-1

I can see that this question has been asked quite a lot of times and answers have been given, but your fresh help will be highly appreciated. I've been trying to hash a password before submitting it to the database using password_hash(). It works, but password_verify() doesn't work. I've tried editing it in more ways than I can imagine; it still doesn't work. Meanwhile, I've been using the sha512 method before now, but I noticed that the generated string is the same for ALL the passwords for this particular page - the other pages and their respective tables in the database are not affected. Here's the password_hash file:

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
include('config.php');
$conn = mysqli_connect(DB_DSN,DB_USERNAME,DB_PASSWORD,'kqusers');
$name = test_input($_POST['name']);
$pName = test_input($_POST['pName']);
$month = $_POST['month'];
$day = $_POST['day'];
$year = $_POST['year'];
$date = $month." ".$day." ".$year;
$class = $_POST['level'];
$username = test_input($_POST['username']);
$password = test_input($_POST['pass']);
$enc_password = password_hash($password, PASSWORD_DEFAULT);
$insert = mysqli_query($conn,"INSERT INTO student_user (name, parent_name, dob, class, username, password) VALUES ('$name', '$pName', '$date', '$class', '$username', '$enc_password')");
if ($insert) {
    echo "inserted";
}
else{
    echo "error";
}
mysqli_close($conn);

Now, the password_verify file:

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
include('config.php');
$conn = mysqli_connect(DB_DSN,DB_USERNAME,DB_PASSWORD,'kqusers');
$username = test_input($_POST['username']);
$password = test_input($_POST['password']);
$user_qry = mysqli_query($conn,"SELECT username FROM student_user WHERE username= '".$username."'");
$user=mysqli_fetch_assoc($user_qry);
$num_users = mysqli_num_rows($user_qry);
if ($num_users == 0) {
    echo "user_error";
}
else{   
    $pass_qry = mysqli_query($conn,"SELECT password FROM student_user WHERE username= '".$username."'");
    $pass = mysqli_fetch_assoc($pass_qry);
    $enc_password = $pass["password"];
    $verify = password_verify($password, $enc_password);
    if ($verify) {
        echo "login";
    }
    else{
        echo "error";
    }
}
mysqli_close($conn);

The password field is varchar(255) and I think I've taken all the precautions I know. I've tried running a few lines of code to see where I could be getting it wrong. In this file, I initialize a variable with the string 'jim', hash it and then verify it. But when I insert the same 'jim' as a password into the database after hashing it and I try to verify it, it returns false. This is what I mean:

$pass = "jim";
$enc_pass = password_hash($pass,PASSWORD_DEFAULT);
$ver = password_verify($pass,$enc_pass);
if($ver){
    echo "yes";
}
else{
    echo "no";
}

The above code displays 'yes'. But when I insert the hashed 'jim' via the non-responsive page to the DB and try verifying it against the hashed string like this:

$pass = "jim";
$enc_pass = password_hash($pass,PASSWORD_DEFAULT);
$ver = password_verify($pass,'$2y$10$puPHBPrgSM2gPoECXH43vev6c9PCSDoOpdGwEryL/WsZTqR8ofZ8a');
if($ver){
    echo "yes";
}
else{
    echo "no";
}

It returns 'no'.

jaypee

1 Answer

2

When hashing, you are actually hashing an empty string, not the password. The following returns true for the hash you provided:

password_verify('','$2y$10$puPHBPrgSM2gPoECXH43vev6c9PCSDoOpdGwEryL/WsZTqR8ofZ8a');

This means that the $password variable in your password hash file is actually empty. That would also explain why the output from the sha512 hash was the same for every password, which obviously should never happen. The chances of finding 2 different strings with the same sha512 hash are essentially zero.

My guess is you're confusing $_POST['pass'] and $_POST['password'], since you use the latter in your verify script; however, this is only a guess.

On another note, you need to stop putting variables directly into your SQL queries, as this leaves your script open to SQL injection attacks. Instead, use prepared statements with bound parameters.

Mike
  • You're absolutely right! Turns out that on the registration page, I have 3 variables: pass1, pass2 and pass. The pass1 and pass2 variables are meant to authenticate the passwords used in registering, while the pass variable is initialized as an empty string. The idea was to assign the value of pass1 into pass. In doing this I actually wrote pass == pass1 (which leaves the pass variable as an empty string still) instead of pass = pass1. I'm so ashamed of myself, but thanks for putting my nightmare to an end – jaypee Jul 18 '18 at 12:16
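
The two points from the answer above (an empty string hashes without error, and queries should use bound parameters) are combined in this added example, which is not code from the question or the answer. The table and column names follow the question; the function names, the PDO driver and the in-memory SQLite database are assumptions chosen so the script runs without a MySQL server.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the MySQL 'kqusers' database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE student_user (
    username TEXT PRIMARY KEY,
    password VARCHAR(255) NOT NULL
)');

// Hypothetical helper: store a new user with a hashed password.
function register_user(PDO $db, string $username, string $password): bool
{
    // password_hash('') succeeds and returns a valid-looking hash, so an
    // empty value has to be refused before hashing, not discovered at login.
    if ($username === '' || $password === '') {
        return false;
    }
    // Hash the password exactly as submitted: no trim(), stripslashes()
    // or htmlspecialchars(), which would alter what the user typed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO student_user (username, password) VALUES (:u, :p)'
    );
    return $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Hypothetical helper: check a login attempt against the stored hash.
function check_login(PDO $db, string $username, string $password): bool
{
    // One query fetches the hash; the username is bound, never concatenated.
    $stmt = $db->prepare(
        'SELECT password FROM student_user WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample input.
var_dump(register_user($db, 'jim_user', ''));     // empty password case
var_dump(register_user($db, "o'neil", 'jim'));    // quote in a bound value
var_dump(check_login($db, "o'neil", 'jim'));      // correct password
var_dump(check_login($db, "o'neil", ''));         // empty password at login
var_dump(check_login($db, 'nobody', 'jim'));      // unknown user
```

With mysqli the same pattern uses mysqli_prepare(), mysqli_stmt_bind_param() and mysqli_stmt_execute() in place of the PDO calls.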