
In my Login PHP file I have these

$passwordInput = password_hash($passInput, PASSWORD_BCRYPT);
$passwordVerify = password_verify($userInput, $passwordInput);

And in my Register PHP file I have this.

$passwordSign = password_hash($passSign, PASSWORD_BCRYPT);

Now, essentially I make it so it hashes the password and inserts itself into the database on signup. WHICH IT DOES.

However, it cannot verify it. Both results give 2 different hashes and I don't know what I'm possibly doing wrong. I also tried just making it hash the input again and checking the password_hash in the database but that didn't work.

What is the proper way of using these?

( Also, $passSign and $userInput are the input fields and it does get the username/password )

edigu
Cameron Swyft
  • Are you sure the variable names are correct? Especially `$passInput` and `$userInput`? – Hanky Panky Mar 09 '15 at 06:43
  • Instead of deleting the original question's body after figuring out the solution, please add your solution as an answer to help others. – edigu Mar 09 '15 at 07:05

1 Answer


On signup you get the password from the user input and generate its hash using password_hash():

$hash = password_hash($_POST['password'], PASSWORD_BCRYPT);

You can provide it a custom salt to use, in a third parameter, but the documentation recommends to not do this:

Caution It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

You save this hash in the database. Make sure you put it in a CHAR/VARCHAR field of 60 characters or longer.

When the user wants to log in you check the password they input against the hash previously saved using password_verify():

$auth = password_verify($_POST['password'], $hash);

Of course, you get the correct value of $hash from the database, searching by the provided username.

If $auth is TRUE then the provided password matches its hash computed on the registration and the user is authenticated.

Dharman
axiac
  • How would you perform a db lookup of a user account, assuming that you have the fields 'user_name' and 'user_pass' in the database. Assume hundreds of users, with unique 'user_name' (unique checked during user registration). You can't lookup by condition of user_name and user_pass. You can't use password_verify because you don't know the right record to select (assume that there might be duplicate passwords but each has a different user_name). So do you have to query for user_name, then loop through 1+ results to check for password_verify? Thanks. – Rick Hellewell Mar 14 '17 at 02:55
  • You said in the second sentence: *"Assume hundreds of users, with unique 'user_name'"*. When you search by 'user_name' you either find one record in the database or you don't find any. Create a `UNIQUE INDEX` on the 'user_name' column in the database to help it run fast and to enforce the uniqueness. – axiac Mar 14 '17 at 07:01
  • The docs recommend storing the hash in a 255-length varchar field, because the algorithm can change in future PHP versions without notice. – andreszs Jul 19 '19 at 21:39
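The complete register/login round trip the answer describes, together with the lookup-by-username point and the 255-character column advice raised in the comments, as an added example that is not code from the question, the answer, or the PHP documentation. It assumes PHP with the pdo_sqlite extension; the in-memory SQLite database, the `users` table (reusing the `user_name`/`user_pass` column names from the comments), and the sample account are constructed here. The first lines also show why the approach in the question cannot work: password_hash() picks a fresh random salt on every call, so hashing the login input again never reproduces the stored hash.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer.
// Assumes PHP with pdo_sqlite; database, table and sample user are constructed below.

// Why re-hashing the login input and comparing hashes fails: each call to
// password_hash() embeds a new random salt, so the two strings differ on every run.
$first  = password_hash('correct horse', PASSWORD_BCRYPT);
$second = password_hash('correct horse', PASSWORD_BCRYPT);
var_dump($first === $second);                    // string comparison of fresh hashes
var_dump(password_verify('correct horse', $first)); // the supported way to check

// Constructed in-memory database. The hash column is 255 wide, per the comment above,
// so a change of the default algorithm in a later PHP version cannot truncate hashes.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    user_name VARCHAR(64)  NOT NULL UNIQUE,  -- unique index: lookup by name yields 0 or 1 rows
    user_pass VARCHAR(255) NOT NULL
)');

// Signup: hash the plaintext once and store only the hash. A prepared statement keeps
// the user-supplied name out of the SQL text.
function registerUser(PDO $db, string $userName, string $password): bool
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    if ($hash === false) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (user_name, user_pass) VALUES (:name, :hash)');
    try {
        $stmt->execute([':name' => $userName, ':hash' => $hash]);
    } catch (PDOException $e) {
        return false; // duplicate user_name rejected by the UNIQUE constraint
    }
    return true;
}

// Login: select the row by user_name only (never by password), then let
// password_verify() compare the plaintext against the stored hash.
function loginUser(PDO $db, string $userName, string $password): bool
{
    $stmt = $db->prepare('SELECT id, user_pass FROM users WHERE user_name = :name');
    $stmt->execute([':name' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    if (!password_verify($password, $row['user_pass'])) {
        return false; // wrong password
    }
    // If the default cost or algorithm has changed since the hash was stored,
    // replace it now while the plaintext is available (why the column should be 255 wide).
    if (password_needs_rehash($row['user_pass'], PASSWORD_BCRYPT)) {
        $upd = $db->prepare('UPDATE users SET user_pass = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_BCRYPT), ':id' => $row['id']]);
    }
    return true;
}

// Walk through the flow with a constructed account.
var_dump(registerUser($db, 'alice', 'correct horse'));
var_dump(registerUser($db, 'alice', 'something else')); // second signup with the same name
var_dump(loginUser($db, 'alice', 'correct horse'));
var_dump(loginUser($db, 'alice', 'wrong password'));
var_dump(loginUser($db, 'nobody', 'correct horse'));
```

The only query issued at login filters on `user_name`; the password never appears in a WHERE clause, and because the column is unique there is never a list of candidates to loop over. password_needs_rehash() is the reason the wider column matters in practice: it lets the stored hash be upgraded transparently on a successful login when PHP's default cost or algorithm changes.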