
I created a default username and password in a MySQL table with this command:

    insert into users (email, password) values('admin', md5('1234'));

and then tried to verify it with PHP:

    password_verify($_POST['password'], $results['password'])

But it is not verified. However, if I create a username and password with

    $stmt -> bindParam(':password', password_hash($_POST['password'], PASSWORD_BCRYPT));

it can be verified.

My question:

I'd like to create a default username and password with a MySQL command and want the website (PHP) to verify it against user input.

To do this, which MySQL function do I need to use for the password encryption? `md5()` seems not to be equal to `password_hash` in PHP.

Thanks a lot

Funk Forty Niner
user7099140
  • 3
    mysql doesn't have an equivalent for `password_hash`, that's how you're supposed to store it. You store the hash, not the plain text password. You're doing fine. – Andrei Nov 01 '16 at 10:32
  • 3
    Not a duplicate. The questions are not even remotely related. – Andrei Nov 01 '16 at 10:36
  • @Andrew & user7099140, mysql does have an equivalent for `password_hash`, that is the `PASSWORD` function [MySql Password Hashing](http://dev.mysql.com/doc/refman/5.7/en/password-hashing.html) – Haridarshan Nov 01 '16 at 10:42
  • 3
    `PASSWORD` and `password_hash()` are 2 very different things. The result from one will not correspond with the other. – Andrei Nov 01 '16 at 10:56
  • I find it rather hard to believe that what you posted where you say it works does work. – Funk Forty Niner Nov 01 '16 at 11:14
  • @Haridarshan No, those are two different animals and produce two different hashes (and of different lengths). Please retract your comment and the answer, they're both wrong. – Funk Forty Niner Nov 01 '16 at 11:18
  • The verification of password hashes cannot be done with pure SQL, because the hashes are salted and cannot be searched for. Instead one needs to find the stored hash by username and afterwards it can be verified in PHP. I tried to explain this together with example code in this [answer](http://stackoverflow.com/a/38422760/575765). – martinstoeckli Nov 01 '16 at 21:00

1 Answer

4

First, let's clarify some things:

`password_hash` and `password_verify` are purely PHP functions. They have nothing to do with MySQL.

`password_hash` does not use the MD5 algorithm for hashing your password. You can find more information about it in the docs.

So how do we use this, and what does the workflow look like?

    // Generates a salted hash; the algorithm argument is required
    $hash = password_hash('your_password', PASSWORD_DEFAULT);

    // Verifies the password against the hash
    $verified = password_verify('your_password', $hash);

    var_export($verified); // Would echo boolean true

In your case, you should:

  1. Store the hash in the database when you store a user
  2. To log someone in, fetch the user's hash from the database
  3. Verify the password against the hash, just like we did above.

I hope it helps.

Patrick
  • It should also be noted that md5 and password_hash() produce two different lengths, and the OP should make sure that their password column's length is long enough to accommodate the (60 length, min.) string. – Funk Forty Niner Nov 01 '16 at 11:21
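
As an added example (not code from the question or the answer), here are the answer's three steps end to end: the default account is hashed in PHP, stored, and also printed as an `INSERT` statement that can be pasted into the mysql client, and a row seeded with `md5()` is included to show it going through the same check. An in-memory SQLite database stands in for MySQL so the script runs offline; the helper names `seedUser` and `login` and the `legacy` row are assumptions made for the example.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL `users` table
// (assumption, so the script runs offline); with a MySQL DSN the PHP calls are the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 255 characters leaves room for the 60-character bcrypt string and for longer future formats.
$pdo->exec('CREATE TABLE users (email VARCHAR(255) PRIMARY KEY, password VARCHAR(255) NOT NULL)');

// Hypothetical helper: hash in PHP, then store the resulting string.
function seedUser(PDO $pdo, string $email, string $plain): string
{
    $hash = password_hash($plain, PASSWORD_BCRYPT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
    // bindValue copies the value; bindParam needs a variable passed by reference.
    $stmt->bindValue(':email', $email);
    $stmt->bindValue(':password', $hash);
    $stmt->execute();
    return $hash;
}

// Hypothetical helper: look the row up by email only, then verify in PHP.
// The hash is salted, so it cannot be matched in the WHERE clause.
function login(PDO $pdo, string $email, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $stored = $stmt->fetchColumn();
    // fetchColumn() returns false when no such user exists.
    return is_string($stored) && password_verify($plain, $stored);
}

// Constructed sample credentials, taken from the question.
$hash = seedUser($pdo, 'admin', '1234');

// The same default account as a statement for the mysql client.
// The salt is random, so the hash differs on every run; any of them verifies.
printf("INSERT INTO users (email, password) VALUES ('admin', '%s');\n", $hash);

// A row seeded the way the question did it, with an MD5 digest.
$pdo->prepare('INSERT INTO users (email, password) VALUES (?, ?)')
    ->execute(['legacy', md5('1234')]);

var_dump(login($pdo, 'admin', '1234'));   // correct password
var_dump(login($pdo, 'admin', 'wrong'));  // wrong password
var_dump(login($pdo, 'legacy', '1234'));  // md5-seeded row from the question
var_dump(login($pdo, 'nobody', '1234'));  // unknown user
```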