
I would like to make a check to see if the two hashes are the same, and then add the same one to the database; that is, if the password is the same as the confirmation password, then the user can register.
I tried to use the comparison operator == and the password_verify method, but neither of them returns true even when the password hashes are of the same password.

What can I do to verify that the two password hashes are the same and then be able to add them to the database?

<?php

// Both setters hash their input, so $password and $password2 end up holding two
// different bcrypt strings (each with its own random salt), and the comparisons
// in CheckHashes() never succeed.
class SignUp {

    private $email;
    private $password;
    private $password2;

    public function setEmail($e) {
        $this->email = $e;
    }

    public function getEmail() {
        return $this->email;
    }

    public function setPassword($p) {
        // password_hash() draws a fresh random salt on every call
        $this->password = password_hash($p, PASSWORD_BCRYPT);
    }

    public function getPasswordHash() {
        return $this->password;
    }

    public function setPassword2($p2) {
        // Second, independent hash of the confirmation password
        $this->password2 = password_hash($p2, PASSWORD_BCRYPT);
    }

    public function getPasswordHash2() {
        return $this->password2;
    }

    public function CheckHashes() {
        // Two independent bcrypt hashes of the same input are never equal
        if($this->getPasswordHash() == $this->getPasswordHash2()) {
            echo 'This is true'; //Insert into the database
        }
        else {
            echo 'This is false';
        }
        echo "\n";
        // password_verify() expects the plaintext password as its first
        // argument; a hash is passed here, so this check also fails
        if(password_verify($this->getPasswordHash(), $this->getPasswordHash2())) {
            echo 'True'; //Insert into the database
        }
        else {
            echo 'False';
        }
    }
}

$obj = new SignUp();
$obj->setEmail('email');
$obj->setPassword('string');
$obj->setPassword2('string');
// CheckHashes() echoes its result itself and returns nothing
$obj->CheckHashes();
Anne Rebb
  • Does this answer your question? [How to use PHP's password_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) – Progman Nov 08 '20 at 14:43
  • The first argument for `password_verify()` must be the password entered by the user, not the hash. – Progman Nov 08 '20 at 14:43
    Off-topic: there is very little OOP in your code. Getters and setters are not OOP but procedural programming disguised as OOP. The class does not have a constructor, therefore an instance of class is not much better than a plain `array()`. After the statement `$obj = new SignUp();`, `$obj` should be a fully initialized object, ready to be used. This is not the case here. Add a constructor to the class and task it to initialize the instance properties; remove the setters. Remove the getters and let the function `CheckHashes()` access the properties directly. You'll have less code and more OOP. – axiac Nov 08 '20 at 14:52

1 Answer


Getting a completely different result every time you invoke password_hash() with the same plain password is entirely intentional and a very important security measure. It's a defence against pre-computed hash attacks (rainbow tables) and it also mitigates data leaks.

Validating that the user has typed the password correctly doesn't need any cryptographic tools. The good old === operator on plain passwords should be enough for most usages.

public function setPassword($password, $confirm) {
    if ($password === $confirm) {
        $this->password = password_hash($password, PASSWORD_BCRYPT);
    } else {
        // Handle input error here
    }
}
Álvaro González
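The full registration-and-login flow the answer describes, as an added example that is not code from the question or the answer: compare the two plaintext inputs, hash exactly once, store only the hash, and at login hand the plaintext attempt to password_verify(). The Account class, the login() function and the in-memory $users array are illustrative stand-ins (the array plays the role of the database table), not a library API.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. $users stands in
// for the database table; Account and login() are illustrative names.

final class Account
{
    private string $email;
    private string $passwordHash;

    public function __construct(string $email, string $password, string $confirm)
    {
        // Compare the two plaintext inputs. Hashing both and comparing the
        // hashes can never work: every password_hash() call draws a fresh
        // random salt, so the two strings always differ.
        if ($password !== $confirm) {
            throw new InvalidArgumentException('Password and confirmation do not match');
        }
        // bcrypt only looks at the first 72 bytes of its input, so longer
        // passwords would silently collide with their 72-byte prefix.
        if (strlen($password) < 8 || strlen($password) > 72) {
            throw new InvalidArgumentException('Password must be between 8 and 72 bytes');
        }
        $this->email = $email;
        // Hash exactly once; the plaintext is never kept.
        $this->passwordHash = password_hash($password, PASSWORD_BCRYPT);
    }

    public function email(): string { return $this->email; }
    public function passwordHash(): string { return $this->passwordHash; }
}

// Hash of a throwaway value, so that a login attempt for an unknown e-mail
// costs the same bcrypt work as a wrong password for a known one.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

/**
 * Login check: the plaintext attempt is the first argument of
 * password_verify(), the stored hash the second. If the stored hash was
 * produced with an older cost factor it is replaced after a successful login.
 */
function login(array &$users, string $email, string $attempt, string $dummyHash): bool
{
    $known  = array_key_exists($email, $users);
    $stored = $known ? $users[$email] : $dummyHash;

    // password_verify() always runs, even for unknown users
    if (!password_verify($attempt, $stored) || !$known) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $users[$email] = password_hash($attempt, PASSWORD_BCRYPT);
    }
    return true;
}

// Demo with a constructed user record.
$users = [];
$account = new Account('user@example.com', 'correct horse battery', 'correct horse battery');
$users[$account->email()] = $account->passwordHash();

var_dump(login($users, 'user@example.com', 'correct horse battery', $dummyHash));
var_dump(login($users, 'user@example.com', 'wrong password', $dummyHash));
var_dump(login($users, 'nobody@example.com', 'correct horse battery', $dummyHash));

// Mismatched confirmation is rejected before anything is hashed.
try {
    new Account('user@example.com', 'one password', 'another password');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Of the three login() calls only the first succeeds; the second fails on the wrong password and the third on the unknown e-mail, and both failures still pay for one bcrypt verification so a timing difference does not reveal which addresses are registered. The stored value in $users is the only thing that ever needs to reach the database: a single hash per account, never the confirmation copy.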