I am using password_hash function, it work's well in registration form and login form but doesn't work during change password form, it gives me error message incorrect old password may be my code has gone wrong or may be because password_hash generates different set of characters each time even with the same input, if it is so what method is used to update password. the same code works using md5.
if(isset($_POST['senddata'])){
$old_password = $_POST['oldpassword'];
$new_password = $_POST['newpassword'];
$repeat_password = $_POST['newpassword2'];
$query = $db->prepare("SELECT * FROM users WHERE username=:username");
$query->execute(array(':username'=>$username));
$row = $query->fetch(PDO::FETCH_ASSOC);
$db_password=$row['password'];
// hash old password before match
$old_password = password_hash($old_password, PASSWORD_DEFAULT);
// check if old password equals db_password
if ($old_password==$db_password) {
// continue changing users password
if ($new_password==$repeat_password) {
// hash the new password
$new_password=password_hash($new_password, PASSWORD_DEFAULT);
$repeat_password=password_hash($repeat_password, PASSWORD_DEFAULT);
// update password
$password_update_query=$db->prepare("UPDATE userss SET password=:password, password2=:password2 WHERE username=:username");
$password_update_query->execute(array(':password'=>$new_password,':password2'=>$repeat_password2,':username'=>$username));
echo "Your Password Updated";
}
} else {
echo "Old password is incorrect";
}
}
You need to use password_verify($password, $hash); for verifying that passwords are equal
When you hash it again you get a other result because it generates a new salt, which then result in an other hash.
Something like:
$old_password = $_POST['oldpassword'];
$db_password = $row['password']; // which should be already hashed
if (password_verify($old_password, $db_password) {
Related
my login activity cannot read encrypted Password i tried without encrypted password and it works and im not sure if the error from php or activity itself of how to decryption password
im Using PASSWORD_BCRYPT
<?php
include "conn.php";
$Email = $_POST['Email'];
$Password = $_POST['Password'];
$sql_login = "SELECT * FROM users WHERE Email = :EMAIL and Password =:PASSWORD";
$stmt = $PDO->prepare($sql_login);
$stmt->bindParam(':EMAIL', $Email);
$stmt->bindParam(':PASSWORD', $Password);
$stmt->execute();
if ($stmt->rowCount() > 0) {
$returnApp = array('LOGIN' => 'SUCCESS');
echo json_encode($returnApp);
}else{
$returnApp = array( 'LOGIN' => 'FAILED');
echo json_encode($returnApp);
}
?>
To correctly use hashing of a password in PHP, use the password_hash and password_verify combination.
When a user signs up, you get his password, hash it and store it in the database:
$hash = password_hash($_POST['newpassword'], PASSWORD_DEFAULT);
// store $hash in database column "password"
When this user wants to login, you check against the hash:
// fetch hash from database, store it in $stored_hash
$logged_in = password_verify($_POST['password'], $stored_hash);
if ($logged_in === TRUE) {
echo "Welcome!";
} else {
echo "Username or password incorrect.";
}
Final notes:
Use PASSWORD_DEFAULT and make sure your database can store the result (also in the future). Hashing algorithms happen to get cracked once in a while.
You could use another provider like Google or Facebook to handle your authentication. This does have its drawbacks as well though.
On this project, I've used BCRYPT to make a hash off the password
On logging in, the user normally logging in without any errors or whatsoever, but when trying to change your password, your current password does not match with the password in the database (of course i'm using password_verify() to verify the two passwords)
Here is the snippet of my code:
$option = ['cost' => 12];
$password = password_hash($_currentpassword, PASSWORD_BCRYPT, $option);
$selectpasswordsql = "SELECT `password` FROM `auth` WHERE username=?";
$selectpasswordstmt = $conn->prepare($selectpasswordsql);
$selectpasswordstmt->execute(array($_SESSION['account']['username']));
$selectpasswordresults = $selectpasswordstmt->fetch(PDO::FETCH_ASSOC);
$databasepass = $selectpasswordresults['password'];
$databasepass = trim($databasepass);
if(password_verify($password,$databasepass)){
if(empty($passmsgs)){
$updatepasssql = "UPDATE `auth` SET
`password`=?
