ed_laika

Reputation: 77

Generating dynamic PHP

I have a problem generating Bcrypt passwords. Instead of typing them manually in the hash variable and if statement, I would like to generate them from an HTML form. I am not sure how to do that.

<?php
/* in the if statement, make sure that the password is the same as in the hash variable */
$options = array('cost' => 12);
echo "Bcrypt: ";
echo $hash = password_hash("yourpassword", PASSWORD_BCRYPT, $options);
echo "<br>";
echo "Verify now:<br>";
if (password_verify('yourpassword', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}


?>
<p>Please enter a value to encrypt!</p>
<form action="invite.php">
  Key:<br>
  <input type="text" name="firstname"><br>
  <input type="submit" value="Submit">



</form>

Upvotes: 1

Views: 57

Answers (1)

Funk Forty Niner

Reputation: 74217

I'll make an attempt at answering this and if this is what the question's about.

You can assign a variable to a POST array (and using a post method for the form) to be passed as the first parameter for both functions, and check if it's not empty and using isset() against a named input/submit.

N.B.: The code below was written to be used inside the same file, as I used action="". If you intend on using this in two separate files, then by all means change the action to the filename used for it.

<?php

/* in the if statement, make sure that the password is the same as in the hash variable */
$options = array('cost' => 12);
echo "Bcrypt: ";

// Only run once the form has been submitted
if (isset($_POST['submit'])) {

    if (!empty($_POST['firstname'])) {

        $their_input = $_POST['firstname'];

        // Hash the submitted value and print the resulting hash
        echo $hash = password_hash($their_input, PASSWORD_BCRYPT, $options);

        echo "<br>";
        echo "Verify now:<br>";

        // Check the submitted value against the hash just generated
        if (password_verify($their_input, $hash)) {
            echo 'Password is valid!';
        } else {
            echo 'Invalid password.';
        }

    } else {
        echo "You left this empty.";
    }

}

?>

<p>Please enter a value to hash!</p>
<form action="" method="post">
  Key:<br>
  <input type="text" name="firstname"><br>
  <input type="submit" name="submit" value="Submit">

</form>

Sidenote: If this is intended for passwords, then you should change the input type to "password" instead of "text".

If you later want to use this as a login system, then have a look at one of ircmaxell's answers https://stackoverflow.com/a/29778421/

It uses PDO with a prepared statement.

Pulled from his answer:

Just use a library. Seriously. They exist for a reason.

Don't do it yourself. If you're creating your own salt, YOU'RE DOING IT WRONG. You should be using a library that handles that for you.

$dbh = new PDO(...);

$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$hash = password_hash($password, PASSWORD_DEFAULT);

$stmt = $dbh->prepare("insert into users set username=?, email=?, password=?");
$stmt->execute([$username, $email, $hash]);

And on login:

$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $dbh->prepare($sql);
// execute() returns a bool, so the rows are fetched from the statement itself
$stmt->execute([$_POST['username']]);
// fetch rows as objects so that ->password works below
$users = $stmt->fetchAll(PDO::FETCH_OBJ);
if (isset($users[0])) {
    if (password_verify($_POST['password'], $users[0]->password)) {
        // valid login
    } else {
        // invalid password
    }
} else {
    // invalid username
}

Important sidenote about column length:

If and when you do decide to use password_hash() or the compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

Upvotes: 2
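The following is an added example, not part of the answer above or of ircmaxell's code, illustrating the column-length note: a bcrypt hash cut off by a too-short column no longer verifies, while a complete one can be upgraded at login. `store_in_column()` and `looks_truncated()` are hypothetical helpers, the truncation is simulated in PHP rather than in MySQL, and the column widths and password are constructed.

```php
<?php
// Added example: why a password column shorter than 60 characters breaks logins.
// The helpers, column widths and sample password are constructed for illustration.

/** Simulate a string column of $width characters that cuts off longer values. */
function store_in_column(string $hash, int $width): string
{
    return substr($hash, 0, $width);
}

/** Return true when a stored value cannot be a complete bcrypt hash. */
function looks_truncated(string $stored): bool
{
    $info = password_get_info($stored);
    // A bcrypt hash is always 60 characters; anything else is not recognised as bcrypt.
    return $info['algoName'] !== 'bcrypt' || strlen($stored) !== 60;
}

$password = 'correct horse battery staple'; // constructed sample input
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

foreach ([40, 60, 255] as $width) {
    $stored = store_in_column($hash, $width);
    printf(
        "column width %3d: stored %2d chars, truncated=%s, verify=%s\n",
        $width,
        strlen($stored),
        looks_truncated($stored) ? 'yes' : 'no',
        password_verify($password, $stored) ? 'ok' : 'FAIL'
    );
}

// Widening the column does not repair rows that were already cut off: those users
// need a new hash. Complete hashes can be upgraded at login when the cost is raised.
$newOptions = ['cost' => 13];
if (password_verify($password, $hash)
    && password_needs_rehash($hash, PASSWORD_BCRYPT, $newOptions)) {
    $hash = password_hash($password, PASSWORD_BCRYPT, $newOptions);
    echo "rehashed with cost ", password_get_info($hash)['options']['cost'], "\n";
}
```

Running `looks_truncated()` over an existing users table before and after the ALTER shows which accounts need a password reset.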
