
I use the standard password_hash() method from PHP 5, and I understand it generates a different hash value on each run.

Refer to this: correct use of password_hash

The question is, if I store the hashed password into my database (MySQL), how do I check if the user entered the correct password in the login page?

In my signup.php, I have something like:

include 'PasswordHash.php'; // contains various standard methods

$submitted_password = password_hash($_POST['password'], PASSWORD_BCRYPT);

and

$add = mysqli_query($connection, "INSERT INTO `users` VALUES(NULL,'$submitted_username','$submitted_email','$submitted_password')");

and in my login.php, I have:

$submitted_password = $_POST['password'];
$hashed_password = password_hash($_POST['password'],PASSWORD_BCRYPT);

and

if (password_verify($submitted_password, $hashed_password)) {
    echo "<script type='text/javascript'>alert('$pass');</script>";
} else {
    echo "<script type='text/javascript'>alert('$fail');</script>";
}

This will obviously echo PASS because login.php will hash the password once and compare them, but if I try

echo $hashed_password;

it is completely different from what I have in the database, obviously because it generates a different salt and uses it to hash.

FINAL QUESTION: Then, how do I check if the user entered the correct password when user submitted password will be hashed into different values every single time?

I don't know if you can understand this question; I just don't know how to describe it better.

Thank you in advance.

Saehun Sean Oh
  • `password_hash()` is only to be used when creating a user account. For your login page, you **only** use `password_verify()`. Don't rehash the incoming plain password, but fetch the user's existing hash from the database for comparison. – mario Aug 31 '14 at 06:11
  • Thank you for the answer @mario . I successfully fetched the selected row from the database and compared it. Thank you very much. I hope you didn't give this question a negative vote. I didn't mean to ask a dumb question. I tried to research as much as possible for hours – Saehun Sean Oh Aug 31 '14 at 07:25
  • It's good that you're using the correct password hashing method, but then things go horribly awry on insertion. Are you **sure** your user parameters are [properly escaped](http://bobby-tables.com/php)? When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). – tadman Aug 31 '14 at 07:37
  • Thank you for your concern @tadman. I used `stripslashes()` and `mysqli_real_escape_string()` methods to prevent someone from injecting. – Saehun Sean Oh Aug 31 '14 at 21:59
  • `stripslashes` has no business being in your code, it's to deal with "magic quotes" which any sane server config has turned off or disabled since it's been removed from newer versions of PHP. Do not call the escaping functions manually, if you ever miss even **one** your entire application can be trashed and compromised. – tadman Sep 01 '14 at 21:18
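The approach mario and tadman describe in the comments, worked through as an added example (this is not the original poster's code, nor code from the page): hash exactly once at signup and store the result with a prepared statement, then at login fetch the stored hash and check it with `password_verify()`. The `users` table layout, the column names, the `BCRYPT_COST` constant and the `$db` connection handle are assumptions.

```php
<?php
// Added example, not the original poster's code. Requires PHP >= 5.5 for
// password_hash()/password_verify(). Assumed (hypothetical) schema:
//   CREATE TABLE users (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(64) NOT NULL UNIQUE,
//     email VARCHAR(255) NOT NULL,
//     password_hash VARCHAR(255) NOT NULL   -- bcrypt output is 60 chars today
//   );
// $db is a connected mysqli instance (also assumed).

define('BCRYPT_COST', 12); // tune so one hash takes roughly 100-250 ms on your server

// signup.php: hash exactly once and store the whole 60-character string.
function register_user(mysqli $db, $username, $email, $password)
{
    // The returned string embeds the algorithm id ($2y$), the cost and a
    // fresh random salt, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    if ($hash === false) {
        return false;
    }

    // Prepared statement: user input is bound as data, never spliced into SQL.
    $stmt = $db->prepare('INSERT INTO `users` (username, email, password_hash) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $username, $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// login.php: look up the stored hash for the user and verify against it.
// Do NOT call password_hash() here; a second call gets a new random salt and
// can never reproduce what is in the database.
function login_user(mysqli $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM `users` WHERE username = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found !== true) {
        // Unknown user: still spend one bcrypt verification so that the
        // response time does not reveal which usernames exist.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy-password', PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
        }
        password_verify($password, $dummyHash);
        return false;
    }

    // password_verify() parses id, cost and salt out of $storedHash, hashes
    // the submitted password with them and compares in constant time.
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // If the stored hash was made with an older, lower cost, upgrade it now
    // while the plaintext is in hand.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
        $upd = $db->prepare('UPDATE `users` SET password_hash = ? WHERE id = ?');
        if ($upd !== false) {
            $upd->bind_param('si', $newHash, $id);
            $upd->execute();
            $upd->close();
        }
    }
    return true;
}

// Usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// register_user($db, $_POST['username'], $_POST['email'], $_POST['password']);
// if (login_user($db, $_POST['username'], $_POST['password'])) { /* start the session */ }
```

Two caveats a practitioner would want: bcrypt only uses the first 72 bytes of the password, so either cap the length at signup or be aware that longer inputs are silently truncated; and because the salt travels inside the stored string, a leaked `users` table still forces an attacker to run bcrypt at the stored cost for every guess, which is the whole point of choosing the cost as high as your login latency allows. The separate include in the original signup.php is only needed on PHP versions that lack `password_hash()` natively.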

1 Answer


how do I check if the user entered the correct password when user submitted password will be hashed into different values every single time?

It won't be different assuming you do this the right way and feed password_hash() with all the parameters necessary, including the same salt. See the docs http://php.net/manual/pl/function.password-hash.php on how to do that. When a salt is not provided, a random salt will be created, which will lead to different hashes, though.

Marcin Orlowski
  • Thank you for the answer but that's not what I was looking for. I solved it using mario's hint. Thank you though. I appreciate it. – Saehun Sean Oh Aug 31 '14 at 07:18
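Why the value echoed in login.php never matches the stored one, and why that is expected: the bcrypt string `password_hash()` returns carries its own algorithm id, cost and salt, and `password_verify()` reads them back out of the stored string. The following added example (not code from the page or from either poster) takes the string apart and repeats the verification by hand with `crypt()`, which is how `password_verify()` works for bcrypt. The sample password is made up, and the `parse_bcrypt` and `verify_bcrypt` names are this example's own. Supplying your own salt, as the answer suggests, has been deprecated since PHP 7.0 and the option is ignored (with a warning) in PHP 8.0, so the stored string is the only thing that needs keeping.

```php
<?php
// Added example, not code from the page or from either poster. Requires
// PHP >= 5.6 (hash_equals). The password below is a made-up sample value.

// Split a bcrypt string into its parts. Format (60 chars):
//   $2y$ <2-digit cost> $ <22-char salt> <31-char digest>, alphabet ./A-Za-z0-9
function parse_bcrypt($hash)
{
    if (!preg_match('#^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return array('id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]);
}

// What password_verify() does for bcrypt, spelled out: crypt() takes the id,
// cost and salt from the stored string, so the right password reproduces that
// exact string. hash_equals() compares without leaking timing information.
function verify_bcrypt($password, $storedHash)
{
    $recomputed = crypt($password, $storedHash); // returns "*0" on a bad setting
    return strlen($recomputed) === 60 && hash_equals($storedHash, $recomputed);
}

$password = 'correct horse battery staple'; // sample only

// Two calls, same password, same cost: the strings differ only in the salt
// (and therefore in the digest), because each call draws a fresh random salt.
$hash1 = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
$hash2 = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));

$p1 = parse_bcrypt($hash1);
$p2 = parse_bcrypt($hash2);

printf("hash1: %s\nhash2: %s\n", $hash1, $hash2);
printf("cost1=%d cost2=%d  salt1=%s salt2=%s\n", $p1['cost'], $p2['cost'], $p1['salt'], $p2['salt']);
printf("identical strings: %s\n", $hash1 === $hash2 ? 'yes' : 'no');

// Both verify, because each string brings the salt it was made with.
printf("correct password against hash1: %s\n", verify_bcrypt($password, $hash1) ? 'ok' : 'FAIL');
printf("correct password against hash2: %s\n", verify_bcrypt($password, $hash2) ? 'ok' : 'FAIL');
printf("wrong password against hash1:   %s\n", verify_bcrypt('wrong password', $hash1) ? 'ok' : 'FAIL');

// The hand-rolled check agrees with the built-in one.
printf("matches password_verify(): %s\n",
    password_verify($password, $hash1) === verify_bcrypt($password, $hash1) ? 'yes' : 'no');
```

Run it twice and the two printed hashes change every time while both keep verifying; that is the behaviour the question observed, and it is the reason the login side compares the submitted password against the hash fetched from the database instead of hashing again.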