0

Following "How do you use bcrypt for hashing passwords in PHP?".

Submitting passwords to MySQL using:

  $options = array('cost' => 11);
  $password = password_hash($_POST['password'], PASSWORD_BCRYPT, $options);

Password in MySQL shows as:

mysql> SELECT password FROM users;
+-----------------------------------------------+
| password                                      |
+-----------------------------------------------+
| $2y$11$O77omA4vaNKu0DScTXCBd.FSXKSV0PD0piEokV |
+-----------------------------------------------+

On the login side:

$hash = $row['password'];
$password = $_POST['password'];

if (password_verify($password, $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

Login doesn't work and always shows:

Invalid password.

I have pasted the relevant parts as the files are quite large. If more is needed (probably not relevant) I can paste.

user2656114
  • You have something else going on in your code somewhere else. The code you posted works just fine: http://3v4l.org/lmK9f – jszobody Jan 16 '14 at 15:34
  • @jszobody Indeed, the MySQL column wasn't long enough *face palm*. It was at 45 from before, I have amended it to 60. Is there some 'suggested' length or something to prevent any future problems? – user2656114 Jan 16 '14 at 15:38
  • From the PHP docs: _Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)._ – jszobody Jan 16 '14 at 15:39

2 Answers

2

I guess it's because of the column length. Using these settings, the generated password will have 60 characters; the returned one has fewer. Can you show your table structure?

The PHP documentation says:

... Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice) ...

See: http://www.php.net/manual/pt_BR/function.password-hash.php

Andrey
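
The failure diagnosed in this thread, reproduced as an added example (not code from the question or the answers): a bcrypt hash cut to 45 characters, as the 45-character column stored it, no longer passes `password_verify()`, and `password_get_info()` can be used to flag such rows. The sample password and the helper name `audit_stored_hash` are constructed for illustration; PHP 7.0 or later is assumed.

```php
<?php
// Added example. The password value and the helper name are constructed
// for illustration; they do not come from the original post.

/**
 * Classify a hash value read back from the users table.
 * Returns 'ok', 'truncated' or 'unknown'.
 */
function audit_stored_hash(string $stored): string
{
    // password_get_info() reports algoName 'unknown' for anything that
    // is not a complete hash, including a bcrypt hash of the wrong length.
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'unknown') {
        return 'ok';
    }
    // A bcrypt prefix ($2y$NN$) on a value shorter than 60 characters
    // means the hash was cut off on its way into storage.
    if (preg_match('/^\$2y\$\d{2}\$/', $stored) && strlen($stored) < 60) {
        return 'truncated';
    }
    return 'unknown';
}

$password = 'correct horse battery staple';   // constructed sample input
$full = password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);

// Simulate a 45-character column: without strict SQL mode MySQL stores
// the first 45 characters and only raises a warning.
$stored = substr($full, 0, 45);

// Compare the complete hash with the copy the database kept.
foreach (['full' => $full, 'stored' => $stored] as $label => $hash) {
    printf(
        "%-6s length=%d verify=%s audit=%s\n",
        $label,
        strlen($hash),
        var_export(password_verify($password, $hash), true),
        audit_stored_hash($hash)
    );
}
```

Widening the column does not repair rows that were already stored truncated; those passwords have to be set again.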
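-1

// crypt() reuses the salt and cost embedded in the stored hash;
// hash_equals() compares the two strings in constant time.
if (hash_equals($database_password, crypt($user_password, $database_password))) {
    // validate login
} else {
    // reject login
}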
digitai