 

I can't compare password from my database and the one inputted

Tags:

php

I am using the PHP crypt function to make a password secure, but when I try to compare an entered password to the one in the database it will not work.

Here is my code to create the password in the first place:

// no salt argument given, so crypt() picks a new random salt on every call
$crypt_password = crypt($_POST['confirm-password']);

Here is me trying to compare to the password in another function:

// again no salt argument, so this produces a hash with a different salt
$input_crypt_password = crypt($_POST['input-pw']);

// $dbpassword holds the hash stored at signup
if ($input_crypt_password == $dbpassword) {
    // do change password function
}

This is not working.

When I print both passwords they are different.

Why are the passwords different even though I am entering the same password and using the crypt function on both?

Can anyone point me in the right direction?

dev_py_uk asked Dec 14 '16 11:12


2 Answers

From the docs

Example #1 crypt() examples

<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated

/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (hash_equals($hashed_password, crypt($user_input, $hashed_password))) {
   echo "Password verified!";
}
?>

The code in the question will effectively generate a new hash every time it's called - the existing password hash needs to be passed as the salt to get a consistent result.

As also mentioned in the docs:

Use of password_hash() is encouraged.

I'd go further and say you definitely should be using password_hash instead of calling crypt for password usage (assuming PHP >= 5.5); in any case, for whatever tools/methods you're using, please read the docs to know how to use them.

AD7six answered Sep 20 '22 00:09
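The following is an added example, not code from the question or from either answer. It reproduces the failure the question describes with explicitly generated salts (crypt() without a salt argument is no longer accepted in PHP 8, and emitted a notice from 5.6), then shows the two correct checks: re-hashing the input with the stored hash as the salt, as the docs excerpt above does, and the password_hash()/password_verify() pair that both answers recommend. The function names and the sample passwords are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or the answers above.

// Build a salt for SHA-512 crypt ("$6$"): 16 characters from [./0-9A-Za-z].
// base64 output may contain '+', which crypt() does not accept, so map it to '.';
// '/' is already a valid salt character.
function makeSha512Salt(): string
{
    $chars = strtr(base64_encode(random_bytes(12)), '+', '.');
    return '$6$' . substr($chars, 0, 16) . '$';
}

// Correct crypt()-based check: re-hash the input using the STORED hash as the
// salt (crypt() reads the algorithm and salt prefix from it), then compare in
// constant time with hash_equals().
function verifyCryptHash(string $input, string $storedHash): bool
{
    $rehashed = crypt($input, $storedHash);
    // On failure crypt() returns a short marker string such as "*0";
    // never let that be treated as a match.
    if (strlen($rehashed) < 13) {
        return false;
    }
    return hash_equals($storedHash, $rehashed);
}

// Constructed sample input standing in for $_POST['confirm-password'] and
// $_POST['input-pw'] in the question.
$signupPassword = 'correct horse battery staple';
$loginPassword  = 'correct horse battery staple';

// 1. The bug from the question: each call gets a fresh random salt, so the
//    same password produces two different hashes and "==" never matches.
$dbpassword   = crypt($signupPassword, makeSha512Salt()); // what gets stored
$inputAttempt = crypt($loginPassword, makeSha512Salt());  // new salt, new hash
echo 'naive == comparison: ', var_export($inputAttempt == $dbpassword, true), PHP_EOL;

// 2. The fix when staying with crypt(): reuse the stored hash as the salt.
echo 'crypt() verify, right password: ', var_export(verifyCryptHash($loginPassword, $dbpassword), true), PHP_EOL;
echo 'crypt() verify, wrong password: ', var_export(verifyCryptHash('not it', $dbpassword), true), PHP_EOL;

// 3. The recommended approach (PHP >= 5.5): password_hash() chooses the
//    algorithm, cost and salt and records them in the returned string, and
//    password_verify() reads them back, so no salt handling is needed in
//    application code.
$dbpasswordModern = password_hash($signupPassword, PASSWORD_DEFAULT);
echo 'password_verify, right password: ', var_export(password_verify($loginPassword, $dbpasswordModern), true), PHP_EOL;
echo 'password_verify, wrong password: ', var_export(password_verify('not it', $dbpasswordModern), true), PHP_EOL;

// Upgrade path: after a successful login, rehash if the stored value is no
// longer in the currently preferred form (e.g. algorithm or cost changed).
if (password_needs_rehash($dbpasswordModern, PASSWORD_DEFAULT)) {
    $dbpasswordModern = password_hash($loginPassword, PASSWORD_DEFAULT);
}
```

Run it with `php example.php`: the naive comparison reports false for identical passwords, while both verifyCryptHash() and password_verify() report true for the matching password and false for the wrong one. The strlen() guard matters because a malformed stored hash makes crypt() return a failure marker, and comparing two such markers would otherwise succeed.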


Don't use crypt directly for passwords.

If you have PHP 5.5+, then use the built-in password_hash function; otherwise, if you have PHP 5.3.7+, use the polyfill for this function.

Ron Dadon answered Sep 22 '22 00:09