
Password hash does not work properly in my script.

Here is my integration:

register.php

    $password = password_hash(md5(sha1($_POST['password']) . $salt), PASSWORD_DEFAULT);

And here is how I verify it:

Login.php

    $password = md5(sha1($_POST['password']) . $salt);

    $check = $mysqli->query("SELECT password FROM accounts WHERE email = '$email'");
    $passw_hash = $check->fetch_assoc();
    if (password_verify($password, $passw_hash["password"])) {
        // LOGIN SUCCESSFULLY
    }

My PHP version: 5.5

Or if you have any other method to encrypt passwords, let me know.

UPDATE

1- Modified the password column size from VARCHAR(60) to VARCHAR(250)

2- Removed all other encryptions like md5 and sha1, and cleaned up the code to protect the password against SQL injection.

Example of hashed password:

Pure TEXT: google

Hashed: $2y$10$0Bd5Uv09Jg50QZZ4Iz7F2.WGV3MpYkScg9vuTONWmUCMYPJ3qDukC

I insert a new member into my database with prepared statements using mysqli:

        $st = $mysqli->prepare("
                                    INSERT INTO
                                        accounts(
                                            username,
                                            password,
                                            date
                                        ) VALUES (
                                            ?,
                                            ?,
                                            ?
                                        )");
        $st->bind_param('sss', $username, $password, $date);
        $st->execute();

1 Answer

Since you're using password_hash() you do not want to use any additional hashing, so remove the md5() and sha1() functions.

    $password = password_hash($_POST['password'], PASSWORD_DEFAULT);

Furthermore, remove the functions from your login:

    $password = $_POST['password'];

By adding the other functions you're destroying the elements password_hash() and password_verify() need to do their jobs. Adding the two additional hashing mechanisms also doesn't make the hash any more secure.

Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

In addition, Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Don't believe it?

– Jay Blanchard
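The following is an added example, not code from the question or the answer above: it puts the answer's three points together (hash the raw password with password_hash(), verify the raw password with password_verify(), and never interpolate user input into SQL) as a complete register/login pair for MySQLi on PHP 5.5+. It assumes an existing `$mysqli` connection and an `accounts` table with `username`, `password` and `date` columns; the column name `username` for the lookup and the 255-character width for `password` (the width the PHP manual recommends for future algorithms) are assumptions, not something the original post specifies. The `demonstrate_wrapping_mismatch()` helper runs without a database and shows why wrapping the password in md5()/sha1() on one side only can never verify.

```php
<?php
// Added example (not from the original post or answer). Assumes an open
// mysqli connection and a table: accounts(username, password VARCHAR(255), date).

function register_user(mysqli $mysqli, $username, $password)
{
    // Hash the plain password directly: no md5()/sha1(), no escaping, no manual salt.
    // password_hash() generates a random salt and embeds it in the "$2y$10$..." string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if ($hash === false) {            // PHP 5.x returns false on failure (PHP 8 throws)
        throw new RuntimeException('password_hash() failed');
    }
    $date = date('Y-m-d H:i:s');

    // Every user-supplied value is bound, never concatenated into the SQL text.
    $st = $mysqli->prepare('INSERT INTO accounts (username, password, date) VALUES (?, ?, ?)');
    if ($st === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $st->bind_param('sss', $username, $hash, $date);
    $ok = $st->execute();
    $st->close();
    return $ok;
}

function login_user(mysqli $mysqli, $username, $password)
{
    // Fetch the stored hash with a bound parameter (no quoting/escaping needed).
    $st = $mysqli->prepare('SELECT password FROM accounts WHERE username = ? LIMIT 1');
    if ($st === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $st->bind_param('s', $username);
    $st->execute();
    $st->bind_result($stored_hash);   // bind_result() does not require mysqlnd, unlike get_result()
    $found = $st->fetch();            // true = row read, null = no row, false = error
    $st->close();

    if ($found !== true) {
        return false;                 // unknown user (or query error): refuse the login
    }

    // Compare the RAW submitted password against the stored bcrypt string.
    if (!password_verify($password, $stored_hash)) {
        return false;
    }

    // Transparent upgrade: if PHP's default algorithm or cost has changed since this
    // hash was created, re-hash now while the plain password is available.
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
        $new_hash = password_hash($password, PASSWORD_DEFAULT);
        $up = $mysqli->prepare('UPDATE accounts SET password = ? WHERE username = ?');
        if ($up !== false) {
            $up->bind_param('ss', $new_hash, $username);
            $up->execute();
            $up->close();
        }
    }
    return true;
}

// Offline check (no database): whatever string goes into password_hash() must be the
// exact same string handed to password_verify(). Hashing md5(sha1(pw) . salt) at
// registration but verifying the raw password at login (or the other way round)
// can never match, which is one way the original mixed code breaks.
function demonstrate_wrapping_mismatch($password, $salt)
{
    $wrapped_hash = password_hash(md5(sha1($password) . $salt), PASSWORD_DEFAULT);
    $plain_hash   = password_hash($password, PASSWORD_DEFAULT);
    return array(
        'raw_vs_wrapped'  => password_verify($password, $wrapped_hash),                 // mismatch
        'wrapped_vs_same' => password_verify(md5(sha1($password) . $salt), $wrapped_hash), // only works if both sides wrap
        'raw_vs_plain'    => password_verify($password, $plain_hash),                   // the recommended way
    );
}

// Usage with a constructed password and salt (no DB needed for this part):
print_r(demonstrate_wrapping_mismatch('google', 'example-salt'));
```

Note that the pre-hash in the question does not overflow bcrypt's 72-byte input limit (md5() yields 32 hex characters), so the double hashing only adds confusion and code, not security; the practical risk is the two sides drifting apart, as the helper above shows.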
  • What do you mean by "not solved"? The important thing to note here is that password_hash() can generate some very lengthy text (the current default is 60 characters), so making the field larger now will allow for the length needed. Secondly, the PHP team is adding more algorithms to the method, which means the hash can and will grow. We also do not want to limit our users' ability to use the password or passphrase of their choice. It's best to leave room for the changes. What size is the column in your database where you're storing the passwords? – Jay Blanchard Jul 19 '16 at 20:02
  • My size is VARCHAR(60) – Jack Panston Jul 19 '16 at 20:06
  • Even though that should work, make it larger. Can you share one of the hashes after you fixed the code? – Jay Blanchard Jul 19 '16 at 20:07
  • You're also assuming your query is working. Are there any errors in your error logs? Can you post the markup for your login form? – Jay Blanchard Jul 19 '16 at 20:10
  • Here is an example of one of the hashes: `$2y$10$0Bd5Uv09Jg50QZZ4Iz7F2.WGV3MpYkScg9vuTONWmUCMYPJ3qDukC` for password: `google` – Jack Panston Jul 19 '16 at 20:19
  • And note that I modified the size to VARCHAR(250). – Jack Panston Jul 19 '16 at 20:21
  • @JackPanston can you update question with your updated code? Can you also show the `insert` you are using? – chris85 Jul 19 '16 at 20:22
  • The hash looks OK now Jack. Can you add the code @chris85 is asking for? – Jay Blanchard Jul 19 '16 at 20:28
  • Yes, I just did that, you can check :) – Jack Panston Jul 19 '16 at 20:31
  • Can you `print_r($passw_hash);` after you run the `SELECT` query and fetch the results? – Jay Blanchard Jul 19 '16 at 20:33
  • I'm still not clear what actually is happening. Are you having issues with the insert or check? Did you remove the `md5(sha1` hashed data from db? – chris85 Jul 19 '16 at 20:35
  • Hi, thanks all for your help! @JayBlanchard the problem was when I fetched the password hash from the database! It is now solved, sorry for your time :) – Jack Panston Jul 19 '16 at 20:45