvotes: 2
Views: 542
Reputation: 5397
Since you asked me I am submitting this as an answer also.
The first thing to notice would be that, generally, if you were to store a secret value in the database and at a later time check if something matches it, the way to do it would be to store the encryption and compare a plain value encrypted the same way with what you have stored. I am saying this because it seems that you are trying to decode something received as a parameter and compare it to what you have in your table.
In addition, since this is about a password, in general it is a better and safer approach to hash the values, not to encrypt them. You can also make it so that the exact same password won't be hashed in the same way twice, and this would add another layer of security.
I don't think it's a good idea for me to copy&paste good ways to hash passwords in PHP, so I'll just reference some other questions you can find on this page in the "Related" sidebar:
Upvotes: 2
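The approach described in the answer above (store a salted hash, then check the submitted plain value against it), as an added example that is not part of the original question or answer. It uses PHP's built-in password_hash() and password_verify() with plain PDO and an in-memory SQLite table; the function names register_user() and check_login() and the table layout are assumptions.

```php
<?php
// Illustrative sketch: register_user(), check_login() and the table layout
// are hypothetical names, not taken from the question's application.

function register_user(PDO $db, string $username, string $password): void
{
    // password_hash() generates a fresh random salt on every call and embeds
    // it, with the algorithm and cost, in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Look the row up by username only, with a bound parameter; the
    // submitted password never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // password_verify() re-derives the hash using the salt stored inside
    // $stored and compares the result in a timing-safe way.
    return password_verify($password, $stored);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

register_user($db, 'alice', 'correct horse battery staple');
register_user($db, 'bob', 'correct horse battery staple');

// Two users with the same password: compare the stored values, then try
// a correct login, a wrong password and an unknown user.
$hashes = $db->query('SELECT password FROM user ORDER BY username')
             ->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
var_dump(check_login($db, 'alice', 'correct horse battery staple'));
var_dump(check_login($db, 'alice', 'wrong password'));
var_dump(check_login($db, 'mallory', 'anything'));
```

Because the salt is random per call, the stored value cannot be matched with a `where password = ...` clause; the row has to be fetched by username and checked with password_verify().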