
New to Password Hashing


RedInjection
Solved by Psycho

Hello all,

 

I currently have a login form that works with username and password in plain text, which reads from a table. I have created a register form which successfully creates a hash using the password_verify function, but I am having problems working out what is needed for the login form to check the password against the hash and allow the user to continue.

    $timedate = date("F j, Y, g:i a");
    if (isset($_POST['login'])) {
        $username = $_POST['username'];

        $password = password_verify($_POST['password'], $hash);

        if (isset($_POST['remember'])) {
            session_set_cookie_params('604800');
            session_regenerate_id(true);
        }
        if ($mysqli->connect_errno) {
            echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
            exit();
        }
        $sql    = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
        $result = $mysqli->query($sql);
        if ($result->num_rows != 1) {
            echo "<tr colspan=2><td width=0%></td><td width=100%><strong><font color=red>Invalid Login</strong></font></strong></td></tr>";
        } else {
            $user                 = $result->fetch_array();
            $_SESSION['user_id']  = $user['id'];
            $_SESSION['username'] = $user['username'];
            $_SESSION['remember'] = $user['remember'];
            $sql                  = "UPDATE users SET lastlogin='" . $timedate . "'WHERE id={$_SESSION['user_id']}";
            $result               = $mysqli->query($sql);
            redirect_to("editprofile.php");
        }
    }

I am using PHP 5.5 and from what I understand password_verify is a function, and I have noticed from reading that there is a $hash variable:

$password = password_verify($_POST['password'], $hash);

Is the $hash something I have to declare and read from mytable or is this part of the function within password_verify?

 

Thank you for your help in trying to understand this function :)

  • Solution

There's quite a few things which need to be "fixed" in this code, not the least of which is the password verification. But, we can start with that.

 

When a user creates their password, use the function password_hash() to generate a hash value and save it to the DB. Then, when a user attempts to log in, run a DB query to find the record matching just the username. Take the hash value from the DB and the password the user provided on the login and use the password_verify() function to see if the password is valid.

 

FYI: Font tags have been deprecated for over a decade!

Edited by Psycho

Your code is wide open to SQL injection attacks and leaks critical information about your database system by showing all internal SQL errors to the user.

 

I strongly recommend you learn the basics of MySQLi before you even think about writing a complete application.

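The register/login flow described in the accepted answer, combined with the prepared-statement advice from the reply above, as an added example that is not code from this thread. It assumes a table users(id, username, password_hash, lastlogin), a connected $mysqli object and a started session, and is written to run on PHP 5.5 or later.

```php
<?php
// Added example (not code from this thread). Assumes a table
// users(id INT, username VARCHAR, password_hash VARCHAR(255), lastlogin DATETIME),
// a connected mysqli object and that session_start() has already been called.

// Registration: store only the hash, never the plain-text password.
function register_user(mysqli $db, $username, $password)
{
    // PASSWORD_DEFAULT is bcrypt on PHP 5.5; a 255-char column leaves room
    // for longer hashes if the default algorithm changes later.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

// Login: fetch the row by username only, then let password_verify() compare
// the submitted password with the stored hash. Returns the user id on
// success or false on failure; the password never appears in the SQL text.
function login_user(mysqli $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);   // bound parameter, not string interpolation
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;                     // unknown username
    }
    if (!password_verify($password, $hash)) {
        return false;                     // wrong password
    }

    // Upgrade hashes created with older cost settings while we still have
    // the plain-text password in hand.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $id);
        $upd->execute();
    }

    $upd = $db->prepare('UPDATE users SET lastlogin = NOW() WHERE id = ?');
    $upd->bind_param('i', $id);
    $upd->execute();

    session_regenerate_id(true);          // fresh session id once the user is authenticated
    $_SESSION['user_id'] = $id;
    return $id;
}
```

On any failure the caller should show a generic "Invalid login" message and log the mysqli error server-side rather than echoing it to the browser.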
