4

I wrote this code a while ago which I am now reviving for a new project, but it does not seem to work and I can't for the life of me figure out why it will not verify the hash.

The two functions are below. When registering, the passwordEncrypt() function is called first.

When trying to log in, the checkPassword() function is called; instead of logging in and echoing 'yes', it gets to the section where it echoes 'no'.

So please, if a fresh set of eyes can have a look, many thanks in advance!

// Hash a user password with bcrypt
function passwordEncrypt($password) {
    // set the salt: 22 characters from the bcrypt alphabet [./A-Za-z0-9],
    // built from random bytes rather than md5(time()), which is predictable
    // and gives every registration within the same second the same salt
    $raw  = openssl_random_pseudo_bytes(17);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);

    // hash using blowfish ('$2a$') with a cost of 10
    $password = crypt($password, '$2a$10$' . $salt);

    // return the 60-character hash (prefix, salt and hash together)
    return $password;
}

/*
    Check password function when logging in:
    first select the stored hash for the supplied username from the database,
    then re-run crypt() with that hash's salt and check that the result
    matches the stored value
*/
function checkPassword($userName, $password, $db) {
    $sql  = 'SELECT password FROM users WHERE userName = :userName';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':userName', $userName, PDO::PARAM_STR);
    $stmt->execute();

    // fetch() returns false when no row matched; rowCount() is not
    // reliable for SELECT statements on every PDO driver
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false) {
        $hash = $row['password'];

        // the first 29 characters ($2a$10$ plus the 22-character salt) are
        // the salt; crypt() with that salt must reproduce the full
        // 60-character hash
        $fullSalt = substr($hash, 0, 29);
        $new_hash = crypt($password, $fullSalt);

        // Check that the password matches (strict string comparison)
        if ($hash === $new_hash) {
            echo 'yes';
            return true;
        } else {
            echo 'no';
            return false;
        }
    } else {
        // no user with that name
        echo 'way';
        return false;
    }
}

I have registered a password and then tried it, and this is what it returns:

Password:$2a$10$023d3086e8462207a1fecueWH4Ub40MWbQJ7F9 Entered :$2a$10$023d3086e8462207a1fecueWH4Ub40MWbQJ7F9hapWU3lYxlg3AAa no

So it is adding on hapWU3lYxlg3AAa

Tom C

1 Answer

2

"column length is what? 40? 50? 60? other? $2a$10$023d3086e8462207a1fecueWH4Ub40MWbQJ7F9 implies being too short. – Fred -ii-"

and

"ah 45 in the database – Tom C"

There you go. The column's length is too short and needs to be 60.

The manual suggests 255.
Slight correction: 255 is what the manual for password_hash() suggests using. However, it would be best to use 255 anyway, since the manual also suggests keeping the future in mind and considers it "a good choice".

You need to clear your rows, alter your column to be 60 or greater, then create a new hash and login again.

$2a$10$023d3086e8462207a1fecueWH4Ub40MWbQJ7F9hapWU3lYxlg3AAa

is 60 characters long.


Footnotes:

It has been said that some find it hard to work with crypt(), and that using password_hash() or the compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/ is actually easier. The choice is yours.

See this Q&A on Stack also:

Funk Forty Niner
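As an added example, not code from the question or the answer: the failure discussed above, a 60-character bcrypt hash silently cut down to 45 characters by the column it is stored in, reproduced in plain PHP without a database. The function names (storeInColumn, makeHash, storedHashLooksComplete, verifyWithCrypt, makeHashModern, verifyModern) and the sample password are assumptions made for this example. Against the truncated copy the crypt()-based check fails, against the full 60-character copy it succeeds, and a length check on the stored value turns a silent "wrong password" into a reportable data problem.

```php
<?php
// Added example, not the poster's or answerer's code. Reproduces a bcrypt
// hash stored in a column that is too short, and the checks that catch it.
// hash_equals() needs PHP 5.6+; password_hash() needs 5.5+ or password_compat.

// Stand-in for a VARCHAR(n) column: MySQL silently truncates on INSERT unless
// strict SQL mode is enabled, which is what happened to the asker's hash.
function storeInColumn($value, $columnLength) {
    return substr($value, 0, $columnLength);
}

// Same scheme as the question: bcrypt through crypt(), cost 10, 22-character
// salt drawn from the bcrypt alphabet [./A-Za-z0-9]. $2y$ is the corrected
// form of the $2a$ identifier, available since PHP 5.3.7.
function makeHash($password) {
    $raw  = openssl_random_pseudo_bytes(17);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return crypt($password, '$2y$10$' . $salt);
}

// A complete bcrypt hash is always 60 characters: 7 for "$2y$10$", 22 of
// salt, 31 of hash. Anything else means the stored value was damaged
// (truncated, trimmed, re-encoded) and should be treated as a data problem,
// not reported to the user as a wrong password.
function storedHashLooksComplete($storedHash) {
    return strlen($storedHash) === 60
        && preg_match('/^\$2[axy]\$\d{2}\$[.\/A-Za-z0-9]{53}$/', $storedHash) === 1;
}

// The verification the question performs: feed the stored hash back to
// crypt() as the salt (it only uses the first 29 characters) and compare the
// whole result. With a truncated stored value the recomputed hash is 60
// characters and the stored one is not, so they can never be equal.
function verifyWithCrypt($password, $storedHash) {
    if (!storedHashLooksComplete($storedHash)) {
        return false;
    }
    $recomputed = crypt($password, $storedHash);
    // constant-time comparison so timing does not reveal how much matched
    return hash_equals($storedHash, $recomputed);
}

// What the answer's footnote points to: password_hash()/password_verify().
// PASSWORD_DEFAULT is bcrypt today but may change in a later PHP release,
// which is why the manual recommends a 255-character column.
function makeHashModern($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyModern($password, $storedHash) {
    return password_verify($password, $storedHash);
}

// Demonstration with a constructed password.
$password = 'correct horse battery staple';
$hash     = makeHash($password);

$stored45 = storeInColumn($hash, 45);   // the asker's column width
$stored60 = storeInColumn($hash, 60);   // the width the answer calls for

echo 'full hash length:      ', strlen($hash), PHP_EOL;
echo 'stored in VARCHAR(45): ', var_export(verifyWithCrypt($password, $stored45), true), PHP_EOL;
echo 'stored in VARCHAR(60): ', var_export(verifyWithCrypt($password, $stored60), true), PHP_EOL;
echo 'password_verify():     ', var_export(verifyModern($password, makeHashModern($password)), true), PHP_EOL;

// The schema change the answer describes (MySQL syntax), run once; existing
// rows hold damaged hashes, so users must register again afterwards:
//   ALTER TABLE users MODIFY password VARCHAR(255) NOT NULL;
```

The length guard in storedHashLooksComplete is the part worth keeping in production code: a login path that only reports "no" hides a schema error behind what looks like a typo, whereas a stored hash that is not 60 characters can be logged as a configuration fault the moment it is read.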
  • Fantastic mate, thank you, all it needed was a fresh pair of eyes. Didn't think about the field length when rebuilding the database. Thanks again – Tom C Mar 31 '16 at 13:28
  • @TomC You're most welcome Tom. Soon as I saw your code and looked legit, my *Spidey sense* tingled on the column's length. *Cheers* – Funk Forty Niner Mar 31 '16 at 13:29
  • haha, checking column lengths has gone straight into my checklist for the future, that spidey sense of yours is on point! – Tom C Mar 31 '16 at 13:43
  • @TomC One must always listen to their *little voice* ;-) Btw, I've made an edit to my answer if you'd like to reload it. I've added some additional information that you may find interesting to read. *Cheers* – Funk Forty Niner Mar 31 '16 at 13:47
  • Thanks Fred :) If I could upvote more I would, appreciated :D – Tom C Mar 31 '16 at 13:55