Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Validating users / Password_verify / _hash

Viewing 12 posts - 16 through 27 (of 27 total)
  • #208990
    cscodismith
    Participant

    Yes but where would I start to do this and how can I verify that the plain text password matches the hashed password? Do I put it in the following lines of code in login.php file?

    if (password_verify($password, $hash)) {
        echo "You're in!";
        // Password is correct
    } else {
        echo 'Password is invalid!';
        // Password is incorrect
    }
    
    #208991
    drose379
    Participant

    That looks right yes. But you need to pull the hash from the database first, would you know how to do that?

    #208992
    cscodismith
    Participant

    Unfortunately no I do not and just to clarify that is correct here is what is defined by $password and $hash

    $password = $_POST['password'];
    $hash = password_hash($password, PASSWORD_DEFAULT);
    
    #208993
    drose379
    Participant

    Depends on what you are trying to do. If this is the register script, then yes, you will create the hash this way and store that in the DB. But if this is a login, no. You want to get the password that the user inputted, (POST) and then pull the hash you have stored in your database that corresponds to that user. Does this make sense?

    #208994
    cscodismith
    Participant

    Kind of yes and kind of no. I get what you mean I need to get what the user inputted

    $_POST['password'];

    and I have to pull the hashed password from the database in which I do not know how to do that. This is the login script so do I need to make any changes what so ever to the following code or is this part fine?

    $password = $_POST['password'];
    $hash = password_hash($password, PASSWORD_DEFAULT);

    #208995
    drose379
    Participant

    Yes you need to get rid of $hash, since it should be coming from the DB. This may be easier if we talk over a live chat system rather than a forum, if you’re interested.

    #208996
    cscodismith
    Participant

    That would be good – if you’d like you can come into my Teamspeak3 voice server and from there I can share with you my teamviewer to guide me through it. You can connect to my Teamspeak server with the ip: ts3.heartfx.org

    Unless Skype is more convenient for you, you can add me on Skype – My Skype name is lowheartrate

    #208997
    drose379
    Participant

    Ok, one minute

    #208998
    cscodismith
    Participant

    Alright, no problem.

    #208999
    drose379
    Participant

    Should have gotten a request from me on Skype.

    #209000
    cscodismith
    Participant

    I did and I have accepted it although it says that you’re offline at the moment.

    #209015
    Anonymous
    Inactive

    In login.php

    $username = $_POST['username'];
    $password = $_POST['password'];
    $hash = password_hash($password, PASSWORD_DEFAULT);
    

    You’re hashing the password then comparing it to an existing hash. This will (almost) always fail.

    A basic outline of registering and logging in…

    User registration

    • User enters a username and password (anything else you want to save, add to this list, but we’ll ignore this for now)
    • User clicks submit and POSTs that information to the server
    • Server receives a username and password (`$_POST['username']` and `$_POST['password']`)
    • Server makes sure that these comply with its rules for what a username and password should look like
    • Server checks to make sure a duplicate record doesn’t exist for the username
    • Server hashes the password (`password_hash($password, PASSWORD_DEFAULT)`)
    • Server safely inserts the username and hash into the database
    • Server responds telling the user everything went ok. Unless it didn’t.

    User login

    • User enters a username and password
    • User clicks submit and POSTs that information to the server
    • Server safely retrieves the hash that matches the username from the database
    • Server compares the submitted password to the hash (`password_verify($password, $hash)`)
    • If there is no matching username or if the passwords do not match, then the server responds with a message informing the user (although probably not which of these was the case)
    • If there is a match then this is a success case and the session can be set up accordingly

    Important points

    1) The hash is only created once, on registration. The hash contains everything that PHP needs to check a plaintext password against it using password_verify(). Do not hash anything in your login script. Compare the plaintext password to the hash saved in your database.
    2) Be aware (and plan for) your database not having a matching username. Your response should be the same for the user whether or not a matching username is found and should be the same response you provide when the passwords don’t match.
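    The outline above written out as PHP, as an added example that is not code from this thread: it assumes a `users` table with `username` and `hash` columns (created here in an in-memory SQLite database so the demo runs offline), and the username/password rules in `registerUser` are placeholders.

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite is available and a
// table users(username, hash); both are constructed below for the demo.

function registerUser(PDO $db, string $username, string $password): bool
{
    // Validate inputs before touching the database (these rules are placeholders)
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) || strlen($password) < 8) {
        return false;
    }
    // Hash once, at registration. The hash string embeds algorithm, cost and salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, hash) VALUES (:u, :h)');
    try {
        return $stmt->execute([':u' => $username, ':h' => $hash]);
    } catch (PDOException $e) {
        return false; // duplicate username (UNIQUE/PRIMARY KEY) or other DB error
    }
}

function loginUser(PDO $db, string $username, string $password): bool
{
    // Pull the stored hash for this username with a prepared statement
    $stmt = $db->prepare('SELECT hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // No hashing here: compare the submitted plaintext against the stored hash.
    // For an unknown username, verify against a throwaway hash anyway so the
    // unknown-user and wrong-password paths cost about the same and both return false.
    $hash = $row['hash'] ?? password_hash('placeholder-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash) && $row !== false;
    // If PHP's default algorithm or cost has changed since registration, upgrade the hash
    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET hash = :h WHERE username = :u')
           ->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return $ok;
}

// Constructed demo: an in-memory SQLite database stands in for the real one
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, hash TEXT NOT NULL)');
var_dump(registerUser($db, 'alice', 'correct horse battery')); // register alice
var_dump(registerUser($db, 'alice', 'another password'));      // same username again
var_dump(loginUser($db, 'alice', 'correct horse battery'));    // correct password
var_dump(loginUser($db, 'alice', 'wrong password'));           // wrong password
var_dump(loginUser($db, 'nobody', 'correct horse battery'));   // unknown username
```

    The last two calls return the same value, which is the point of item 2 above: the caller cannot tell from the result whether the username or the password was wrong.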
