
Well, I'm making a login system with MySQL and PHP. I want to crypt the user's password using the password_hash and password_verify functions. But it isn't working for me when I compare the dehashed password with the hashed password (in the password_verify function).

So here is my code.

signup.php

$password_hashed = password_hash($data['password'], PASSWORD_DEFAULT, array("cost"=>15));

$statement = $connection->prepare("INSERT INTO users (username, email, password) VALUES (:username, :email, :password)");


if ($statement && empty($result1)) {
    $result = $statement->execute([
        ':username' => $data['username'],
        ':email'    => $data['email'],
        ':password' => $password_hashed,
    ]);

    header('Location: register.php');
    $_SESSION['messages'][] = 'Thank you for registration. Check your email then log in.';
    exit();
}

login.php

if ($user['username'] === $username && $user['password'] === password_verify($user['password'], $password)) {
    header("Location: panel.php");
    $_SESSION['username'] = $user['username'];
    die();
} else {
    $_SESSION['messages'][] = 'Incorrect user or password!';
    header('Location: login.php');
}

Where $password: $password = $data['password'];

Where $user:

$statement = $connection->prepare('SELECT * FROM users WHERE username = :username');
$statement->execute([':username' => $username]);
$result = $statement->fetchAll(PDO::FETCH_ASSOC);
$user = array_shift($result);

Output: Incorrect user or password!

  • `password_verify()` returns `true`, not the hash, so `$user['password'] == $boolValue` doesn't make sense – Progman Nov 17 '20 at 18:37
  • Is this academic code to learn about PHP or for a production site? – tadman Nov 17 '20 at 18:38
  • There is no such thing as a "dehashed" password. The whole point of `password_hash` is to make it as difficult as possible to ever brute-force guess it. They're intended to be [one way only](https://en.wikipedia.org/wiki/Cryptographic_hash_function). – tadman Nov 17 '20 at 18:39

1 Answer

This returns a boolean (true/false) value:

password_verify($user['password'], $password)

So this will never be true:

$user['password'] === password_verify($user['password'], $password)

Once you've selected the user from the database based on the provided username, just verify the password:

if (password_verify($password, $user['password'])) { // plaintext password first, stored hash second

A couple of notes on your terminology, because it's important...

I want to crypt the user's password

No, you do not want to encrypt the user's password. You want to "hash" it. It's an important distinction. Encrypted things can be returned to their original form. Hashed things cannot, which is a vital part of password security.

compare the dehashed password with the hashed password

There's no "dehashed" anything. What password_verify does internally is hash the provided password and compare that result with the already-hashed stored password. At no point can you in any way convert the stored hashed password back to its original form.

David
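The complete register-then-verify flow the answer describes, as an added example that is not part of the question or the answer. It keeps the question's table layout (username, email, password) but uses an in-memory SQLite database through PDO so it runs stand-alone (assumes the pdo_sqlite extension is loaded); the function names openDb, registerUser, authenticate and dummyHash are illustrative assumptions, not anything from the original post.

```php
<?php
declare(strict_types=1);

// Added example, not the question's or answer's code. In-memory SQLite via PDO
// (assumed extension: pdo_sqlite) stands in for the MySQL table from the question.
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password column holds the full "$2y$..." string that password_hash() emits;
    // PASSWORD_DEFAULT may change in a future PHP release, so keep it wide (255).
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                                   email TEXT, password TEXT)');
    return $db;
}

// signup.php equivalent: only the hash is stored, never the plaintext.
function registerUser(PDO $db, string $username, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (:u, :e, :p)');
    $stmt->execute([':u' => $username, ':e' => $email, ':p' => $hash]);
}

// A constant bcrypt hash used when the username does not exist, so an unknown
// user costs the same verify time as a wrong password (no username enumeration
// through response timing).
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_DEFAULT, ['cost' => 12]);
    }
    return $hash;
}

// login.php equivalent: look the user up by username, then let password_verify()
// do the comparison. Argument order matters: plaintext first, stored hash second.
function authenticate(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        password_verify($password, dummyHash());
        return false;
    }

    if (!password_verify($password, $user['password'])) {
        return false;
    }

    // Opportunistic upgrade: if the stored hash was created with weaker parameters
    // (lower cost or an older algorithm), rehash now while the plaintext is in hand.
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT, ['cost' => 12])) {
        $upd = $db->prepare('UPDATE users SET password = :p WHERE id = :id');
        $upd->execute([
            ':p'  => password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]),
            ':id' => $user['id'],
        ]);
    }
    return true;
}

// Demo with constructed sample data.
$db = openDb();
registerUser($db, 'alice', 'alice@example.com', 'correct horse battery staple');

var_dump(authenticate($db, 'alice', 'correct horse battery staple'));
var_dump(authenticate($db, 'alice', 'wrong password'));
var_dump(authenticate($db, 'nobody', 'anything'));

// The comparison from the question can never succeed: password_verify() returns a
// bool, and a "$2y$..." hash string is never === true.
$stored = password_hash('x', PASSWORD_DEFAULT);
var_dump($stored === password_verify('x', $stored));
```

In a real login.php the true branch would call session_regenerate_id(true) before setting $_SESSION['username'], then send the Location header and exit; both the unknown-user and wrong-password paths return the same generic "Incorrect user or password!" message, as the answer's code already does, so the response body does not reveal which one failed.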