Reputation: 71
I am trying a new PHP function called "password_hash". I want to have just one password and check whether it equals the static password. If the password is equal, I want to go to the other page.
This is the code I tried:
// Hash the fixed password on every request (this is what the posted code does)
$gen_pass = password_hash("test", PASSWORD_DEFAULT);

if (isset($_POST["submit_verify"]))
{
    // FILTER_SANITIZE_SPECIAL_CHARS rewrites &, <, > and quotes as HTML entities
    $pass_verify = filter_var($_POST["pass_verify"], FILTER_SANITIZE_SPECIAL_CHARS);
    if ($pass_verify)
    {
        if (password_verify($pass_verify, $gen_pass))
            echo "<h1>SUCCESS</h1>";
        else
            header("location: ../index");
    }
    else $error_msg = "Error!";
}
But when I try it, the site just refreshes and nothing happens. And when I enter the wrong password in the input, I end up on the index.php page.
Upvotes: 1
Views: 560
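A corrected version of the flow asked about, added here as an example that is neither the asker's nor the answerer's code: the hash is computed once, the submitted password is handed to password_verify() unmodified, the decision is returned from a function so it can be run from the command line with constructed form submissions, and the script stops after sending the redirect. check_login(), $STORED_HASH and the sample submissions are assumptions made for this example.

```php
<?php
// Added example (not the asker's code): one static password, hashed once,
// checked with password_verify(). check_login() and $STORED_HASH are
// names assumed for this example.
declare(strict_types=1);

// In a real deployment the hash is generated once (e.g. with
// password_hash('test', PASSWORD_DEFAULT) from a CLI script) and stored in
// config or a database; only the hash lives in the application.
// It is generated at the top here so the example runs stand-alone.
$STORED_HASH = password_hash('test', PASSWORD_DEFAULT);

/**
 * Decide what to do with a submitted form.
 * Returns 'success', 'redirect' or 'error' instead of echoing/redirecting
 * directly, so the logic can be exercised from the command line.
 */
function check_login(array $post, string $stored_hash): string
{
    if (!isset($post['submit_verify'])) {
        return 'error';                          // form not submitted
    }
    // Do NOT run the password through filter_var(FILTER_SANITIZE_SPECIAL_CHARS):
    // it rewrites &, <, >, " and ' as HTML entities, so a password such as
    // "a&b" would be compared as "a&#38;b" and never verify.
    $candidate = $post['pass_verify'] ?? '';
    if ($candidate === '') {
        return 'error';
    }
    // password_verify() re-derives the hash with the salt and cost embedded in
    // $stored_hash and compares the result in constant time.
    return password_verify($candidate, $stored_hash) ? 'success' : 'redirect';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submissions for a stand-alone run.
    $samples = [
        'right password' => ['submit_verify' => '1', 'pass_verify' => 'test'],
        'wrong password' => ['submit_verify' => '1', 'pass_verify' => 'Test'],
        'missing field'  => ['pass_verify' => 'test'],
    ];
    foreach ($samples as $label => $post) {
        printf("%-15s => %s\n", $label, check_login($post, $STORED_HASH));
    }
    // Show why sanitising the password breaks verification.
    $hash_amp  = password_hash('a&b', PASSWORD_DEFAULT);
    $sanitised = filter_var('a&b', FILTER_SANITIZE_SPECIAL_CHARS);
    printf("sanitised form of 'a&b' is %s; verifies: %s\n",
        $sanitised, var_export(password_verify($sanitised, $hash_amp), true));
} else {
    switch (check_login($_POST, $STORED_HASH)) {
        case 'success':
            echo '<h1>SUCCESS</h1>';
            break;
        case 'redirect':
            header('Location: ../index.php');
            exit;                                // stop after sending the redirect
        default:
            $error_msg = 'Error!';
    }
}
```

Run it with `php verify.php` to see the three constructed submissions and the sanitised-password failure; served through a web server it behaves as the original form handler was meant to.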
Reputation: 1584
$options = [ 'cost' => 12 ];
// Hash of the static password; in practice this would be read from the database
$gen_pass = password_hash( "test", PASSWORD_BCRYPT, $options );

if ( isset( $_POST["submit_verify"] ) )
{
    // Compare the submitted password field, not the submit button's value
    if ( password_verify( $_POST["pass_verify"], $gen_pass ) )
    {
        // If the stored hash was made with an older cost or algorithm, rehash
        // the password that just verified and store the new hash
        if ( password_needs_rehash( $gen_pass, PASSWORD_BCRYPT, $options ) )
        {
            $new_hashed_password = password_hash( $_POST["pass_verify"], PASSWORD_BCRYPT, $options );
            // Run an update script to store $new_hashed_password in the database
        }
        echo "<h1>SUCCESS</h1>";
    }
    else
    {
        header( "location: ../index" );
        exit; // stop the script after the redirect
    }
}
From what I can tell, using $pass_verify = filter_var($_POST["pass_verify"], FILTER_SANITIZE_SPECIAL_CHARS); will remove and replace <, > and &. What happens if the password contains those characters?
To determine your optimal cost you could use a function like this; the returned number is the cost value to use for the amount of time it takes. Change $min_ms to however long you want and it will provide a cost for you. This is taken from the PHP password_hash page.
function getOptimalBcryptCostParameter($min_ms = 1000) {
    // bcrypt accepts costs from 4 to 31; try them in order until one takes long enough
    for ($i = 4; $i < 31; $i++) {
        $options = [ 'cost' => $i ];
        $time_start = microtime(true);
        password_hash("PASSWORD_HERE", PASSWORD_BCRYPT, $options);
        $time_end = microtime(true);
        echo "Time to hash: ".($time_end - $time_start).' with a cost of '.$i.'<br>';
        // first cost whose hashing time exceeds the target (in milliseconds) wins
        if (($time_end - $time_start) * 1000 > $min_ms) {
            return $i;
        }
    }
    return 30; // fallback if even the highest cost tried was faster than $min_ms
}
echo getOptimalBcryptCostParameter(); // prints 12 in my case
Upvotes: 2
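A fuller version of the cost tuning and rehash pattern the answer sketches, added as an example that is neither the answerer's code nor the PHP manual's: it measures hashing time per cost with hrtime(), then uses password_needs_rehash() at login to upgrade a hash that was stored with an older, weaker cost. optimal_bcrypt_cost(), verify_and_upgrade(), the 100 ms target and the in-memory user store are assumptions made for this example.

```php
<?php
// Added example (not the answerer's code or PHP's documentation example):
// pick a bcrypt cost by measurement, then use password_needs_rehash() to
// upgrade older hashes transparently at login. Function names, the
// $target_ms default and the in-memory "user store" are assumptions.
declare(strict_types=1);

/**
 * Return the smallest bcrypt cost whose hashing time reaches $target_ms.
 * hrtime() gives integer nanoseconds, avoiding float drift; each cost is
 * measured once, which is enough for an order-of-magnitude choice.
 */
function optimal_bcrypt_cost(int $target_ms = 250, int $max_cost = 31): int
{
    for ($cost = 4; $cost <= $max_cost; $cost++) {
        $start = hrtime(true);                                // nanoseconds
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed_ms = (hrtime(true) - $start) / 1e6;
        if ($elapsed_ms >= $target_ms) {
            return $cost;
        }
    }
    return $max_cost;                                         // machine is very fast
}

/**
 * Verify $password against $stored_hash and, if the stored hash was made
 * with parameters other than $options, return an upgraded hash to persist.
 * Returns [bool $ok, ?string $new_hash].
 */
function verify_and_upgrade(string $password, string $stored_hash, array $options): array
{
    if (!password_verify($password, $stored_hash)) {
        return [false, null];
    }
    $new_hash = null;
    // Only the plaintext that just verified can be rehashed; an old hash
    // cannot be converted, which is why the upgrade happens at login time.
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, $options)) {
        $new_hash = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return [true, $new_hash];
}

// Constructed demo: a "user store" holding a hash made with the weak cost 4,
// as if it had been created years ago on a slower machine.
$users = ['alice' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4])];

$cost    = optimal_bcrypt_cost(100);                          // aim for ~100 ms per hash
$options = ['cost' => $cost];
printf("chosen cost: %d\n", $cost);

[$ok, $new_hash] = verify_and_upgrade('correct horse', $users['alice'], $options);
printf("first login ok: %s, rehash needed: %s\n",
    var_export($ok, true), var_export($new_hash !== null, true));
if ($new_hash !== null) {
    $users['alice'] = $new_hash;                              // persist the upgraded hash
}

// Second login: the stored hash now matches the current parameters.
[$ok, $new_hash] = verify_and_upgrade('correct horse', $users['alice'], $options);
printf("second login ok: %s, rehash needed: %s\n",
    var_export($ok, true), var_export($new_hash !== null, true));

// A wrong password never triggers a rehash.
[$ok, $new_hash] = verify_and_upgrade('wrong', $users['alice'], $options);
printf("wrong password ok: %s, rehash needed: %s\n",
    var_export($ok, true), var_export($new_hash !== null, true));
```

The measured cost depends on the machine, so it is worth re-running the benchmark on the production hardware rather than copying a number from a development box; because password_needs_rehash() compares the stored hash's parameters with the current ones, raising the cost later upgrades existing users the next time they log in.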