
I have saved the sha512 password to DB and I am trying a simple login screen to check the password. I am always getting a password wrong error.

I echoed the result and all text shows correctly. I am not sure what could be wrong here.

Result of the code:

Actual qwerty123!

48a2d06f950fe0bece5ea4749e9db40e2ea17e6353476331839e967b0b7fbd9e4b6c999177e708385f09aca4c7d79884d9b472f4b39d901fffbd5677a9ed26f7 512

48a2d06f950fe0bece5ea4749e9db40e2ea17e6353476331839e967b0b7fbd9e4b6c999177e708385f09aca4c7d79884d9b472f4b39d901fffbd5677a9ed26f7 inside while

48a2d06f950fe0bece5ea4749e9db40e2ea17e6353476331839e967b0b7fbd9e4b6c999177e708385f09aca4c7d79884d9b472f4b39d901fffbd5677a9ed26f7 db

48a2d06f950fe0bece5ea4749e9db40e2ea17e6353476331839e967b0b7fbd9e4b6c999177e708385f09aca4c7d79884d9b472f4b39d901fffbd5677a9ed26f7 Wrong

Here is the code:

```php
<?php
session_start();
ob_start();
require('db/config.php');

$password = "qwerty123!";

echo "Actual " . $password;

echo "<br>";
echo "<br>";

$password = hash('sha512', $password);

echo $password . " 512";

echo "<br>";
echo "<br>";

$username = "admin";

$query = "SELECT * FROM userdetails WHERE username = '$username'";
$result = mysqli_query($conn, $query);
if (mysqli_num_rows($result) > 0)
{
    while ($row = mysqli_fetch_array($result))
    {
        echo $password . " inside while";
        echo "<br>";
        echo "<br>";
        echo $row["password"] . " db ";
        echo "<br>";
        echo "<br>";

        if (password_verify($row["password"], $password))
        {
            echo $row["password"] . " Correct ";
        }
        else
        {
            echo $row["password"] . " Wrong ";
        }
    }
}

?>
```
Sanjana Nair

1 Answer


You are changing the $password to the hash: $password = hash('sha512', $password);

password_verify — Verifies that a password matches a hash

password_verify ( string $password , string $hash ) : bool

You should pass the password to that function, not the hash.

Remove this line and try again: $password = hash('sha512', $password);

Edit: also reverse the order of the pass and hash:

password_verify($password, $row["password"]);

Miro
  • But $row["password"] has hash value and not the string and $password also has the hash value and not the string – Sanjana Nair Oct 29 '20 at 02:54
  • Exactly! password_verify takes String and Hash and compares it. It does the conversion for you. You don't need to turn the password into hash. Otherwise you can just use `if($row["password"] == $password)` That will work but the function makes it easier. – Miro Oct 29 '20 at 03:03
  • Hmm. Thanks. I thought password_verify will check if the given parameters are the same. Anyways, I changed it to == easier. Thanks! – Sanjana Nair Oct 29 '20 at 03:06
  • The function will automatically detect the encoding used (sha512 or md5 etc.) so you don't need to know what it is and you can have mixed hashes in the database. Take a look [here](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – Miro Oct 29 '20 at 03:08
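As an added example (not code from the question or the answer), here is the login check written the way the password_verify() signature intends: password_hash() output is stored at registration, and at login the plaintext candidate goes first and the stored hash second, with a bound parameter instead of the interpolated $username. It assumes the same $conn from db/config.php and the userdetails table from the question; the branch for rows that still hold a bare sha512 hex digest is an assumption about existing data, since password_verify() cannot read such a value.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes $conn (mysqli)
// from db/config.php and the userdetails table with username/password columns.
require('db/config.php');

// Registration side: store password_hash() output, never a bare sha512 hex
// digest. The returned string embeds the algorithm, cost and a random salt.
function storeUser(mysqli $conn, string $username, string $plain): bool
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO userdetails (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

// Login side: look the row up with a bound parameter, then call
// password_verify(PLAINTEXT, STORED_HASH) in that order.
function checkLogin(mysqli $conn, string $username, string $plain): bool
{
    $stmt = $conn->prepare('SELECT password FROM userdetails WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        return false; // unknown user
    }
    $stored = $row['password'];

    // Assumed legacy case: a row holding a raw sha512 hex digest (128 hex chars),
    // as in the question. password_verify() returns false for it, so compare the
    // digest in constant time and, on success, upgrade the row to password_hash().
    if (preg_match('/^[0-9a-f]{128}$/i', $stored)) {
        if (!hash_equals(strtolower($stored), hash('sha512', $plain))) {
            return false;
        }
        $new = password_hash($plain, PASSWORD_DEFAULT);
        $upd = $conn->prepare('UPDATE userdetails SET password = ? WHERE username = ?');
        $upd->bind_param('ss', $new, $username);
        $upd->execute();
        return true;
    }

    return password_verify($plain, $stored);
}

// Usage, mirroring the question's test values:
// storeUser($conn, 'admin', 'qwerty123!');
// var_dump(checkLogin($conn, 'admin', 'qwerty123!')); // bool(true)
```

Comparing two sha512 hex strings with == works for the test above but is not equivalent to password_verify(): an unsalted fast hash can be brute-forced offline far more cheaply than the slow, salted hash password_hash() produces.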