
Help with understanding password_hash


I-AM-OBODO


Hi.

 

I've been trying to understand the concept of password_hash but so far it has eluded me!

 

registration

 

<?php
if(isset($_POST['submit'])){
    $name = $_POST['name'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    //$pass_hash = PassHash::hash($_POST['password']);
    $hash = password_hash($password, PASSWORD_BCRYPT);

    $stmt = $pdo->prepare("INSERT INTO hash_test(name, email, password) VALUES(:name, :email, :password)");
    $stmt->execute(array(
        ':name' => $name,
        ':email' => $email,
        ':password' => $hash
    ));

    if ($stmt->rowCount() == 1){
        echo "Registration Successful";
    }else{
        echo "There was a problem taking your request";
    }
}
?>

 

The registration is working fine and all fields are inserted. The problem is when logging in: it's giving me an error, "unknown variable", which is the $hash. The verify parameter is thus:

 

password_verify($password, $hash)

 

I believe the $password is the user's password for login; now how/when/where do I assign a value to $hash? Since in my db I have email (username) and password. Do I need to store the hash separately in the db? Can someone please enlighten me more?

 

My login code:

 

 
<?php
if(isset($_POST['login'])){

    $password = $_POST['password'];

    $stmt = $pdo->prepare("SELECT email, password FROM hash_test WHERE email=:email AND password=:password");
    $stmt->execute(array(
        ':email' => $_POST['email'],
        ':password' => $password
    ));

    //if ($stmt->rowCount() ==1){
    if (password_verify($password, $hash)) {
        /* Valid */
        echo "Right";
    } else {
        /* Invalid */
        echo "wrong";
    }
    //}
}
?>
 

 

THANKS

 

https://forums.phpfreaks.com/topic/292355-help-with-understanding-password_hash/

The hashed password needs to be stored in the database.

 

You will run a query to return the hashed password for the username provided. You use password_verify to confirm the user has entered the correct password.

I know that the password ought to be stored in the database, and I also know that the verify is used to check if the password is ok.

 

My question is how to retrieve the password and assign the value to $hash. I could do a while query to store the result in $hash, but I read somewhere that it's bad practice because that would expose the hashed password, thereby giving the security a loophole.

I could do this with a while, but was thinking it's bad practice; that's why I need to know.

 

"select password from table where username = username and password = password";

while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    $hash = $row['password'];
}

Yes, that is what you need to do. But you will not need the password condition in your query.

 

Example code:

if(isset($_POST['login'])) {

    // return the hashed password where the email address matches
    $stmt = $pdo->prepare("SELECT password FROM hash_test WHERE email=:email");
    $stmt->execute(array(
        ':email' => $_POST['email'],
    ));

    if ($stmt->rowCount() == 1) {

        $password            = $_POST['password'];
        list($password_hash) = $stmt->fetch(PDO::FETCH_NUM); // get the hashed password from the result set

        // has the correct password been given for this password hash?
        if (password_verify($password, $password_hash)) {
            /* Valid */
            echo "Right";
        } else {
            /* Invalid */
            echo "wrong";
        }
    }
}
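To tie the thread together, here is an added, stand-alone example of the complete register-and-login flow the replies describe. It is not the thread's own code: it uses an in-memory SQLite database and a constructed sample user so it runs offline, and the function names registerUser/loginUser are my own. The points it shows beyond the snippets above are that the plaintext password never appears in a WHERE clause (the row is looked up by email only), that fetching the stored hash in order to pass it to password_verify() is the intended use and not a leak, and that password_needs_rehash() lets the stored hash be upgraded when the default algorithm or cost changes.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// (constructed table and sample user) so it can be run without a web server.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE hash_test (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    name     TEXT NOT NULL,
    email    TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
)");

// Registration: only the hash reaches the database. A password_hash() string
// already carries the algorithm, cost and salt, so no extra column is needed.
function registerUser(PDO $pdo, string $name, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO hash_test (name, email, password) VALUES (:name, :email, :password)'
    );
    return $stmt->execute([':name' => $name, ':email' => $email, ':password' => $hash]);
}

// Login: select the row by email only, then let password_verify() compare the
// submitted password against the stored hash. Putting the plaintext in the
// WHERE clause can never match, because the plaintext is never stored.
function loginUser(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM hash_test WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown email: still spend a verify on a throwaway hash so the
        // response time does not reveal whether the account exists.
        static $dummyHash = null;
        $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // The default algorithm or cost may change over time; re-hash transparently
    // while the plaintext is available, so old hashes are upgraded on login.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE hash_test SET password = :password WHERE id = :id');
        $upd->execute([
            ':password' => password_hash($password, PASSWORD_DEFAULT),
            ':id'       => $row['id'],
        ]);
    }
    return true;
}

// Constructed demo data.
registerUser($pdo, 'Alice', 'alice@example.test', 'correct horse battery staple');

echo loginUser($pdo, 'alice@example.test', 'correct horse battery staple') ? "Right\n" : "wrong\n";
echo loginUser($pdo, 'alice@example.test', 'not her password')             ? "Right\n" : "wrong\n";
echo loginUser($pdo, 'nobody@example.test', 'anything')                    ? "Right\n" : "wrong\n";
```

In a real login handler the three outcomes (unknown email, wrong password, success) should produce the same generic failure message for the first two, so the response does not tell a caller which emails are registered; the code above already returns a plain boolean for both.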
