0

I need to create a login system for an application that will work off the site, and I need it to connect to the standard WordPress database, but the passwords in the database are protected by a hash.

I would like to know if you can cancel the hash encoding or if there is any PHP script that can get the user's original password without being decoded by hash.

```php
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully.<br>";

// Look up the stored user_pass value; the e-mail is bound as a parameter
$stmt = $conn->prepare("SELECT user_pass FROM testeUsers WHERE user_email = ?");
$stmt->bind_param("s", $loginUser);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
  // output data of each row
  while ($row = $result->fetch_assoc()) {
    // compares the stored hash directly with the submitted password
    if ($row["user_pass"] == $loginPass) {
      echo "Login Success";
      // put the functions here
    } else {
      echo "wrong password";
    }
  }
} else {
  echo "User not found";
}
```

The problem is that this PHP code takes the text that is written in the user_pass field in the database, and that user_pass is not the user's real password because it is a hash, so my user will never be able to log into the system even if his password is correct.

Dharman
Edi W
  • 2
    You'll need to use [password_verify](https://www.php.net/manual/en/function.password-verify.php) to verify the password. (If that's how WordPress hashes the password, I'm not sure.) All passwords should be hashed to prevent being read by hackers. – aynber Nov 17 '20 at 17:44
  • 1
    When you get the user password, you hash it and compare it with the one in the database. Hopefully, you are using https. – Tarik Nov 17 '20 at 17:44
  • 2
    And no, you cannot unhash the password. A hash is a one way function. See https://en.wikipedia.org/wiki/One-way_function – Tarik Nov 17 '20 at 17:47
  • MySQL or SQL Server? Please remove the incorrect tag. – Dale K Nov 17 '20 at 19:18
  • 1
    Does this answer your question? [How can I decrypt a password hash in PHP?](https://stackoverflow.com/questions/24024702/how-can-i-decrypt-a-password-hash-in-php) – Dharman Nov 17 '20 at 23:59

1 Answer

2

No, the entire point of the hash is to be a one-way function - i.e. you can't easily reverse it. If you could easily reverse it, presumably hackers could also easily reverse it and the hash would be pointless.

In order to compare the passwords, you need to hash the password that the user entered with the salt used in the database, and then do the comparison. I believe that there is a standard function to do this in PHP, but I truthfully don't recall its exact name.

  • While I fully agree with this answer, I have to say that this is an unnecessary duplicate and I will try to get it removed from the site. There is plenty of similar questions in PHP tag already and we don't need yet another one. Please continue contributing to PHP tag, but focus on better questions that are not obvious duplicates. Your contributions are appreciated. – Dharman Nov 18 '20 at 00:02
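
Added example (not code from the question, the answer, or WordPress itself): checking a submitted password against the stored `user_pass` value by recomputing the hash with the cost and salt embedded in the stored string, then comparing in constant time. It assumes the stored values are phpass "portable" hashes (prefix `$P$`) and falls back to `password_verify()` for anything else; the function names and the sample password and salt are made up here, and code running inside a WordPress install can call `wp_check_password()` instead.

```php
<?php
// Added example: recompute the hash of the submitted password, then compare.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// phpass's own base64 variant: 6-bit groups, least significant first.
function phpass_encode64(string $input, int $count): string {
    $map = ITOA64;
    $out = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $out .= $map[$value & 0x3f];
        if ($i < $count) { $value |= ord($input[$i]) << 8; }
        $out .= $map[($value >> 6) & 0x3f];
        if ($i++ >= $count) { break; }
        if ($i < $count) { $value |= ord($input[$i]) << 16; }
        $out .= $map[($value >> 12) & 0x3f];
        if ($i++ >= $count) { break; }
        $out .= $map[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $out;
}

// Recompute a portable phpass hash from the cost and salt held in $setting.
function phpass_portable(string $password, string $setting): ?string {
    if (strlen($setting) < 12 || !in_array(substr($setting, 0, 3), ['$P$', '$H$'], true)) {
        return null; // not a portable phpass hash
    }
    $log2 = strpos(ITOA64, $setting[3]);
    if ($log2 === false || $log2 < 7 || $log2 > 30) { return null; }
    $hash = md5(substr($setting, 4, 8) . $password, true);
    for ($n = 1 << $log2; $n > 0; $n--) {
        $hash = md5($hash . $password, true);
    }
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

function check_stored_password(string $password, string $stored): bool {
    $expected = phpass_portable($password, $stored);
    if ($expected !== null) {
        return hash_equals($stored, $expected); // constant-time comparison
    }
    return password_verify($password, $stored); // hashes made by password_hash()
}

// Constructed sample: '$P$B' = phpass id + cost char, 'saltsalt' = 8-char salt.
$stored = phpass_portable('correct horse', '$P$B' . 'saltsalt');
var_dump(check_stored_password('correct horse', $stored));
var_dump(check_stored_password('wrong guess', $stored));
```

In the login script, `check_stored_password($loginPass, $row["user_pass"])` would take the place of the `==` comparison.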