September 29, 2015 at 7:43 pm #208990 cscodismith (Participant)
Yes, but where would I start to do this and how can I verify that the plain text password matches the hashed password? Do I put it in the following lines of code in the login.php file?

```php
if (password_verify($password, $hash)) {
    echo "You're in!";          // Password is correct
} else {
    echo 'Password is invalid!'; // Password is incorrect
}
```
September 29, 2015 at 7:44 pm #208991 drose379 (Participant)
That looks right, yes. But you need to pull the hash from the database first, would you know how to do that?

September 29, 2015 at 7:45 pm #208992 cscodismith (Participant)
Unfortunately no, I do not. And just to clarify that it is correct, here is what is defined for $password and $hash:

```php
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
```
September 29, 2015 at 7:48 pm #208993 drose379 (Participant)
Depends on what you are trying to do. If this is the register script, then yes, you will create the hash this way and store that in the DB. But if this is a login, no. You want to get the password that the user inputted (POST) and then pull the hash you have stored in your database that corresponds to that user. Does this make sense?

September 29, 2015 at 7:53 pm #208994 cscodismith (Participant)
Kind of yes and kind of no. I get what you mean, I need to get what the user inputted

```php
$_POST['password'];
```

and I have to pull the hashed password from the database, which I do not know how to do. This is the login script, so do I need to make any changes whatsoever to the following code, or is this part fine?

```php
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
```

September 29, 2015 at 7:54 pm #208995 drose379 (Participant)
Yes, you need to get rid of $hash, since it should be coming from the DB. This may be easier if we talk over a live chat system rather than a forum, if you're interested.
September 29, 2015 at 7:56 pm #208996 cscodismith (Participant)
That would be good. If you'd like, you can come into my Teamspeak3 voice server and from there I can share with you my TeamViewer to guide me through it. You can connect to my Teamspeak server with the IP: ts3.heartfx.org
Unless Skype is more convenient for you, you can add me on Skype. My Skype name is lowheartrate

September 29, 2015 at 7:57 pm #208997 drose379 (Participant)
Ok, one minute.

September 29, 2015 at 7:58 pm #208998 cscodismith (Participant)
Alright, no problem.

September 29, 2015 at 8:01 pm #208999 drose379 (Participant)
Should have gotten a request from me on Skype.

September 29, 2015 at 8:01 pm #209000 cscodismith (Participant)
I did and I have accepted it, although it says that you're offline at the moment.
September 30, 2015 at 11:27 am #209015 Anonymous (Inactive)
In login.php

```php
$username = $_POST['username'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
```
You’re hashing the password then comparing it to an existing hash. This will (almost) always fail.
A basic outline of registering and logging in…
User registration
- User enters a username and password (anything else you want to save, add to this list, but we’ll ignore this for now)
- User clicks submit and POSTs that information to the server
- Server receives a username and password (`$_POST['username']` and `$_POST['password']`)
- Server makes sure that these comply with its rules for what a username and password should look like
- Server checks to make sure a duplicate record doesn’t exist for the username
- Server hashes the password (`password_hash($password, PASSWORD_DEFAULT)`)
- Server safely inserts the username and hash into the database
- Server responds telling the user everything went ok. Unless it didn’t.
User login
- User enters a username and password
- User clicks submit and POSTs that information to the server
- Server safely retrieves the hash that matches the username from the database
- Server compares the submitted password to the hash (`password_verify($password, $hash)`)
- If there is no matching username or if the passwords do not match, then the server responds with a message informing the user (although probably not which of these was the case)
- If there is a match then this is a success case and the session can be set up accordingly
Important points
1) The hash is only created once, on registration. The hash contains everything that PHP needs to check a plaintext password against it using `password_verify()`. Do not hash anything in your login script. Compare the plaintext password to the hash saved in your database.
2) Be aware of (and plan for) your database not having a matching username. Your response should be the same for the user whether or not a matching username is found, and should be the same response you provide when the passwords don't match.
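The registration and login outline above, written out as an added example (not code from the thread or any of its posters). It assumes a PDO connection in `$pdo` and a `users(username, hash)` table, both of which are assumptions, and verifies against a throwaway hash when the username is unknown so that both failure paths answer the same way and take about the same time:

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection in $pdo and a
// table users(username VARCHAR UNIQUE, hash VARCHAR(255)); both are assumptions.

// Registration: validate, reject duplicates, hash once, store with a prepared statement.
function register_user(PDO $pdo, string $username, string $password): bool
{
    // Assumed policy for what a username and password may look like.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) || strlen($password) < 8) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() !== false) {
        return false; // duplicate username
    }
    $stmt = $pdo->prepare('INSERT INTO users (username, hash) VALUES (?, ?)');
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: no password_hash() here. Fetch the stored hash and let password_verify()
// do the comparison; it reads the algorithm, cost and salt from the hash itself.
function login_user(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown username: verify against a throwaway hash so this path costs about
        // the same time as a wrong password, then fail the same way.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// login.php glue: one message for "no such user" and "wrong password".
session_start();
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (login_user($pdo, $username, $password)) {
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    echo "You're in!";
} else {
    echo 'Invalid username or password.';
}
```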