How do I verify a hashed password?

Question

Upon registering a new user, the code uses BCRYPT and MD5 to create a hash, like this:

$password = $mysqli->escape_string(password_hash($_POST['password'], 
PASSWORD_BCRYPT));
$hash = $mysqli->escape_string( md5( rand(0,1000) ) );

Once user name, password, and hash are in the SQL database, I want to verify the password. The problem is that the code below is comparing the hashed password to the password typed into the form...

How do I compare the password typed into the form to the hashed password stored in the database?

I have the following code:

function getLogin($conn) {
  if (isset($_POST['loginSubmit'])){


  $email = $_POST['email'];
  $password = $_POST['password'];

  $sql = "SELECT * FROM users WHERE email='$email' AND password='$password'" ;
  $result = mysqli_query($conn, $sql);
  if(mysqli_num_rows($result) == 1) {
    if($row = $result->fetch_assoc()) {
      $_SESSION['id'] = $row['id'];
      $_SESSION['email'] = $row['email'];

      header("Location: indexcomments_merge.php?logiinsuccess");
      exit();
    }
  } else {
      header("Location: indexcomments_merge.php?logiinfailed");
      exit();
   }
  } 
}

You need to hash the password that is typed into the form, and compare that to the hash in the database. — Robby Cornelissen, Dec 25 '18 at 06:43
Just repeat the `$password = $mysqli->escape_string(password_hash($_POST['password'], PASSWORD_BCRYPT));` in the checking code. (BTW, MD5 is probably too weak for storing passwords) — Ken Y-N, Dec 25 '18 at 06:43
maybe your question already answered on this: https://stackoverflow.com/questions/26536293/php-password-hash-password-verify — Sofyan Thayf, Dec 25 '18 at 06:43
Don't escape (which you aren't doing later anyway), and don't use the MD5. Parameterize the query(s). Always parameterize user input. — user3783243, Dec 25 '18 at 06:47
You also appear to never store the random integer so `$hash` will never be useful for you (unless you brute force it). — user3783243, Dec 25 '18 at 06:49
on a different note, you shouldn't use MD5 for password -- https://md5decrypt.net/en/ — Book Of Zeus, Dec 25 '18 at 06:56
Interestingly this question has most "Don't Do in PHP" topics — Ergec, Dec 25 '18 at 07:15

score -1 · Answer 1 · answered Dec 25 '18 at 07:03

-1

Its just simple you have to convert password from form to MD5 to compare it.

$password=md5($_POST['password']);

I hope it will help you.. Thank You.

answered Dec 25 '18 at 07:03

Anadkat Bhavik

111
1
6

2

`md5()` is a bad idea. – Rotimi Dec 25 '18 at 07:39

How do I verify a hashed password?

1 Answers1