So, I have hashed the password for new accounts which are created on adduser.php with this:
if (isset($_POST['submit'])) {
require "../functions/db-insert.php";
$productcategory = [
'username' => $_POST['username'],
'password' => sha1($_POST['password']),
'isadmin' => $_POST['isadmin']
];
//$hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
$category = insert($pdo, 'users', $productcategory);
echo "<p>User added</p>";
}
and now I'm trying to modify my login.php to be able to sign properly using password_verify, but I seem to be doing something wrong as I can no longer sign in.
if (isset($_POST['submit'])) {
if (isset($_POST["username"]) && isset($_POST["password"])) {
$results = $pdo->prepare("SELECT * FROM users
WHERE username = :username AND password = :password");
$values = [
':username' => $_POST["username"],
':password' => $_POST['password']
];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
$results->execute($values);
$row = $results->fetchAll();
if(count($row) < 1){
echo '<h3><strong>Wrong username or password!</h3>';
}
else if (!password_verify($password, $hash)){
$_SESSION['loggedin'] = true;
$_SESSION['name'] = $_POST['username'];
echo "<h3>Welcome back " . $_SESSION['name'] . " !</h3>";
}
}
}
At this point, I'm not entirely sure what I'm doing wrong and would really appreciate if someone could help me troubleshoot the stuff I do wrong. I've looked all over stackoverflow but none of the previously asked questions were working for me, unfortunately.
You're re-hashing the password. When you use password_hash you don't get the same value for the same string, so you are never going to find a match. You need to select the password (hashed) and then pass the raw string (input) into password_verify. So just have the username in the where, then use result password and the raw string in password_verify
Try echoing out a password_hash of the same value (e.g. password_hash('test'....). and you will see. You also need to account for using md5 is this is what you have done before. If this is a live system it will be difficult as you will basically need to make everyone change their password or write some routine to update it next time they log in (e.g. use the old verification method then password_hash() the password and update it). If this isn't production code yet just clear your your passwords and start again.
Also I just noticed you have said you want to log people in if the password verification returns false ,(!password_verify.... So your logic back to front
Related
I'm using PHP's password hashing API to hash and verify my passwords on a site I'm building, however whenever I try and verify my password it always returns false.
I have a User class which sets the password before they are inserted into the database:
public function set__password($passwd) {
self::$password = password_hash($passwd, PASSWORD_BCRYPT, array('cost' => 12));
}
If the username and email is unique the new user row is inserted - upon checking my database I have what seems to be a valid BCRYPT string for my password:
$2y$12$lTMEP0wevDEMX0bzStzoyOEzOTIAi3Hyhd3nYjGwzbI
To verify my password, I run the following script:
$username = $_POST['username'];
$password = $_POST['password'];
$DB = Database::getInstance();
// Get the stored password hash
$res = $DB->run__query('SELECT password FROM users WHERE username = "' . $username . '"');
$hash = $res[0]['password'];
// Do the passwords match?
if(password_verify($password, $hash)) {
echo 'success';
} else {
echo 'failed';
}
$hash pertains to the string quoted above, however when I then call password_verify($password, $hash) where $password is the plain-text password retrieved from my input field, I always receive a value of false.
The given hash string example has 50 characters instead of 60. Double-Check the database - CHAR(60) - and var_dump($hash).
Other problem that you can have, is when you reduce the cost in the server for gaining time.
Always use password_hash($pass, PASSWORD_DEFAULT), is the best way.
This question already has answers here:
How to use PHP's password_hash to hash and verify passwords
(5 answers)
Closed 2 years ago.
Well I'm making a login system with MySQL and PHP. Then I want to crypt the user's password using password_hash and password_verify functions. But it isn't work for me at the time of compare the dehashed password with the hashed password (password_verify func).
So here is my code.
signup.php
$password_hashed = password_hash($data['password'], PASSWORD_DEFAULT, array("cost"=>15));
$statement = $connection->prepare("INSERT INTO users (username, email, password) VALUES (:username, :email, :password)");
if ($statement && empty($result1)) {
$result = $statement->execute( [
':username' => $data['username'],
':email' => $data['email'],
':password' => $password_hashed,
]);
header('Location: register.php');
$_SESSION['messages'][] = 'Thank you for registration. Check your email then log in.';
exit();
}
login.php
if ($user['username'] === $username && $user['password'] === password_verify($user['password'], $password)) {
header("Location: panel.php");
$_SESSION['username'] = $user['username'];
die();
} else {
$_SESSION['messages'][] = 'Incorrect user or password!';
header('Location: login.php');
}
Where $password: $password = $data['password'];
Where $user:
$statement = $connection->prepare('SELECT * FROM users WHERE username = :username');
$statement->execute([':username' => $username]);
$result = $statement->fetchAll(PDO::FETCH_ASSOC);
$user = array_shift($result);
Output: Incorrect user or password!
This returns a boolean (true/false) value:
password_verify($user['password'], $password)
So this will never be true:
$user['password'] === password_verify($user['password'], $password)
Once you've selected the user from the database based on the provided username, just verify the password:
if (password_verify($user['password'], $password)) {
A couple notes on your terminology, becase it's important...
