I got this assignment and until now I was using sha1 for security. The teacher got back to us last Friday and told us to use password_hash. Knowing it's due tomorrow, I tried to figure out how this works but can't wrap my head around it. I found many people talking about it but none of these worked for me: How to use password_hash Register And Login
Currently, as it was assigned, I am only using PDO and went back to my previous working code (with sha1):
    <?php
    ob_start();// TEST
    include("inc/timer.inc.php");//session
    require("inc/database.inc.php");//connection website
    $title='website';
    if (isset($_POST['formConnection'])) {
        $loginConnection = filter_input(INPUT_POST, 'loginConnection', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
        // Connection sha1- OLD
        $passwordConnection = sha1($_POST['passwordConnection']);
        // Connection password_hash
        //$hash = $profile['password'];
        //$passwordConnection = password_verify($_POST['passwordConnection'], $hash);
        if (!empty($loginConnection) AND !empty($passwordConnection)) {
            $connection = $website->prepare("SELECT * FROM members WHERE login = ? AND password = ?");
            $connection->execute(array($loginConnection, $passwordConnection));
            $userExists = $connection->rowCount(); // Check the user exists and store the values in the session
            if ($userExists == 1) {
                $profile = $connection->fetch();
                $_SESSION['idMember'] = $profile['idMember'];
                $_SESSION['login'] = $profile['login'];
                $_SESSION['status'] = $profile['status'];
                header("Location: member-detail.php?idMember=".$_SESSION['idMember']);
                exit; // stop here so the form below is not sent after the redirect
            } else {
                echo "<script>alert(\"Wrong login or password\")</script>";
            }
        } else {
            echo "<script>alert(\"Please check your login or your password\")</script>";
        }
    }
    ?>
    <body>
        <form method="post" action="">
            <div class="form-group">
                <label for="loginConnection">login</label><br>
                <input type="text" class="form-control" name="loginConnection" id="loginConnection"
                    placeholder="login" required><br><br>
            </div>
            <div class="form-group">
                <label for="passwordConnection">password</label><br>
                <input type="password" class="form-control" name="passwordConnection" id="passwordConnection"
                    placeholder="Mot de Passe" required><br><br>
            </div>
            <input type="submit" name="formConnection" value="Se connecter">
            <div class="form-group">
                <a href="subscribe.php">Not subscribed yet?</a>
            </div>
        </form>
        <br><br>
    </body>
I know it's supposed to be a boolean but I cannot figure out how to use it.
Is there a step-by-step tutorial for this? I might have missed it. Thanks.
The password_verify() function is to be used in conjunction with the password_hash() function.
You store the hash generated from password_hash() in your database. When someone tries to log in, you test the password they provided against the hash. If password_verify() returns true, the password matches.
You should not rehash the password yourself with password_hash() because you will get a different answer every time (if using a random salt, which you should). When you hash the password using password_hash(), it, by default, uses a random salt to hash it. This random salt is encoded into the resulting hash string so that password_verify() can verify it using the same salt as it was originally hashed with.
Basically, you should retrieve the hash from the database for the user trying to log in, and supply it to the password_verify() function. Along with the salt, the hash also contains information as to which hash algorithm was used.
    <?php
    // See the password_hash() example to see where this came from.
    $hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';
    if (password_verify('rasmuslerdorf', $hash)) {
        echo 'Password is valid!';
    } else {
        echo 'Invalid password.';
    }
    ?>
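As an added example (not the asker's code and not part of the answer above), here is the login from the question restructured around password_hash() and password_verify(). It assumes the PDO connection `$website`, the `members` table and its `idMember`, `login`, `status` and `password` columns from the question, and that the `password` column is wide enough to hold the hash string (VARCHAR(255) is the common recommendation).

```php
<?php
// Added example: login flow using password_hash()/password_verify().
// Assumes a PDO connection in $website and a `members` table with the
// idMember, login, status and password columns used in the question;
// the password column must be wide enough for the hash (e.g. VARCHAR(255)).
declare(strict_types=1);

// Registration (subscribe.php): store the hash, never the plain password.
function registerMember(PDO $website, string $login, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // random salt and algorithm id are embedded
    $stmt = $website->prepare('INSERT INTO members (login, password) VALUES (?, ?)');
    $stmt->execute([$login, $hash]);
}

// Login: select the row by login only, then let password_verify() compare.
// The hash cannot go into the WHERE clause, because each password_hash()
// call returns a different string for the same password.
function authenticateMember(PDO $website, string $login, string $password): ?array
{
    $stmt = $website->prepare('SELECT * FROM members WHERE login = ?');
    $stmt->execute([$login]);
    $profile = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($profile === false || !password_verify($password, $profile['password'])) {
        return null; // unknown login or wrong password: same answer for both
    }

    // If PHP's default algorithm/cost changed since the hash was stored, upgrade it now.
    if (password_needs_rehash($profile['password'], PASSWORD_DEFAULT)) {
        $upd = $website->prepare('UPDATE members SET password = ? WHERE idMember = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $profile['idMember']]);
    }
    return $profile;
}

if (isset($_POST['formConnection'])) {
    $profile = authenticateMember($website, (string) ($_POST['loginConnection'] ?? ''), (string) ($_POST['passwordConnection'] ?? ''));
    if ($profile !== null) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
        $_SESSION['idMember'] = $profile['idMember'];
        $_SESSION['login']    = $profile['login'];
        $_SESSION['status']   = $profile['status'];
        header('Location: member-detail.php?idMember=' . (int) $profile['idMember']);
        exit;
    }
    echo '<script>alert("Wrong login or password")</script>';
}
```

The password is passed to password_verify() untouched; sanitising or trimming it before hashing or verifying would silently change which passwords are accepted.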