
Okay, so I'm trying to make a basic user authentication system. Well, I already made it. But what I'm trying to do now is check the user's password against a hash. I'm using `$hash = password_hash($password, PASSWORD_DEFAULT);` but for the login page I want to check the user's password with the hashed password in the database so they can log in. How can I do this?

Register.php:

    <?php
    include('config.php'); // defines $conn (mysqli)

    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }

    // Escape a named POST field (currently unused; kept for later use).
    function mres($input){
        global $conn; // $conn is not visible inside the function otherwise
        if (get_magic_quotes_gpc()){
            $_POST[$input] = stripslashes($_POST[$input]);
        }
        return mysqli_real_escape_string($conn, $_POST[$input]);
    }

    $email    = mysqli_real_escape_string($conn, $_POST['email']);
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);
    // bcrypt hash of the submitted password; this is what gets stored
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $query = $conn->query("select * from users where username='$username'");
    $rows = mysqli_num_rows($query);
    if ($rows == 1) {
        echo "User already exist redirecting in 5 seconds!";
    } else {
        $sql = "INSERT INTO users (username, password, email)
                VALUES ('$username', '$hash', '$email')";
        if ($conn->query($sql) === TRUE) {
            echo "New record created successfully";
        } else {
            echo "Error: " . $sql . "<br>" . $conn->error;
        }
    }

    $conn->close();
    header("Location: ../index.php");
    ?>

Login.php:

    <?php
    session_start();
    include('config.php'); // defines $conn (mysqli)

    $error = '';

    if (isset($_POST['submit'])) {
        if (empty($_POST['userid']) || empty($_POST['passid'])) {
            $error = "Username or Password is invalid";
        }
        else
        {
            $user = mysqli_real_escape_string($conn, $_POST['userid']);
            $pass = mysqli_real_escape_string($conn, $_POST['passid']);
            // a fresh hash of the submitted password (new salt each call)
            $hash = password_hash($pass, PASSWORD_DEFAULT);
            // password_verify() returns a bool, not a hash
            $passv = password_verify($pass, $hash);
            $query = $conn->query("select * from users where password='$passv' AND username='$user'");
            $rows = mysqli_num_rows($query);
            if ($rows == 1) {
                $_SESSION['login_user'] = $user;
                $_SESSION['username']   = $user;
                $_SESSION['checklogin'] = true; // was '==' (a comparison, not an assignment)
                header("location: ../profile.php");
                exit;
            } else {
                $error = "Username or Password is invalid";
            }
            mysqli_close($conn);
        }
    }
    ?>

(Yes, I know I added that function there that I'm not using in register. It's for future use; I'm saving it for now. I have plans for it.)

Blake Cothran
  • Read this documentation http://php.net/manual/en/function.password-verify.php – Scuzzy Sep 21 '15 at 02:57
  • I am, but it keeps giving me invalid password. – Blake Cothran Sep 21 '15 at 03:08
  • I'm pretty sure it's generating a new hash for the password verify when it shouldn't. I just need it to check that password for that hash or whatever it needs to do to log in. – Blake Cothran Sep 21 '15 at 03:08
  • I got it to work, but it has to be in the same file as it was hashed. Now when I store the hash in a table and want to check it in another file against the user's input it won't work. – Blake Cothran Sep 21 '15 at 03:11
  • Then your data is getting malformed between storage and re-use, and without code samples, no one here can help you any further. – Scuzzy Sep 21 '15 at 03:14
  • Okay, I'll edit with code samples. – Blake Cothran Sep 21 '15 at 03:16
  • Do check that the hash that `password_hash()` produces is exactly the same as when you then read it out of the database. E.g. you may be prone to data truncation if your column storage length isn't sufficient. – Scuzzy Sep 21 '15 at 03:18
  • Your databasing in `login.php` is confused; you should be loading the hash out of the database by username and then running `password_verify()` on the hash that's in the database with the user's post data password. You should note that `password_hash()` gives different outputs each time. – Scuzzy Sep 21 '15 at 03:21
  • Thanks, I'll try that. – Blake Cothran Sep 21 '15 at 03:24
  • Have a look at http://stackoverflow.com/questions/26536293/php-password-hash-password-verify – Scuzzy Sep 21 '15 at 03:26

1 Answer

Select the password from the database using the username. Get the hashed password from the database and use `password_verify(inputPassword, hashPassword)` with an if statement.
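The pattern the answer and the comments describe, written out as an added example (not code from the question or the answer): look the stored hash up by username with a prepared statement, let `password_verify()` do the comparison, and never put the password or the verify result into the SQL. It assumes `config.php` defines `$conn` as a mysqli connection and that the `users` table has `username` and `password` columns, with `password` wide enough (VARCHAR(255)) that the hash is not truncated.

```php
<?php
// Added example: correct login check against a hash stored by password_hash().
// Assumes config.php defines $conn (mysqli) and a users table with
// username and password columns; password must be VARCHAR(255) so the
// bcrypt hash (60 chars today, longer for future algorithms) is not truncated.
session_start();
include('config.php');

// Returns true when $inputPassword matches the hash stored for $username.
// The row is selected by username only; password_verify() does the compare,
// so the submitted password never appears in the SQL and no new hash is made.
function login_user(mysqli $conn, $username, $inputPassword)
{
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($inputPassword, $storedHash)) {
        return false; // unknown user or wrong password: same answer for both
    }
    // Transparently upgrade the hash if PASSWORD_DEFAULT's cost/algorithm changed.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($inputPassword, PASSWORD_DEFAULT);
        $upd = $conn->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->bind_param('ss', $newHash, $username);
        $upd->execute();
        $upd->close();
    }
    return true;
}

$error = '';
if (isset($_POST['submit'])) {
    $user = isset($_POST['userid']) ? $_POST['userid'] : '';
    $pass = isset($_POST['passid']) ? $_POST['passid'] : '';
    if ($user === '' || $pass === '' || !login_user($conn, $user, $pass)) {
        $error = 'Username or Password is invalid';
    } else {
        session_regenerate_id(true); // new session id on login (avoids fixation)
        $_SESSION['username']   = $user;
        $_SESSION['checklogin'] = true;
        header('Location: ../profile.php');
        exit;
    }
}
```

The same prepared-statement style belongs in register.php too, which removes the need for `mysqli_real_escape_string()` on the password (escaping it before hashing changes what gets hashed if magic quotes or the escaping ever differ between the two pages).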