Nael Mahrous

Reputation: 7

How to call encrypted Password PHP to Android MySQL

My login activity cannot read the encrypted password. I tried without an encrypted password and it works, and I'm not sure if the error is from the PHP or the activity itself, or how to decrypt the password.

I'm using PASSWORD_BCRYPT


    <?php
    include "conn.php";

    $Email = $_POST['Email'];
    $Password = $_POST['Password'];

    $sql_login = "SELECT * FROM users WHERE Email = :EMAIL and Password =:PASSWORD";
    $stmt = $PDO->prepare($sql_login);
    $stmt->bindParam(':EMAIL', $Email);
    $stmt->bindParam(':PASSWORD', $Password);
    $stmt->execute();

    if ($stmt->rowCount() > 0) {
        $returnApp = array('LOGIN' => 'SUCCESS');
        echo json_encode($returnApp);
    } else {
        $returnApp = array('LOGIN' => 'FAILED');
        echo json_encode($returnApp);
    }
    ?>

Upvotes: 0

Views: 171

Answers (1)

Bart Friederichs

Reputation: 33531

To correctly use hashing of a password in PHP, use the password_hash and password_verify combination.

When a user signs up, you get his password, hash it and store it in the database:

    $hash = password_hash($_POST['newpassword'], PASSWORD_DEFAULT);
    // store $hash in database column "password"

When this user wants to log in, you check against the hash:

    // fetch hash from database, store it in $stored_hash
    $logged_in = password_verify($_POST['password'], $stored_hash);
    if ($logged_in === TRUE) {
        echo "Welcome!";
    } else {
        echo "Username or password incorrect.";
    }

Final notes:

  1. Use PASSWORD_DEFAULT and make sure your database can store the result (also in the future). Hashing algorithms happen to get cracked once in a while.
  2. You could use another provider like Google or Facebook to handle your authentication. This does have its drawbacks as well though.

Upvotes: 2
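
The login check from the question rewritten around the answer's password_hash/password_verify pair, as an added example that is not part of the original question or answer. An in-memory SQLite database (needs the pdo_sqlite extension) stands in for the MySQL connection from conn.php, the account is constructed sample data, and the `users` table with `Email` and `Password` columns follows the question.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL connection from conn.php.
$PDO = new PDO('sqlite::memory:');
$PDO->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$PDO->exec('CREATE TABLE users (Email TEXT PRIMARY KEY, Password VARCHAR(255))');

// Sign-up: store only the hash, never the submitted password.
function register(PDO $pdo, string $email, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (Email, Password) VALUES (:EMAIL, :HASH)');
    $stmt->execute([':EMAIL' => $email, ':HASH' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the row up by e-mail only, then verify the password in PHP.
function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT Password FROM users WHERE Email = :EMAIL');
    $stmt->execute([':EMAIL' => $email]);
    $stored_hash = $stmt->fetchColumn(); // false when no such e-mail exists

    if ($stored_hash === false || !password_verify($password, $stored_hash)) {
        return false;
    }

    // Upgrade the stored hash when PASSWORD_DEFAULT or its cost has changed.
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET Password = :HASH WHERE Email = :EMAIL');
        $upd->execute([':HASH' => password_hash($password, PASSWORD_DEFAULT), ':EMAIL' => $email]);
    }
    return true;
}

// Constructed sample account.
register($PDO, 'user@example.com', 'correct horse');

// The question's query compares the submitted plaintext with the stored hash,
// so it matches no row even when the password is right.
$q = $PDO->prepare('SELECT COUNT(*) FROM users WHERE Email = :EMAIL AND Password = :PASSWORD');
$q->execute([':EMAIL' => 'user@example.com', ':PASSWORD' => 'correct horse']);
echo json_encode(['SQL_COMPARE_ROWS' => (int) $q->fetchColumn()]), "\n";

// Same JSON shape the Android client in the question expects.
foreach (['correct horse', 'wrong guess'] as $attempt) {
    $ok = login($PDO, 'user@example.com', $attempt);
    echo json_encode(['LOGIN' => $ok ? 'SUCCESS' : 'FAILED']), "\n";
}
```

The Android activity keeps sending the plaintext password over the request (which should be HTTPS); nothing is decrypted on either side, because a bcrypt hash is one-way and can only be verified.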
