So I'm trying to make it so the passwords the user enters will be encrypted when stored in my database. With BCRYPT I'm able to do that; however, with the encrypted value now stored in the db the user can't log in with their chosen password. Does anyone have any suggestions on how I would go about this?

Grateful for any kind of help!

Thanks in advance!

Register.php page below

<?php
require 'C:\wamp\www/projekt/connections.php';

if (isset($_POST['submit'])) {

    session_start();
    $fname = $_POST['firstname'];
    $lname = $_POST['lastname'];
    $uname = $_POST['username'];
    $pwd   = $_POST['password'];

    // Hash (and salt) the submitted password; only the hash is stored.
    $hashedpassword = password_hash($pwd, PASSWORD_DEFAULT);

    // Note: the form values are interpolated straight into the SQL string,
    // which is open to SQL injection; a prepared statement would bind them instead.
    $sql = $con->query("INSERT INTO users (FirstName, LastName, UserName, Password) VALUES ('{$fname}', '{$lname}', '{$uname}', '{$hashedpassword}')");

    // This verifies the password against the hash just computed from it, so it is
    // always true here; the real check belongs in login.php against the stored hash.
    if (password_verify($pwd, $hashedpassword)) {
        header('Location: login.php');
    }

}

?>

----------------------------------------------------------

login.php page below

<?php

// session_start() must run before $_SESSION is written to below.
session_start();

$con = mysqli_connect("localhost", "root", "", "userreg");

if (isset($_POST['login'])) {

    $uname = mysqli_real_escape_string($con, $_POST['Username']);

    $pwd = mysqli_real_escape_string($con, $_POST['Password']);

    // This compares the plaintext password against the stored bcrypt hash in SQL,
    // so it never matches; the hash has to be fetched and checked with password_verify().
    $sel_user = "select * from users where UserName='$uname' AND Password='$pwd'";

    $run_user = mysqli_query($con, $sel_user);

    $check_user = mysqli_num_rows($run_user);

    if ($check_user > 0) {

        $_SESSION['UserName'] = $uname;

        echo "<script>window.open('startpage.php','_self')</script>";

    } else {

        echo "<script>alert('Username or password is not correct, try again!')</script>";

    }

}

?>
Tommi

1 Answer

You could use PHP's password_hash and password_verify. It both hashes and salts the password.

//Store $hashedPassword in the database under the password column.
$hashedPassword = password_hash($password, PASSWORD_BCRYPT);

//Or you could use PASSWORD_DEFAULT over PASSWORD_BCRYPT which will default to php's current default method. 
$hashedPassword = password_hash($password, PASSWORD_DEFAULT);


//Query the database and pull out the hashed password.
//Pass the user entered password and the retrieved/stored hash into the password_verify method. 
//If it is a match, it will return true.
if (password_verify($password, $hashedPassword)) {
   // Correct password
}

EDIT: Here's how the flow should go to hash/store/verify the password.

(Creating a new user - password)

  1. Take the user input (Be sure to cleanse all user input/use prepared statements! Take a look at PDO/MySQLI)

  2. Hash the password. $hashedPassword = password_hash($password, PASSWORD_DEFAULT); The parameter $password is the user input.

  3. Store the new variable/hashed password $hashedPassword into your database.

At this point, a user has been created and their password/other information has been stored into the database.

(Logging a user in)

  1. Take the user input (Be sure to cleanse all user input/use prepared statements! Take a look at PDO/MySQLI)

  2. Query your database and retrieve the user's password (Select the password from the database where the username/id is equal to what they entered).

  3. Pass the user's input from step 1, and the retrieved password from step 2 into the method: password_verify($password, $hashedPassword) - $password is the user input, and $hashedPassword is the password that we pulled from our database. This method will return true if the password is a match, and false if not.

-

if (password_verify($password, $hashedPassword)) {

 // Correct password
 //Set the session variables/whatever else you would like to do now that we have verified that the user has the correct password.

} else {

 //Redirect the user/inform them that they have the incorrect username/password combination.

}
marc_s
Son
  • Thanks for the answer! However I'm still struggling, is it possible for you to elaborate a little bit more? I'm fairly new when it comes to programming and really new at PHP and its functions. I tried with PASSWORD_DEFAULT instead and I have the if statement after the Query. I feel like there's something I'm misunderstanding. – Tommi Mar 07 '16 at 14:59
  • Not a problem - Could you update your post with your current code? – Son Mar 07 '16 at 15:00
  • Done! I feel like your comment "Pass the user entered password and the retrieved/stored hash into the password_verify method." is what I've not done correctly/at all? – Tommi Mar 07 '16 at 15:09
  • For more information on the answer above: http://php.net/manual/en/function.password-hash.php – peer Mar 07 '16 at 15:10
  • Correct - I am editing my post with an explanation so that you have an idea for how the flow/order should go. – Son Mar 07 '16 at 15:10
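The register/login flow the answer lays out, put together as an added example (not code from the question or the answer): store the password_hash() output at registration, then at login fetch the hash by username alone and check it with password_verify(). It assumes the question's `users` table with UserName and Password columns and a mysqli connection; the function names register_user and login_user are hypothetical.

```php
<?php
// Added example: registration stores only the hash; login looks the row up by
// username, then compares the submitted password to the stored hash in PHP.
// Assumes a `users` table with columns UserName and Password (from the question).

function register_user(mysqli $con, string $uname, string $pwd): bool {
    // Hash (and salt) the password; the plaintext is never stored.
    $hash = password_hash($pwd, PASSWORD_DEFAULT);
    // Prepared statement: user input is bound as a parameter, not pasted into SQL.
    $stmt = $con->prepare('INSERT INTO users (UserName, Password) VALUES (?, ?)');
    $stmt->bind_param('ss', $uname, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function login_user(mysqli $con, string $uname, string $pwd): bool {
    // Select by username only: the stored value is a hash, so it can't be
    // compared against the plaintext inside the SQL WHERE clause.
    $stmt = $con->prepare('SELECT Password FROM users WHERE UserName = ?');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false; // unknown username
    }
    // password_verify() reads the salt and cost out of the stored hash itself.
    return password_verify($pwd, $storedHash);
}

// Request handling, mirroring login.php from the question (credentials from there).
$con = new mysqli('localhost', 'root', '', 'userreg');
if (isset($_POST['login'])) {
    if (login_user($con, $_POST['Username'], $_POST['Password'])) {
        session_start(); // must come before writing to $_SESSION
        $_SESSION['UserName'] = $_POST['Username'];
        header('Location: startpage.php');
        exit;
    }
    echo 'Username or password is not correct, try again!';
}
```

Both the unknown-username and wrong-password cases return false from login_user, so the page gives the same message for either and does not reveal which usernames exist.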