Verify Login with Bcrypt Password

Tags: php, mysql

I have a site where I'm programming a registration/login system with bcrypt. I have successfully inserted the registration details with the hashed password into the database. My problem is how to authenticate the user using this hashed password. Below is the code I used:

Registration action:

<?php ob_start(); // Start buffer output ?>
<html>
<head>
<title>MySite: Registration Action</title>
</head>
<font face="arial">

<?php

session_start();
// Strict comparison: "==" between two numeric-looking strings compares them as numbers
if(isset($_POST["captcha"]) && $_POST["captcha"] !== "" && isset($_SESSION["code"]) && $_SESSION["code"] === $_POST["captcha"])
{
//echo "Correct Code Entered";
//Do req stuff

$host="host"; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="db"; // Database name 
$tbl_name="tbl"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form 
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);
$myemail=mysql_real_escape_string($_POST['myemail']);
$mysecrquest=mysql_real_escape_string($_POST['mysecrquest']);
$mysecransw=mysql_real_escape_string($_POST['mysecransw']);
$mypassword_rep=mysql_real_escape_string($_POST['mypassword_rep']);
$myemail_rep=mysql_real_escape_string($_POST['myemail_rep']);
$mysecransw_rep=mysql_real_escape_string($_POST['mysecransw_rep']);

// bcrypt via crypt(): "$2a$" selects Blowfish, "18" is the cost (2^18 rounds, far above the
// usual 10-12 and slow enough to take seconds per hash), then 22 salt characters. md5() output
// stays inside bcrypt's salt alphabet [./0-9A-Za-z], but rand()/uniqid() are not cryptographic.
$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);

// crypt() returns a 60-character string that already embeds "$2a$18$" and the salt,
// so the separate salt column below is redundant: the stored hash alone is enough to verify.
$encpass = crypt($mypassword, $salt);

//validate input
if (( !empty($myusername) && !empty($mypassword) && !empty($myemail) && !empty($mysecrquest) && !empty($mysecransw) )
&& (($mypassword_rep==$mypassword)&&($myemail_rep==$myemail)&&($mysecransw_rep==$mysecransw)))
{
// Insert data into mysql 
$sql="INSERT INTO $tbl_name(username, salt, password, email, secrquest, secransw)
      VALUES('$myusername', '$salt', '$encpass', '$myemail', '$mysecrquest', '$mysecransw')";
$result=mysql_query($sql);

// if successfully insert data into database, displays message "Successful". 
if($result){
echo "<center><font color='green'>Congratulations! Your registration was Successful</font></center>";
echo "<BR>";
echo "<center><a href='somepage.php'>Somepage</a></center>";
}
}

else {
echo "<center><font color='red'>You have one or more invalid entries: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}


}
else {
echo "<center><font color='red'>Wrong Captcha: Your Registration was not successful</font></center>";
echo "<br>";
echo "<center><a href='regpage.php'>Back</a></center>";
}

?> 



<?php 
// close connection 
//mysql_close();
?>

</font>
</html>
<?php ob_flush(); // Flush buffer output ?>

Login Action:

<?php ob_start(); // Start buffer output ?>
<html>
<head>
<title>MySite: Login Action</title>
</head>

<font face="arial">

<?php
session_start();
// Strict comparison: "==" between two numeric-looking strings compares them as numbers
if(isset($_POST["captcha"]) && $_POST["captcha"] !== "" && isset($_SESSION["code"]) && $_SESSION["code"] === $_POST["captcha"])
{
// echo "<font color='green'>Correct Code Entered</font>";
//Do req stuff

$host="host"; // Host name 
$username="username"; // Mysql username 
$password="password"; // Mysql password 
$db_name="db"; // Database name 
$tbl_name="tblx"; // Table name 
$tbl_name2="tbl"; // Table name 2

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Get values from form 
$myusername=mysql_real_escape_string($_POST['myusername']);
$mypassword=mysql_real_escape_string($_POST['mypassword']);

// Validate the login
$sql2="SELECT * FROM $tbl_name2 WHERE username='$myusername'";
$result2=mysql_query($sql2);

$row=mysql_fetch_assoc($result2);

//$count=mysql_num_rows($result2);

// If result matched $myusername and $mypassword, table row must be 1 row
//if($count==1)

//$salt = '$2a$18$' . substr(md5(uniqid(rand(), true)), 0, 22);
// $salt is never assigned in this script, so crypt() is not given the bcrypt salt used
// at registration and $encpass cannot equal the stored hash.
$encpass = crypt($mypassword, $salt);
if ($encpass == $row['password'])
{
// session_start() was already called at the top of this script
$_SESSION['myusername'] = $myusername;
header ("Location: memberspage.php");
exit; // stop here so nothing after the redirect header is executed
}

else {
echo "<center><font color='red'>Invalid Login Details. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";

echo "<center><a href='loginpage.php'>Back</a></center>";
}


}

else {
echo "<center><font color='red'>Wrong Captcha. Not Logged In.</font></center>";
echo "<br>";
echo "<center><font color='red'>Please go back and try again.</font></center>";
echo "<br>";

echo "<center><a href='loginpage.php'>Back</a></center>";
}
?>


<?php 
// close connection 
//mysql_close();
?>

</font>
</html>
<?php ob_flush(); // Flush buffer output ?>

Any help is appreciated. Thanks.

adeoba asked Feb 15 '23 20:02


1 Answer

I suggest using PHP's built-in password_xxx() functions. These are explicitly designed to make it easy to work with passwords hashed using bcrypt. You don't need to think of anything other than calling password_verify() to check a login attempt and password_hash() when creating an account. Easy.

That's by far the easiest way of working with passwords in PHP.

Note that these functions are only available in the latest PHP version (v5.5). However, there is a backward compatibility library you can download that makes them work exactly the same in all currently supported versions of PHP (i.e. v5.3 and 5.4).

Hope that helps.

Spudley answered Feb 18 '23 10:02
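The `password_hash()`/`password_verify()` workflow the answer recommends, applied to the registration and login actions from the question, as an added example (this is not code from the question or the answer). The mechanism the question's login script is missing is that a bcrypt string from `crypt()` already carries its own salt and cost, so verification is `crypt($password, $storedHash)` compared against `$storedHash`; `password_verify()` does exactly that with a constant-time comparison, and it accepts the `$2a$` hashes the question's registration script already produced. Assumptions: PHP 5.5 or later (or the password_compat library on 5.3/5.4), the pdo_sqlite extension standing in for the `mysql_*` functions so the script runs offline, and a users table with `username` and `password` columns; the accounts `alice` and `bob` are constructed for the demonstration.

```php
<?php
// Added example, not the question's or the answer's code.
// Assumes PHP >= 5.5 (or ircmaxell/password_compat on 5.3/5.4) and the pdo_sqlite
// extension. An in-memory SQLite database stands in for the question's MySQL table.

function openDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // No separate salt column: the string returned by password_hash() already
    // contains the algorithm, cost and salt ("$2y$10$" + 22 salt chars + 31 hash chars).
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Registration: hash the raw password (never run it through an SQL escaping
// function first, that silently changes passwords containing quotes or backslashes)
// and store it with a prepared statement, which handles quoting of the username.
function registerUser(PDO $db, $username, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute(array(':u' => $username, ':p' => $hash));
    return $hash;
}

// Login: fetch the stored hash for the username and let password_verify() read
// the salt and cost out of it. If the stored hash uses an outdated algorithm
// identifier or cost, rehash it with the current settings while we still have
// the cleartext password.
function loginUser(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same failure path for an unknown user and a wrong password, so the
    // response does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, array('cost' => 10))) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
        $upd = $db->prepare('UPDATE users SET password = :p WHERE username = :u');
        $upd->execute(array(':p' => $newHash, ':u' => $username));
    }
    return true;
}

$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');

// Constructed legacy row: an account hashed the way the question's registration
// script does it, with crypt() and a "$2a$" salt (cost 08 here instead of the
// question's 18 to keep the demo fast). password_verify() accepts any crypt()
// format hash, and password_needs_rehash() flags the "$2a$" identifier for upgrade.
$legacySalt = '$2a$08$' . substr(md5(uniqid(rand(), true)), 0, 22);
$legacyHash = crypt('old password', $legacySalt);
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(array('bob', $legacyHash));

var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'wrong password'));
var_dump(loginUser($db, 'nobody', 'anything'));
var_dump(loginUser($db, 'bob', 'old password'));

// After bob's successful login his row now holds a "$2y$10$" hash.
var_dump(substr($db->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn(), 0, 7));
```

The first and fourth `loginUser()` calls succeed and the middle two fail; the final query shows bob's stored hash starting with `$2y$10$` after the transparent rehash. The captcha check, session handling and redirect from the question's scripts are unchanged by this and would wrap `loginUser()` in the same way the question wraps its `crypt()` comparison.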