Anne Rebb

Reputation: 305

How to check if two hashes are equal using OO

I would like to make a check to see if the two hashes are the same, and then add the same ones to the database; that is, if the password is the same as the confirmation password, then the user can register.
I tried to use the comparison operator == and the password_verify method, but neither of them returns true if the password hashes are the same.

What can I do to verify that the two password hashes are the same and then be able to add them to the database?

<?php

class SignUp {

    private $email;
    private $password;
    private $password2;

    public function setEmail($e) {
        $this->email = $e;
    }

    public function getEmail() {
        return $this->email;
    }

    public function setPassword($p) {
        // password_hash() draws a new random salt on every call
        $this->password = password_hash($p, PASSWORD_BCRYPT);
    }

    public function getPasswordHash() {
        return $this->password;
    }

    public function setPassword2($p2) {
        // a second call, so a second salt and a different hash string
        $this->password2 = password_hash($p2, PASSWORD_BCRYPT);
    }

    public function getPasswordHash2() {
        return $this->password2;
    }

    public function CheckHashes() {
        // string comparison of two independently salted hashes
        if($this->getPasswordHash() == $this->getPasswordHash2()) {
            echo 'This is true'; //Insert into the database
        }
        else {
            echo 'This is false';
        }
        echo "\n";
        // password_verify() expects the plain password as its first argument;
        // here it receives the other hash instead
        if(password_verify($this->getPasswordHash(), $this->getPasswordHash2())) {
            echo 'True'; //Insert into the database
        }
        else {
            echo 'False';
        }
        echo "\n";
    }
}

$obj = new SignUp();
$obj->setEmail('email');
$obj->setPassword('string');
$obj->setPassword2('string');
$obj->CheckHashes(); // the method echoes its result and returns nothing

Upvotes: 0

Views: 176

Answers (1)

Álvaro González

Reputation: 146460

Getting a completely different result every time you invoke password_hash() with the same plain password is entirely intentional and a very important security measure. It's a defence against pre-computed hash attacks (rainbow tables), and it also mitigates data leaks.

Validating that the user has typed the password correctly doesn't need any cryptographic tools. The good old === operator on plain passwords should be enough for most usages.

public function setPassword($password, $confirm) {
    if ($password === $confirm) {
        $this->password = password_hash($password, PASSWORD_BCRYPT);
    } else {
        // Handle input error here
    }
}

Upvotes: 2
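The registration flow the answer describes, as an added example that is neither the asker's code nor the answerer's: the plain password and its confirmation are compared with === before anything is hashed, password_hash() is called exactly once, and a later login attempt is checked with password_verify() against the stored hash. The class and method names (SignUp, setPassword, verify) and the sample e-mail and passwords are my own constructed choices. The first part of the script also shows why the question's approach cannot work: two password_hash() calls on the same input produce different strings because each gets its own random salt, yet both verify against the original plain text.

```php
<?php
// Added example (not from the question or the answer).
declare(strict_types=1);

final class SignUp
{
    private string $email;
    private ?string $passwordHash = null;

    public function __construct(string $email)
    {
        $this->email = $email;
    }

    /**
     * Accept the password only when it matches the confirmation field.
     * Both values are plain text here and are compared BEFORE hashing,
     * because password_hash() salts its output and two hashes of the same
     * password never compare equal as strings.
     */
    public function setPassword(string $password, string $confirm): bool
    {
        if ($password !== $confirm) {
            $this->passwordHash = null;   // caller reports "passwords do not match"
            return false;
        }
        // Hash exactly once; this single string is what goes into the users table.
        $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
        return true;
    }

    /** The one hash to persist (null until a matching pair was supplied). */
    public function getPasswordHash(): ?string
    {
        return $this->passwordHash;
    }

    /** Login check: plain password attempt against the stored hash. */
    public function verify(string $attempt): bool
    {
        return $this->passwordHash !== null
            && password_verify($attempt, $this->passwordHash);
    }
}

// --- demonstration on constructed input -------------------------------------

// Two hashes of the same plain password are different strings (fresh salt each
// time), so comparing them with == or handing one to password_verify() as the
// "password" argument fails. Each hash still verifies against the plain text.
$h1 = password_hash('string', PASSWORD_BCRYPT);
$h2 = password_hash('string', PASSWORD_BCRYPT);
var_dump($h1 === $h2);                       // hash strings differ
var_dump(password_verify('string', $h1));    // plain text verifies against hash 1
var_dump(password_verify('string', $h2));    // and against hash 2

// Registration: reject a mistyped confirmation, accept a matching one.
$user = new SignUp('user@example.com');      // constructed sample address
var_dump($user->setPassword('string', 'strnig'));  // confirmation typo
var_dump($user->setPassword('string', 'string'));  // matching pair, hash stored
var_dump($user->getPasswordHash() !== null);

// Login: only the original plain password verifies against the stored hash.
var_dump($user->verify('string'));
var_dump($user->verify('wrong'));
```

Run it with the PHP CLI; the first var_dump is false and the two password_verify() checks are true, the mistyped confirmation is rejected and the matching one accepted, and only the correct login attempt verifies. The design point is that equality is decided on the user's two plain-text inputs, and the hash is treated as an opaque, write-once value that is only ever consulted through password_verify().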
