
Today I found a PHP class called CryptoLib. It helps with hashing passwords, but now I'm confused about how I will match it against my database password.

Here is how the script is used; this generates a different hash every time I reload the page:

$string = $_POST['password'];
echo $hash = CryptoLib::hash($string);

The lines below check whether the hash matches or not:

$isHashCorrect = CryptoLib::validateHash($hash, $string);
echo ($isHashCorrect ? "TRUE" : "FALSE");

This is my query:

mysqli_query($connec, "SELECT * FROM users WHERE email='$email' AND password='$password'");

Now can somebody tell me how can I match the password?

For more info visit https://cryptolib.ju.je/

Elydasian
  • Have you not looked under **"Validating Hashes"**? You just need to fetch the password column from the database and match it against the validation example. – Funk Forty Niner Jun 12 '16 at 20:45
  • @Fred-ii- Yes, I have read it but was not able to understand it properly; could you please explain via an example? –  Jun 12 '16 at 20:46
  • Base yourself on this Q&A http://stackoverflow.com/questions/26997463/password-verify-hash-not-matching-password - it uses `password_hash()`, yet it won't be so hard to simply verify against a returned hash from the library (which I am not familiar with, but shouldn't be so different here, from fetching from db as per the Q&A). – Funk Forty Niner Jun 12 '16 at 20:49
  • Plus, that library returns a 256-character string. Make sure your password column in db isn't 255 but 256+, because that will fail you. I've downloaded that library for testing purposes. So again, base yourself on the link I gave you to compare your input to the password in db. If you haven't gotten any results, let me know and when I get some more time, I'll test it with one of my databases. – Funk Forty Niner Jun 12 '16 at 21:47
  • Another thing. This line `require_once('cryptolib.php');` in their demo file. That might throw you an error if you're on a \*NIX system. Those are case-sensitive if you're on that (instead of Windows). Their file is named `CryptoLib.php`. Btw, any particular reason you're wanting to use that library rather than `password_hash()`? – Funk Forty Niner Jun 12 '16 at 21:54
  • @Fred-ii- Thanks, I followed that link and now it's working –  Jun 12 '16 at 22:06
  • @Fred-ii- If you would like to get the vote, then write it as an answer –  Jun 12 '16 at 22:17
  • It has been done, *cheers* – Funk Forty Niner Jun 12 '16 at 22:26

1 Answer

You basically need to compare the supplied password with the hash that is in the database through a SELECT query and iterate over the given row, just as you would for PHP's password_verify() function.

An example of this and where you bind the result to the comparison:

$username = "email@example.com";
$password = "pass";
$result   = null; // stays null if no row matched the e-mail
// $con is assumed to be your open mysqli connection ($connec in the question)

if ($stmt = $con->prepare("SELECT `password` FROM `table` WHERE email = ?")) {

    /* Bind the e-mail as a parameter; it is never concatenated into the SQL */
    $stmt->bind_param("s", $username);

    /* Execute it */
    $stmt->execute();

    /* Bind results: the stored hash lands in $result */
    $stmt->bind_result($result);

    /* Fetch the value */
    $stmt->fetch();

    /* Close statement */
    $stmt->close();
}

/* Compare the submitted password against the stored hash; an unknown e-mail (null $result) fails */
$isHashCorrect = ($result !== null) && CryptoLib::validateHash($result, $password);
echo ($isHashCorrect ? "TRUE" : "FALSE");

This uses a prepared statement, something you should use in order to help protect against the SQL injection you are presently open to.

Also noting from my comments:

That library returns a 256-character string. Make sure the password column in your database isn't 255 but 256+, because that will fail on you silently.

You might even like to use PHP's password_hash() function instead, yet that choice is entirely yours.


Footnotes:

This line require_once('cryptolib.php'); from their demo file might throw you an error if you're on a *NIX system. Those are case-sensitive if you're on that (instead of Windows). Their file is named CryptoLib.php and is not the same as cryptolib.php on certain platforms.

Funk Forty Niner
  • No. You should check the password in the WHERE clause. Then all you have to check yourself is that there was a result row. That way the database is responsible for all hashing. – user207421 Jun 17 '16 at 03:54
  • @EJP that is not the way it works. In the above, `$result` is the hashed password saved prior. You never have the password in the where clause. You verify it via a verify function. Anytime someone has the password in the where clause you know they are doing it wrong. – Drew Jun 18 '16 at 00:18
  • @EJP After looking over your PHP (tag) score and password-related answers, you're not impressing me one bit. Let alone your most likely downvote. You can do what you want and downvote like a madman for all I care, yet still find it's uncalled for, that's if that is your downvote. I know my PHP and password coding quite well, thank you. Let's not compare apples with oranges here. – Funk Forty Niner Jun 25 '16 at 13:26
  • @Drew You can have a read at what I left that other guy, I think my tag/rep score speak for themselves. Btw, have a look at my updated profile; it's self-explanatory. Thanks for "keepin' six" on me ;-) – Funk Forty Niner Jun 25 '16 at 13:26
  • Fred, @EJP , I meant to post a separate "throw-away" answer to the question to show in some detail *why* the `where clause` is a terrible place to compare passwords. I just never got around to it and assumed people could google it. I will within a week. – Drew Jun 25 '16 at 13:36
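The complete flow the answer describes, as an added example that is not code from the answer, the question or the CryptoLib project: register a user, then log in by fetching the stored hash for the e-mail with a prepared statement and verifying it in PHP. It uses PHP's own password_hash()/password_verify(), which the answer mentions as an alternative, against an in-memory SQLite table through PDO; with the library from the question you would call CryptoLib::hash() and CryptoLib::validateHash() at the same two points. It also covers the point argued in the comments: a salted hash comes out different on every call, so re-hashing the submitted password and comparing it in the WHERE clause rejects even the correct password. The account, the placeholder hash and the table name are constructed for the demo; it assumes PHP 7.1+ with the pdo_sqlite extension loaded.

```php
<?php
// Added example (not from the answer or from the CryptoLib project).
// Register and log in against an in-memory SQLite table the way the answer
// describes: fetch the stored hash by e-mail with a prepared statement, then
// verify it in PHP. Uses password_hash()/password_verify(), which the answer
// mentions as an alternative; with the library from the question you would
// call CryptoLib::hash() and CryptoLib::validateHash() at the same two points.
// Assumes PHP 7.1+ with the pdo_sqlite extension loaded.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// SQLite TEXT is unbounded. On MySQL, size the column for the hash you store:
// the answer notes CryptoLib returns 256 characters, so VARCHAR(255) would
// silently truncate it and every validation would then fail.
$pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');

function registerUser(PDO $pdo, string $email, string $plain): void
{
    // Salted hash: a fresh salt on each call, so hashing the same password
    // twice never yields the same string (the "different hash every time"
    // the question noticed). Only the hash is stored, never the password.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Correct flow: the WHERE clause selects by identity only; the password is
// checked in PHP against the hash that comes back.
function loginUser(PDO $pdo, string $email, string $plain): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Constructed placeholder, verified when the e-mail is unknown so that
        // response time does not reveal which accounts exist.
        $dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $storedHash = $stmt->fetchColumn();   // false when no row matched

    if ($storedHash === false) {
        password_verify($plain, $dummyHash);
        return false;
    }
    return password_verify($plain, $storedHash);
}

// The approach argued about in the comments: putting the password in the
// WHERE clause. Even with a prepared statement, re-hashing the submitted
// password produces a new salt, so the equality test cannot match the
// stored hash and the correct password is rejected.
function loginInWhereClause(PDO $pdo, string $email, string $plain): bool
{
    $rehash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = :email AND password = :hash');
    $stmt->execute([':email' => $email, ':hash' => $rehash]);
    return $stmt->fetchColumn() !== false;
}

function show(string $label, bool $ok): void
{
    printf("%-52s %s\n", $label, $ok ? 'TRUE' : 'FALSE');
}

// Constructed sample account.
registerUser($pdo, 'email@example.com', 'pass');

$a = password_hash('pass', PASSWORD_DEFAULT);
$b = password_hash('pass', PASSWORD_DEFAULT);
show('two hashes of the same password differ as strings', $a !== $b);
show('...yet both verify against that password', password_verify('pass', $a) && password_verify('pass', $b));

show('loginUser: right e-mail, right password', loginUser($pdo, 'email@example.com', 'pass'));
show('loginUser: right e-mail, wrong password', loginUser($pdo, 'email@example.com', 'wrong'));
show('loginUser: unknown e-mail', loginUser($pdo, 'nobody@example.com', 'pass'));
show('loginInWhereClause: right e-mail, right password', loginInWhereClause($pdo, 'email@example.com', 'pass'));
```

Run it with `php example.php`. The first two lines show the property behind the question: the two direct hashes are different strings, yet both verify. loginUser() succeeds only for the registered e-mail with the right password, while loginInWhereClause() fails even with the right password, which is why the stored hash has to be fetched by e-mail and checked with the library's verify function rather than compared in SQL. The placeholder verification on an unknown e-mail keeps the failure path roughly as slow as the success path, so an attacker cannot enumerate accounts from response times.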