pass in password_hash field with pdo

Question

I am trying to process a password as md5 into the database, this is the concerned code:

include_once("config.php");
session_start();

if(isset($_POST['signup'])){
    $name = $_POST['name'];
    $email = $_POST['email'];
    $pass = $_POST['pass'];

    $insert = $pdo->prepare("INSERT INTO users (name,email,pass)
                                values(:name,:email,:pass) ");
    $insert->bindParam(':name',$name);
    $insert->bindParam(':email',$email);
    $insert->bindParam(':pass',$pass);
    $insert->execute();
}elseif(isset($_POST['signin'])){
    $email = $_POST['email'];
    $pass = $_POST['pass'];

    $select = $pdo->prepare("SELECT * FROM users WHERE email='$email' and pass='$pass'");
    $select->setFetchMode();
    $select->execute();
    $data=$select->fetch();
    if($data['email']!=$email and $data['pass']!=$pass) {
        echo "invalid email or pass";
    }
    elseif($data['email']==$email and $data['pass']==$pass) {
        $_SESSION['email']=$data['email'];
        $_SESSION['name']=$data['name'];
        header("location:profile.php"); 
    }
}

What length in the db would be appropriate to store this hashed password?

And how do I use this:

$hashed_password = password_hash($pass, PASSWORD_DEFAULT);
     var_dump($hashed_password);

and the if statement if the password was ok?

Why don't you try and see? It looks about right, aside from the fact that `md5()` is old and broken. You should look into using `password_hash()` instead — Qirel, Apr 18 '17 at 22:24
instead of using `md5`, use `password_*` api instead http://stackoverflow.com/questions/30279321/how-to-use-password-hash — Kevin, Apr 18 '17 at 22:24
I changed my code to use password_hash, but I am not sure how wrap the if statement around my insert — user2371684, Apr 18 '17 at 22:38
`password_verify()` runs on SELECT; that's not shown. What's the password column length; not still 32 long I hope? That's what MD5's length is. — Funk Forty Niner, Apr 18 '17 at 22:40
@user2371684 you can ping me back like I did here if you want. — Funk Forty Niner, Apr 18 '17 at 22:42
You are in a signup process so you would not be verifying the hash at this stage. You verify the hash as part of the login process, to check the user entered the correct password — RiggsFolly, Apr 18 '17 at 22:54
@Fred -ii- I did update the code now, but uncertain how to implement the password_hash code — user2371684, Apr 18 '17 at 23:17
Have a look at this answer http://stackoverflow.com/a/29778421/1415724 — Funk Forty Niner, Apr 18 '17 at 23:34

score 2 · Accepted Answer · edited Jun 20 '20 at 09:12

2

Its really quite simple once you read the manual or see an example in a tutorial. See comments in the code for details

<?php
include_once("config.php");
session_start();

if(isset($_POST['signup'])){
    $name = $_POST['name'];
    $email = $_POST['email'];
    
    // at signup you hash the user provided password
    $pass = password_hash($_POST['pass'], PASSWORD_DEFAULT);

    $insert = $pdo->prepare("INSERT INTO users (name,email,pass)
                                values(:name,:email,:pass) ");
    $insert->bindParam(':name',$name);
    $insert->bindParam(':email',$email);
    $insert->bindParam(':pass',$pass);   // this stores the hashed password
    $insert->execute();
}elseif(isset($_POST['signin'])){
    $email = $_POST['email'];
    $pass = $_POST['pass'];

    // as the password on the DB is hashed you cannot use the
    // plain text password in the SELECT here as it wont match
    $select = $pdo->prepare("SELECT * FROM users WHERE email=:email");

    // no idea what this was doing
    //$select->setFetchMode();
    $select->bindParam(':email',$email);
    $select->execute();

    $row = $select->fetch(PDO::FETCH_ASSOC);

    // verify the plain text password against the 
    // hashed value from DB in $row['pass']
    if( password_verify($pass, $row['pass']) ){
        $_SESSION['email'] = $data['email'];
        $_SESSION['name']  = $data['name'];
        header("location:profile.php"); 
        exit;
    } else {
        echo "invalid email or pass";
    }
}

And as to the length of the column in the database that you need to hold this hashed value, it is documented in the manual

The following algorithms are currently supported:

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.

edited Jun 20 '20 at 09:12

Community

1
1

answered Apr 18 '17 at 23:39

RiggsFolly

93,638
21
103
149

thanks :) one thing I was wondering, to hand this hashed password, what varchar length should I use in the database? – user2371684 Apr 18 '17 at 23:51
See additional info in the answer – RiggsFolly Apr 18 '17 at 23:54
just a small comment, there should be a extra ending ) in the if statement on line 35 – user2371684 Apr 19 '17 at 00:14
I tested out the code today, after inserting new credentials, the signup, the page goes blank – user2371684 Apr 19 '17 at 08:23
Thats because when you run the `signup` code, you dont actually output anything to the browser. Add an `echo 'registered';` or something more interesting – RiggsFolly Apr 19 '17 at 08:26
I wanted the user, after signup to be directed back to the index page, where the signin form is. So i tried this after the signup execute command: header("location:index.php"); – user2371684 Apr 19 '17 at 08:43
Try `header('Location: index.php'); exit;` – RiggsFolly Apr 19 '17 at 08:44
same result, blank page and no update to the db – user2371684 Apr 19 '17 at 08:50
Add your config.php to your question please – RiggsFolly Apr 19 '17 at 08:53
that config.php works with all other crud operations I have, and also with my previous code without the encryption – user2371684 Apr 19 '17 at 08:56
Ok did you set PDO to throw exceptions? Thats all I really wanted to know – RiggsFolly Apr 19 '17 at 08:58
These additional questions dont really match you original question. Maybe you should ask another question – RiggsFolly Apr 19 '17 at 09:06
I forgot that in my config I had ini_set('display_errors', 0); changed it to ini_set('display_errors', 1); and now I get this error: Fatal error: Call to undefined function password_hash() line 10 which is: $pass = password_hash($_POST['pass'], PASSWORD_DEFAULT); – user2371684 Apr 19 '17 at 09:09
I guess you are using a VERY OLD version of PHP. What version of PHP are you using? – RiggsFolly Apr 19 '17 at 09:11
MySQL clientversion: 5.0.83 on the remote server. This is pretty antique :P is there a risk that password_hash won't work with such a old version? – user2371684 Apr 19 '17 at 09:13
I suspect it has to be ateast php5.5 – user2371684 Apr 19 '17 at 09:18
The MYSQL version is irrelevant. Dont suspect, be sure. `password_hash()` only became available as of PHP5.5. If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Apr 19 '17 at 09:20
will find out, and get back, otherwise I will use md5, but this is only for learning purposes – user2371684 Apr 19 '17 at 09:25

pass in password_hash field with pdo

1 Answers1

Linked