Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to verify password against database?

Tags:

php

hash

I went through many articles related to this topic, such as this:

Using PHP 5.5's password_hash and password_verify function

Yet, I'm unsure if I'm hashing and salting the correct way or over doing it!

I want to use my own salt and then hash. Both salt and hashed password stored in the database in two different fields.

This is how I hash the password before storing into database

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$salt = sprintf("$2a$%02d$", $cost) . $salt;

//shall I remove this line and replace below PASSWORD_DEFAULT  with PASSWORD_BCRYPT instead?
$password = crypt($data['password'], $salt);

$hash = password_hash($password, PASSWORD_DEFAULT);

Given that, I'm trying to verify the password as below: Somehow I feel that I'm complicating the process.

$salt=$row['salt'];//taken from db
$hashAndSalt=$row['hashpword'];//taken from db
$password="pwtester";//user keyed in password

$newpassword = crypt($password, $salt);
$newhash = password_hash($newpassword, PASSWORD_DEFAULT);


if (password_verify($password, $newhash)) {
   echo"verified";
}
else
{
    echo"Not verified"; 
}

EDITED:

Now I store like this:

$cost = 10;
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
$options = array('cost' => $cost,'salt' => $salt);
$hash = password_hash($data['password'], PASSWORD_DEFAULT,$options);

But verification confusing:

$email = "[email protected]";
$uid= '555ca83664caf';
$sql = "SELECT *FROM authsessions WHERE email =:myemail AND useruuid =:uid";

$statement = $pdo->prepare($sql);
$statement->bindValue(':myemail', $email);
$statement->bindValue(':uid', $uid);
$statement->execute();
while( $row = $statement->fetch()) {
    echo "salt ".$row['salt']."<br/><br/>";
    echo "hashpassword ".$row['hashpword'];
}

$salt=$row['salt'];
$hashAndSalt=$row['hashpword'];
$password="test55";

$newhash = password_hash($password+$salt, PASSWORD_DEFAULT);


if (password_verify($newhash, $hashAndSalt)) {
   echo"verified";
}
else
{
    echo"Not verified"; 
}

It echoes "Not Verified"

like image 626
sherly Avatar asked May 20 '15 09:05

sherly

People also ask

How do you verify that a password matches its hash?

The password_verify() function can verify that given hash matches the given password. Note that the password_hash() function can return the algorithm, cost, and salt as part of a returned hash. Therefore, all information that needs to verify a hash that includes in it.

What is the Verify password?

The VERIFY PASSWORD command allows an application to check that a password matches the password recorded by an external security manager (ESM) for a user ID, and return values recorded by the external security manager for the password.

How can I know MySQL password in php?

Then use the password_verify() function to verify the user-entered password with a hashed password like below. So the recommended approach to save and verify the password is. Use the password_hash() function to generate the one-way hashed password. Use the password_verify() function to verify the passwords.

How do I find MySQL username and password?

So for example, to show MySQL users' username, password and host, we'll modify the sql query to accordingly as such: mysql> select user, password, host from mysql. user; The above sql query will present you with a list of users and their respective user name, password and database host.

1 Answers

The function password_hash() is just a wrapper, internally it generates a cryptographically safe salt and then calls the crypt() function to calculate the BCrypt hash.

So there is no reason to do the same steps yourself (do not call crypt() and do not generate a salt). Generating your own salt is not recommended, because you cannot do it better than the password_hash function does. Also there is no reason to store the salt in a separate db column, it is already part of the resulting hash-value.

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
like image 162
martinstoeckli Avatar answered Oct 14 '22 08:10

martinstoeckli
Sign in to Comment

Related questions

PHP Laravel Facade __callStatic argument list
generate url in module and outside of module in Yii2
Generate JavaScript file with PHP when requested in HTML
Output rendered HTML as plain text
How to get all checkout fields from WooCommerce?
Setting post data with a Laravel request object
How to delete a row from a SQL table?
Display PHP Errors in IIS
With Laravel Migration, How to change data type of a column and update its existing data to fit the new data type, without using raw SQL queries?
Heroku doesn't recognize my Laravel app as PHP app, and does not do composer install
JSON schema: how to allow empty string for property with numeric type?
Guzzle HTTP request transforms from POST to GET
Laravel: saving date to MySQL
Laravel 5 on shared hosting - wrong public_path()
Mockery object argument validation issue
How to secure a php based webservice
How to use Piwik device detector in php project?
web pages with a lot of AJAX calls performance
Convert HTML code to doc using PHP and PHPWord
Redirect 302 on Laravel POST request

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!