
The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Validating users / Password_verify / _hash

  • #208972
    cscodismith
    Participant

    I am picking up a project I had earlier that I have never finished and am trying to get it finished with the help from the css-tricks community. I have the registration function working great (it places new users into the database). The only problem that I am having with the project is validating the users and checking the hashed passwords. The messed up code is in the login.php file. This is the last step that I need to complete and am a bit lost on how to do so. I have already read an article about password hashing and password verify but haven’t really got proper instructions from it to complete the task.

    Best regards,
    Codi

    #208975
    drose379
    Participant

    Can you explain why you are making the query to the DB in the login.php script? Seems like you’re not doing anything with the results.

    #208976
    cscodismith
    Participant

    Not quite sure why I am. Didn’t know that it belongs elsewhere – I am currently just trying to create a functional login / registration system. I am not yet using the script live to have users navigate around the page / special pages for those users that have logged in. Just a simple registration / login project I am trying to complete here.

    #208977
    drose379
    Participant

    Sure, what you need to do before you do any coding is have a map of each step you want to accomplish, all the way up to the working system. Do you have that ready? If not, create it. This will help you see where you are getting confused, and will help you get better and more useful help from others.

    #208978
    cscodismith
    Participant

    Well, no, not really at this time. I am just trying to get this script finished so that I can use this on any upcoming projects that I may have. It’s more of a source to go back to and grab when I want to put a login / registration function onto a website I am working on. This is going onto HeartFX but there is nothing more to this project other than making it functional at this time.

    #208979
    drose379
    Participant

    OK, can we have a list of what you DO have working, and what you DON’T have working? And maybe we can go from there.

    #208980
    cscodismith
    Participant

    My apologies, everything is working fine other than verifying users upon login (checking to make sure the user is registered into the database as well as the password matches the hashed password they enter) – Lines 41-46 in the login.php file.

    #208981
    drose379
    Participant

    Ok, are you saving the plain text password in the DB, or are you saving the hash?

    #208983
    cscodismith
    Participant

    It stores a hashed password when someone registers via the register.php page. Here is a screenshot of what my database structure looks like and here is a screenshot of what is entered into the database when a user is registered.

    #208984
    drose379
    Participant

    Are you sure the hash is only 30 characters long?

    #208985
    cscodismith
    Participant

    I think it’s because of the structure of the database field(s): password and cpassword are both set to a VARCHAR of 30. Do I need to change it to something else?

    #208986
    drose379
    Participant

    Well, that depends on how long the hash is. Look up the password_hash() function in the php.net docs and see how long the resulting hash is. Then set the password column length to the expected length of the hash.

    #208987
    drose379
    Participant

    The docs say that a 255 char column would be a good choice, since hash lengths with the password_hash function may change over time.

    #208988
    cscodismith
    Participant

    I just changed it to the proper character amount of 60. That was the maximum amount of characters that it generated when the varchar was set to 255.

    #208989
    drose379
    Participant

    Ok, this is a start. Now what do you think you want to do next? Take the user’s plain text password input, and compare it with the hashed password you have saved that corresponds to the username they put in, right?
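
The flow discussed in the thread so far, as an added example that is not part of the original posts or the poster's login.php: register with password_hash(), look the hash up by username with a prepared statement, check it with password_verify(), and show why a hash cut to 30 characters can never verify. The `users` table, its column names, the sample account and the in-memory SQLite database (a stand-in for the poster's own database) are assumptions.

```php
<?php
// Added example: schema and sample data are constructed, not the poster's.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username VARCHAR(50) PRIMARY KEY, password VARCHAR(255))');

function register(PDO $db, string $username, string $plain): void
{
    // password_hash() generates the salt and embeds it in the returned string,
    // so only this one value needs to be stored.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
       ->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $plain): bool
{
    // Fetch the stored hash for this username; never hash the input and
    // compare strings, because each hash carries its own random salt.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // Unknown user and wrong password return the same result to the caller.
    if ($hash === false || !password_verify($plain, $hash)) {
        return false;
    }
    // Re-hash on successful login if the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password = ? WHERE username = ?')
           ->execute([password_hash($plain, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

register($db, 'codi', 'correct horse battery staple');
var_dump(login($db, 'codi', 'correct horse battery staple'));
var_dump(login($db, 'codi', 'wrong password'));
var_dump(login($db, 'nobody', 'anything'));

// What a VARCHAR(30) column keeps when the database truncates silently:
$full = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$truncated = substr($full, 0, 30);
printf("full: %d chars, truncated: %d chars\n", strlen($full), strlen($truncated));
var_dump(password_verify('correct horse battery staple', $full));
var_dump(password_verify('correct horse battery staple', $truncated));
```

Any account registered while the column was too short has an unusable stored hash and needs its password set again after the column is widened.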
