Using encryption class in Codeigniter

Question

My problem is that I can still log in even I typed in the wrong password. I can't seem to know if there's a problem on how I decoded the password.

encryption key:

$config['encryption_key']   = 'formcreatormj';

Log in code:

function login($email,$password){
    $pw = $this->encrypt->decode($password);

$this->db->where('email',$email);
    $this->db->where('password', $pw);

    $query=$this->db->get('user');

   if($query->num_rows()>0){
        foreach($query->result() as $rows){
            //add all data to session
            $this->addSession($rows->id, $rows->username);
        }

        return true;
    }
    return false; 
}

Answer 1

You should not be using the Encryption class for working with passwords. Passwords should be hashed one-way, to prevent the original plaintext from being recovered trivially. Codeigniter's Encryption class provides two-way encryption and is unsuitable for passwords.

Instead, you should be working with bcrypt - How do you use bcrypt for hashing passwords in PHP?

Answer 2

You are going about the hashing wrong. Typically you'd store the hash of the password in the database. i.e. when the user signs up, you $this->encrypt->encode() the password and store that in the database.

Next time the user tries to log in, you again hash the password they enter in the login and compare that to the hashed password in the database.

But, since, by default, codeigniter uses mcrypt, these hashes won't match. So what you need to do is pull the hash from the db, decrypt that and compare that with the submitted password.

$this->db->where('email',$email);
$query = $this->db->get('user')->row(0);

if($this->encrypt->decode($query->password) == $password){
    //password OK
}else{
    //password not OK
}

What you are doing is trying to decrypt the submitted password which isn't encrypted.

---

Edit: strongly agree with @xiankai You really should be using bcrypt for passwords.