
So I have this code and am trying to get the hash value from the database, where there is 'd8578edf8458ce06fbc5bb76a58c5ca4'. How can I achieve that by referencing the hash in the database?

```php
public function hashPassword($string){
    return password_hash($string, PASSWORD_DEFAULT);
}

public function login($phonenumber, $password){
    // $phonenumber is interpolated straight into the SQL string
    $users = DB::select("SELECT * FROM $this->tableName WHERE
        (user_phonenumber = '$phonenumber' OR user_email='$phonenumber')
        AND user_state !='blocked'");

    if (count($users)>0){
        // the password is checked against a hard-coded string, not the row's stored hash
        if(password_verify($password, 'd8578edf8458ce06fbc5bb76a58c5ca4'))
        {
            @session_start();
            $subscriptionModel = new SubscriptionModel();
            $isRegistered = $subscriptionModel->isSubscribed($users[0]->user_id);
            $userToSession = $users[0];
            $userToSession->isRegistered = $isRegistered;
            $_SESSION["user"] = $userToSession;
            return $users[0];
        }
    }
    return false;
}
```
  • `$users[0]->password`. Replace `password` with the actual name of the column that holds the hashed password in the DB. – Barmar Jul 08 '22 at 15:12
  • Your script is vulnerable to [SQL Injection Attack](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even if [you are escaping variables, it's not safe](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)! You should always use [prepared statements and parameterized queries](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either MYSQLI or PDO instead of concatenating user provided values into the query. – Barmar Jul 08 '22 at 15:13
  • d8578edf8458ce06fbc5bb76a58c5ca4 is not a value compatible with password_verify() – Your Common Sense Jul 08 '22 at 15:18
  • d8578edf8458ce06fbc5bb76a58c5ca4 was the hash value of the password – little oghara Jul 09 '22 at 04:49
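As an added example (not the asker's code and not a posted answer), here is the login() method rewritten the way the comments suggest: Laravel's DB::select() with a bindings array (a PDO prepared statement under the hood) instead of interpolating $phonenumber, and password_verify() against the hash stored in the user's own row. It assumes the password_hash() output lives in a column named user_password and that the table is named users; both names are assumptions.

```php
<?php
// Added example, not the asker's code. Assumed column: user_password
// (holds password_hash() output). Assumed table name: users.
class UserModel
{
    private string $tableName = 'users';   // assumed, developer-controlled, never user input

    public function hashPassword(string $string): string
    {
        return password_hash($string, PASSWORD_DEFAULT);
    }

    public function login(string $phonenumber, string $password)
    {
        // Placeholders instead of interpolation: the driver sends the values
        // separately from the SQL text, so quotes in the input cannot alter the query.
        $users = DB::select(
            "SELECT * FROM {$this->tableName}
             WHERE (user_phonenumber = ? OR user_email = ?)
               AND user_state != 'blocked'",
            [$phonenumber, $phonenumber]
        );
        if (count($users) === 0) {
            return false;
        }
        $user = $users[0];

        // Compare against the hash stored for THIS user. password_verify() only
        // understands password_hash() output ($2y$..., $argon2...); a bare 32-hex
        // value like the one in the question has no recognised algo and fails here.
        $storedHash = (string) $user->user_password;
        if (empty(password_get_info($storedHash)['algo'])
            || !password_verify($password, $storedHash)) {
            return false;
        }

        // Transparently upgrade hashes made with an older cost or algorithm.
        if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
            DB::update(
                "UPDATE {$this->tableName} SET user_password = ? WHERE user_id = ?",
                [$this->hashPassword($password), $user->user_id]
            );
        }

        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $_SESSION['user'] = $user;
        return $user;
    }
}
```

The rehash step only runs after a successful verify, so it never touches the row for a wrong password.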