WHERE username=?
";
$updatepassstmt = $conn->prepare($updatepasssql);
$updatepassstmt->execute(array($password, $_SESSION['account']['username']));
if($updatepassstmt){
array_push($passmsgs, 'Successfully updating your password!');
} else {
array_push($passmsgs, 'There was a problem executing your command!');
}
}
} else {
array_push($passmsgs, 'Your current password is wrong!');
}
Trying this out will cause an error of not matching your current password with the password
Edit: Yes I am using VARCHAR with a maximum length of 255
Edit 2: Here is a link to the full copy of my codes.
You don't need to hash your $_currentpassword variable in the second line.
Just pass the variable to the password_verify function and the function itself will do the job.
I'm trying to has a password in PHP using password_hash and password_verify. I am correctly hashing the password as it is being into the database hashed, but when I attempt to unhash the password whilst logging in, it doesn't seem to want to work. The password is being recieved from an Android application but after echoing both the username and the password, they are correct to what they should be. To hash the password, I am using PASSWORD_DEFAULT as the hashing technique.
Code:
<?php
error_reporting(0);
require_once('dbconnect.php');
$username = $_POST["username"];
$password = $_POST["password"];
$result = $conn->query("SELECT * FROM User WHERE username ='$username'");
if(empty($result)){
die("Username doesn't exist");
}
$dbpass = $conn->query("SELECT password FROM User WHERE username = '$username'");
if (password_verify($password, $dbpass)){
$stmt = "SELECT * FROM User WHERE username='$username' and password='$password'";
$check = mysqli_fetch_array(mysqli_query($conn, $stmt));
if(isset($check)){
echo "success";
}else{
echo "Invalid Username or Password";
}
}
else {
echo "password not unhashing";
}
$conn->close();
Am I missing something obvious?
First, use prepared statements to remove the threat of SQL injection, or your login screen becomes an attack vector. Then the problem is you're not getting the actual dbpass, you're getting a result set containing $dbpass, without dereferencing it.
Try it this way:
//username in where clause is coming from the user, don't execute it
//also fetch a clean copy of the username from the database we can trust to do things with like display -- assuming we filtered it on the way into the database.
$stmnt = $conn->prepare('select username,password from user where username = ?') or die('...');
//username must be a string, and to keep it clear it came from a user, and we don't trust it, leave it in POST.
$stmnt->bind_param('s',$_POST['username']) or die('...');
//Do the query.
$stmnt->execute() or die('...');
//Where to put the results.
$stmnt->bind_result($username,$dbpass);
//Fetch the results
if($stmnt->fetch()) //get the result of the query.
{
if(password_verify($_POST['password'],$dbpass))
{
//The password matches.
}
else
{
//password doesn't match.
}
}
else
{
//username is wrong.
}
I'm using PHP's password hashing API to hash and verify my passwords on a site I'm building, however whenever I try and verify my password it always returns false.
I have a User class which sets the password before they are inserted into the database:
public function set__password($passwd) {
self::$password = password_hash($passwd, PASSWORD_BCRYPT, array('cost' => 12));
}
If the username and email is unique the new user row is inserted - upon checking my database I have what seems to be a valid BCRYPT string for my password:
$2y$12$lTMEP0wevDEMX0bzStzoyOEzOTIAi3Hyhd3nYjGwzbI
To verify my password, I run the following script:
$username = $_POST['username'];
$password = $_POST['password'];
$DB = Database::getInstance();
// Get the stored password hash
$res = $DB->run__query('SELECT password FROM users WHERE username = "' . $username . '"');
$hash = $res[0]['password'];
// Do the passwords match?
if(password_verify($password, $hash)) {
echo 'success';
} else {
echo 'failed';
}
$hash pertains to the string quoted above, however when I then call password_verify($password, $hash) where $password is the plain-text password retrieved from my input field, I always receive a value of false.
The given hash string example has 50 characters instead of 60. Double-Check the database - CHAR(60) - and var_dump($hash).
Other problem that you can have, is when you reduce the cost in the server for gaining time.
Always use password_hash($pass, PASSWORD_DEFAULT), is the best way.