I want to crypt the user's password
No, you do not want to encrypt the user's password. You want to "hash" it. It's an important distinction. Encrypted things can be returned to their original form. Hashed things can not. Which is a vital part of password security.
compare the dehashed password with the hashed password
There's no "dehashed" anything. What the internals of password_verify does is hash the provided password and compare that result with the already-hashed stored password. At no point can you in any way convert the stored hashed password back to its original form.
my login activity cannot read encrypted Password i tried without encrypted password and it works and im not sure if the error from php or activity itself of how to decryption password
im Using PASSWORD_BCRYPT
<?php
include "conn.php";
$Email = $_POST['Email'];
$Password = $_POST['Password'];
$sql_login = "SELECT * FROM users WHERE Email = :EMAIL and Password =:PASSWORD";
$stmt = $PDO->prepare($sql_login);
$stmt->bindParam(':EMAIL', $Email);
$stmt->bindParam(':PASSWORD', $Password);
$stmt->execute();
if ($stmt->rowCount() > 0) {
$returnApp = array('LOGIN' => 'SUCCESS');
echo json_encode($returnApp);
}else{
$returnApp = array( 'LOGIN' => 'FAILED');
echo json_encode($returnApp);
}
?>
To correctly use hashing of a password in PHP, use the password_hash and password_verify combination.
When a user signs up, you get his password, hash it and store it in the database:
$hash = password_hash($_POST['newpassword'], PASSWORD_DEFAULT);
// store $hash in database column "password"
When this user wants to login, you check against the hash:
// fetch hash from database, store it in $stored_hash
$logged_in = password_verify($_POST['password'], $stored_hash);
if ($logged_in === TRUE) {
echo "Welcome!";
} else {
echo "Username or password incorrect.";
}
Final notes:
Use PASSWORD_DEFAULT and make sure your database can store the result (also in the future). Hashing algorithms happen to get cracked once in a while.
You could use another provider like Google or Facebook to handle your authentication. This does have its drawbacks as well though.
I have question about valid hashing passwords:
login.php
$login = $_POST['login'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
if(!empty($login) && !empty($password) && password_verify(??){
I want to make secure login and I know that I have to verify the inputted password with existing hash (stored in database?). Also I know that bcrypt everytime makes new hash (because of different salt size etc).
The problem is that I don't know how to put this hash into database because I don't want to register new users, I have static list of users (exactly two: admin and user).
I tried manually copy/paste hash but it wouldn't work as I mentioned earlier that every time I run script new hash is created.
Can anyone help me how to put bcrypt hash in database (only once) so I can only check if inputted password is same as the one in database?
Do I need extra variables to store this hash?
EDIT:
login.php
<?php
session_start();
include("log.php");
include("pdo.php");
$login = $_POST['login'];
$password = $_POST['password'];
$adminHash = '$2y$10$lxPRtzzPDUZuPlodhU4QquP.IBrGpkjMNplpNgN9S1fEKd64tJ5vm';
$userHash = '$2y$10$Klt345wT66vA.4OAN5PEUeFqvhPQJ4Ua/A4Ylpc1ZcnJZv/hafgSu';
if(!empty($login) && !empty($password) && (password_verify($password, $adminHash) || password_verify($password, $userHash))){
$query = $pdo->prepare('SELECT * FROM xx WHERE login = ? AND admin = ?');
$query->execute(array( $login, 1));
$result = $query->fetchAll();
if(!empty($result)) {
$_SESSION['logged_admin'] = 1;
}
else {
$query->execute(array( $login, 0));
$result = $query->fetchAll();
if(!empty($result)) {
$_SESSION['logged_user'] = 1;
}
else {
$_SESSION['logged_error'] = 1;
}
}
}
else $_SESSION['logged_error'] = 1;
header("Location:index.php");
?>
it seems to be working but i dont know if it's best/safest solution.
With more passwords it will be too complicated i guess, still looking for best option!
What if i need more users? now every user have same hash and it's dangerous i get it, how to make it safe? generate hash for every user and make array or hashes?
You fetch first the one that has password_hash() from your database, and then compare it with password_verify($password, $storedpassword) like this : link
I've been trying to write a simple login for a couple of days now. After I'd thought I had it working, I realized that it would accept any input in the password field as being true so I scrapped it and started again. I'm trying to use the php function password_verify for the verification but no matter what I do, it always returns true still. Is there something I'm doing wrong? Here is my code (I know it's not secure, I just want it to recognize a wrong password for now)
if(isset($_POST['submit']))
{
$username = $_POST['username'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
if(password_verify($_POST['password'], $hash))
{
echo 0;
}
else
{
echo 1;
}
}
The reason it always returns true is because you are verifying a hash that you just created... it will always be verified correctly.
When you use the password_verify() function the $hash parameter has to come from somewhere else (usually a database of some kind).
// If this is a POST request then handle the form
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// Get password from form
$pass = filter_input(INPUT_POST, 'password', FILTER_UNSAFE_RAW);
// Connect to a database of some kind
// Get a previously hashed password
$hash = 'A HASH FROM SOMEWHERE ELSE...';
// Verify the previously hashed password
// against the password provided by the user
if (password_verify($pass, $hash)) {
echo 'Password is valid!';
}
}
You are $password getting a $_POST['password'];
You are hash a $password which is $_POST['password'];
password_verify($_POST['password'], $hash)
You are comparing a $_POST['password'] with a hash. the hash is also $_POST['password'].
That's why they return always true.because the $passwod,hash are $_POST['password'] is same.
You check the post password with the post password. You should check the post password instead with a wanted password.
You're assigning $hash to the password you received through POST.
This is how password_verify works
boolean password_verify ( string $password , string $hash )
Verifies that the given $hash matches the password received.
So now you're checking the password stored in $hash with the password obtained in POST which are the same.
Hence always true.