
Can someone please tell me how I am supposed to verify a hashed password when someone is logging in?

Here is my registration code:

$db_password = password_hash($password, PASSWORD_DEFAULT);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users 
                   (first_name, last_name, email_address, username, password, signup_date)
                    VALUES('$first_name', '$last_name', 
                           '$email_address', '$username',
                           '$db_password', now())") 
                 or die (mysql_error());

This is my check-user code, run at login:

$hash = password_hash($password, PASSWORD_DEFAULT);

// check if the user info validates the db
$sql = mysql_query("SELECT * 
                    FROM users 
                    WHERE username='$username' 
                      AND password='$hash' 
                      AND activated='1'");
$login_check = mysql_num_rows($sql);

I cannot figure it out.

RiggsFolly
user3205214
  • Forgot to add: when logging in I am met with an "invalid credentials" message – user3205214 Apr 22 '15 at 15:33
  • When you check the password, you read the existing hash from the database and use [password_verify()](http://www.php.net/manual/en/function.password-verify.php) to check that against the password entered by the user – Mark Baker Apr 22 '15 at 15:35
  • Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). In addition the way you use your variables in your queries leads me to believe you could be a victim of [SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Apr 22 '15 at 15:39
  • Jay - you are correct about SQL injection. Someone pointed that out. It is actually the next thing I am going to be working on after I figure this out. – user3205214 Apr 22 '15 at 15:49

2 Answers

2

Your verification is wrong... you are hashing the password all over again, which will result in a brand-new salt... thus a completely different hash value. When passwords are hashed (correctly), they use a salt (random string) that is sufficiently long to prevent a rainbow attack. password_hash is doing all of this behind the scenes for you.

However, this means you have to make sure to use the same salt in order to verify the password by storing it along with the hash. In the case of the code you are using, it's doing this part for you and the salt is the prefix of the result of password_hash.

When the user logs in, you need to do:

if( password_verify($loginPasswordText, $hashStoredInDb) ) {
    //SUCCESS
}
Kevin Nelson
0

No need to hash the password again at login time; simply use the password_verify() function to verify your stored password against the password given at login. See more about the Password Hashing API here: http://php.net/manual/en/ref.password.php

For now, try like this:

<?php
// This is an example hashed password; you have to select the real one from the database.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('password_given_at_login', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>
A l w a y s S u n n y
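An added, self-contained example (not code from either answer, nor from the asker) that puts both answers into practice: it first shows why re-hashing at login can never match (each password_hash() call picks a fresh salt), then a registration and login flow that stores the password_hash() string once and checks it with password_verify(), using PDO prepared statements as the comments suggest instead of mysql_* with interpolated variables. It assumes PHP 7 or later with the pdo_sqlite extension; the users table, the function names and the sample user are constructed here for illustration.

```php
<?php
// Added example, not part of the original answers. Uses an in-memory SQLite
// database (assumes the pdo_sqlite extension) so it runs offline.

// Why the asker's login code fails: password_hash() generates a new random
// salt on every call, so two hashes of the same password are never equal,
// yet password_verify() accepts the password against either of them.
$first  = password_hash('correct horse', PASSWORD_DEFAULT);
$second = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump($first === $second);                      // the two strings differ
var_dump(password_verify('correct horse', $first));  // still verifies
var_dump(password_verify('correct horse', $second)); // still verifies

// Constructed schema: same columns the question's queries rely on.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    username  TEXT    UNIQUE NOT NULL,
    password  TEXT    NOT NULL,
    activated INTEGER NOT NULL DEFAULT 0
)');

// Registration (hypothetical helper): hash exactly once and store the whole
// password_hash() string; it already carries algorithm, cost and salt.
// Bound parameters keep user input out of the SQL text.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, activated) VALUES (:u, :p, 1)'
    );
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login (hypothetical helper): fetch the stored hash by username only, then
// let password_verify() do the comparison. The hash never goes into WHERE.
function loginUser(PDO $pdo, string $username, string $password): bool
{
    // Dummy hash used for unknown users so the response time does not
    // reveal whether the username exists; computed once per process.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare(
        'SELECT id, password FROM users WHERE username = :u AND activated = 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash); // burn the same work, then fail
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // If PASSWORD_DEFAULT or its cost has changed since registration, replace
    // the stored hash now while the plaintext is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([
            ':p'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }

    return true;
}

// Constructed sample user and three login attempts.
registerUser($pdo, 'alice', 'correct horse');
var_dump(loginUser($pdo, 'alice', 'correct horse'));
var_dump(loginUser($pdo, 'alice', 'wrong password'));
var_dump(loginUser($pdo, 'nobody', 'anything'));
```

Run it with `php example.php`: the first `var_dump` shows the two hashes are not identical while both verify, and of the three logins only the first succeeds. The point relative to the question's code is that the WHERE clause selects on `username` and `activated` alone, and the password comparison happens in PHP via password_verify(), never by string equality in SQL.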