I'm trying to create passwords that are sha256 hashed with a $salt variable to it. But for some reason it just won't work. Been working 3 hours on this now, and I'm about to rip my head off. Here is my code:
I'll try again, sorry ;o)
Ok, my script worked fine, untill I tried to add the sha256 to the passwords. I got a file for creating users which is:
$salt = "lollol";
$password = hash('sha256', $salt.$_POST['password']);
$sql = ("INSERT INTO members (username, password, name, last_name,company)VALUES('$username', '$password', '$name', '$last_name', '$company')")or die(mysql_error());
if(mysql_query($sql))
echo "Your accuont has been created.";
It seems like it's correctly added to the Database. I can see that it is getting hashed with some letters and numbers.
But then when I'm trying to login, it just won't.
My code for login.php is:
$sql= "SELECT * FROM members WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];
$salt = "lollol";
$auth_user = hash('sha256', $salt.$password);
if($password == $salt.$auth_user){
echo "Logged in";
} else {
echo "Not logged in";
}
I got the idea of that, I have to encrypt password when I want to log in, but im not sure. I hope that some of you can help me.
When trying to login you concatenate the hash with the salt once more
$auth_user = hash('sha256', $salt.$password);
if($password == $salt.$auth_user){ // <-- $salt once more
echo "Logged in";
} else {
echo "Not logged in";
}
It should work, if you just remove it
$auth_user = hash('sha256', $salt.$password);
if($password == $auth_user){
echo "Logged in";
} else {
echo "Not logged in";
}
Update: Going further
here
$sql= "SELECT * FROM members WHERE username='$username' and password='$password'";
You try to retrieve the row, where the username matches $username and the password matches $password. In the database the passwords are already hashed (and $password seems to be not defined at all), thus this query will never return any row.
$password = hash('sha256', $salt.$_POST['password']);
$username = mysql_real_escape_string($_POST['username']);
$sql= "SELECT * FROM members WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$result should now contain the only user that matches the given credentials. Its now very easy
if (mysql_num_rows($result) === 1) {
echo "Logged in";
} else {
echo "Not logged in";
}
You're storing an encrypted password, but your select query is looking for the unencrypted password.
Just get the matching username (without a password condition) - usernames are unique, right?:
$sql= "SELECT * FROM members WHERE username='$username'";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];
$salt = "lollol";
$auth_user = hash('sha256', $salt.$password);
if($row["password"] == $auth_user){
echo "Logged in";
} else {
echo "Not logged in";
}
$password = $_POST['password'];
// This should be the users actual salt after you've found the user
// in the database by username or email, or other means
$salt = $users_stored_salt;
// This should be the exact method you use to salt passwords on creation
// Consider creating a functon for it, you must use the same salt
// on creation and on validation
$hashed_password = hash('sha256', $salt.$password.$salt);
// This is the user's hashed password, as stored in the database
$stored_password = $users_stored_password;
// We compare the two strings, as they should be the same if given the
// same input and hashed the same way
if ($stored_password === $hashed_password){
echo "Logged in";
} else {
echo "Not logged in";
}
Missed your edit, but hope this helps.
EDIT: I see you aren't storing unique hashes.
If you are looking up the user by password, you need to hash the password in your query the same way it was stored:
$salt = $your_salt;
$hashed_password = hash('sha256', $salt.$_POST['password']);
$sql= "SELECT * FROM members WHERE username='$username' and password='$hashed_password'";
Otherwise, you could look up by unique username (not by password) and just compare the hashed input to the value of the stored password.
I'm very confused right now. How should my login_ac.php look like, if I should make it with the code I gave you in the top?
Just change the query to lookup by hashed password (the way you stored it).
$sql= "SELECT * FROM members WHERE username='$username' and password='".hash('sha256', $salt.$_POST['password'])."'";
You can remove the other validation and hashing - if you found the user then you know the input is valid.
Note that this only works when you know the way you're hashing the input is the exact same way you hashed the password upon creation.
It is worth checking that the field length in the database is big enough to store the whole hashed password without truncating it. You will never get a password match when logging in if the stored password is has the end missing.