0

I am having a problem with the bcrypt hash method and MySQL. I'm using the Bcrypt class from this answer.

I am creating a login script and checking whether the password is correct. I am comparing the password from input with the hashed password from the DB.

```php
$username = $_POST['username']; // username from input
$pass     = $_POST['pass'];     // password from input

$query = mysql_query("SELECT pass FROM users WHERE username='$username'");
$row   = mysql_fetch_row($query);

$row[0]; // hashed password, I echo $row[0] and it shows correct hashed password

$bcrypt = new Bcrypt(15);
$isGood = $bcrypt->verify($pass, $row[0]);

if ($isGood) {
    echo "Authentication succeeded";
} else {
    echo "Authentication failed";
}
```

Even though `$pass` is correct, I always get 'Authentication failed'. Any ideas what can be wrong?

Thank you in advance.

Edva Ptr
  • what does `if($isGood)` check for??? – Ghostman Dec 19 '12 at 13:24
  • 5
    [Bobby Tables' mother](http://xkcd.com/327/) would like to have a word with you – PeeHaa Dec 19 '12 at 13:26
  • @soul It checks if the application is good. It fails at the moment. – DaveRandom Dec 19 '12 at 13:28
  • Somehow I suppose `$bcrypt->hash` wasn't used to create the value stored in DB. Am I right? ) – raina77ow Dec 19 '12 at 13:29
  • Of course you have Bcrypt class? – Damonsson Dec 19 '12 at 13:33
  • @soul It checks whether the password from input and the hashed password from the DB are equal. In this example, I am using this [example](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php). @raina77ow, it is already added in the registration script. Or do you want to see the code of it as well? :) – Edva Ptr Dec 19 '12 at 13:34
  • @Damonsson, yes I do. It is worth mentioning that `$hash = $bcrypt->hash($pass)` and `$isGood = $bcrypt->verify($pass, $hash)` are working fine. But if I get the hashed password from the DB, the verify function does not work :( I read many other questions with bcrypt issues, but cannot find a situation similar to mine. – Edva Ptr Dec 19 '12 at 13:39

2 Answers

1

The pass column in your users table is not wide enough to store the complete hash; it should be at least 60 characters wide, i.e. VARCHAR(60).

Btw, you should check out PasswordLib as well, written and maintained by ircmaxell, which also supports Bcrypt quite well.

Ja͢ck
  • Yes, you are right. The problem was with the DB table, I found it before you answered. So now it is OK. Very stupid mistake :( – Edva Ptr Dec 19 '12 at 14:51
0

Try something like this:

```php
$bcrypt = new Bcrypt(15);
$hash = $bcrypt->hash($pass);

echo $hash.' =? '.$row[0];
```

And see if they're equal.

If yes, try something like this:

```php
var_dump($hash);
var_dump($row[0]);
```

They must be equal.

Damonsson
  • 1
    Unfortunately, it echoes different hashes, not equal. Let's say the password is 'test', so the hash will be equal every time if the pass is 'test'? I'm thinking maybe it is something with the salt. – Edva Ptr Dec 19 '12 at 13:50
  • `$row[0];// hashed password, I echo $row[0] and it shows correct hashed password` <- so, this is incorrect however? – Damonsson Dec 19 '12 at 14:05
  • The problem was with the DB table, it should be `varchar(60)`. Thank you for helping me :) – Edva Ptr Dec 19 '12 at 14:51
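
An added example, not part of the original posts or of the Bcrypt class they use: it reproduces the failure from the first answer (a hash cut short by a too-narrow column) and the salt behaviour asked about in the comments on the second, using PHP's built-in `password_hash`/`password_verify` (PHP 7+). The password, the cost of 10, the 50-character width and the helper names `isCompleteBcryptHash` and `checkLogin` are assumptions made for illustration.

```php
<?php
// Added example with constructed values; uses PHP's built-in password API,
// not the Bcrypt class from the question.

// A complete bcrypt string is 60 characters: "$2y$", a two-digit cost, "$",
// then 53 characters (22 salt + 31 digest) from the alphabet ./A-Za-z0-9.
function isCompleteBcryptHash(string $stored): bool
{
    return preg_match('/^\$2[abxy]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $stored) === 1;
}

// Hypothetical helper: tell a damaged stored hash apart from a wrong password,
// so the storage bug shows up in server logs instead of as failed logins.
function checkLogin(string $password, string $stored): string
{
    if (!isCompleteBcryptHash($stored)) {
        return 'stored-hash-corrupt';
    }
    return password_verify($password, $stored) ? 'ok' : 'bad-password';
}

$password = 'test';                      // constructed sample password
$options  = ['cost' => 10];              // assumption: low cost so the demo runs fast
$hash     = password_hash($password, PASSWORD_BCRYPT, $options);
$rehash   = password_hash($password, PASSWORD_BCRYPT, $options);

// Simulate what a 50-character column keeps when MySQL truncates on insert
// (outside strict SQL mode this produces only a warning).
$truncated = substr($hash, 0, 50);

// Each hash embeds its own random salt, so two hashes of one password differ
// and must be checked with password_verify(), never compared as strings.
printf("hash length:            %d\n", strlen($hash));
printf("same string twice:      %s\n", var_export($hash === $rehash, true));
printf("verify against rehash:  %s\n", var_export(password_verify($password, $rehash), true));
printf("verify against cut row: %s\n", var_export(password_verify($password, $truncated), true));
printf("checkLogin, full hash:  %s\n", checkLogin($password, $hash));
printf("checkLogin, cut hash:   %s\n", checkLogin($password, $truncated));
printf("checkLogin, wrong pass: %s\n", checkLogin('wrong', $hash));
```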