How to use password_verify

Hi all,

First post on here! Hope someone can help :smiley:

On my website, I have a register form which uses password_hash to encrypt passwords. I am trying to make a login form which checks what the user enters against the encrypted password.
My setup for login: login.html is the front end and userlogin.php is the backend.
The code I currently have but doesn’t work is:
[php] //check password against encryption method
$password = $_POST["password"];
$secretpassword = password_hash($password, PASSWORD_BCRYPT);

//check for required fields from the form
if(isset($_POST["username"], $_POST["password"])){
	if(password_verify($password, $securepassword)){
	header("Location: userlogin.html");
	exit; }
}[/php]

password_verify takes in what the user entered (plain text) and what the stored hash is, not a new hash and the old hash.

Thanks, astonecipher.
I’m very new to this PHP stuff, is there anything you would suggest I change?
Thanks,
Jack

[php]
if(password_verify($password, $securepassword)){

header("Location: userlogin.html");

exit; }
[/php]

Why would you redirect to the login page if the password matches?

I thought that was to tell the code where the username and password fields were?
In the simple piece of code that works it has that header and when I login with a user that doesn’t have an encrypted password it directs them to a different page called secretpage.

You have it completely bass akwards. Why would you send someone to the secret page if they failed the login?

It doesn’t take an unauthorised user to the secret page.
What I meant is:
I have a user in my database which does not have an encrypted password, it has been stored as plain text. So when I login with that unencrypted password it directs me to the secret page. If an incorrect password is entered it keeps them on the login page.
Hope this makes more sense, I’m not the best at this! 8)

You should never have a plaintext password in your DB. Simply hash the plain password and put the hash in the DB. Problem solved.

Don’t worry - it’s part of an assignment anyway so it’s not real data. The only reason I have a plain password is that it was the test one I entered.
But my original question was how do I include the password_verify in the code? I’ve tried but I don’t know how to get it to work.

[member=72272]astonecipher[/member] already showed you.

There is no point in using password_verify on a non-hashed password, it will fail every time. You use password_hash before storing the password and use password_verify to verify the hash came from password_hash.

I think I’ve caused a little confusion. So when I was testing my register form it wasn’t programmed to encrypt anything. I then made it encrypt the password with password_hash. When I try to login with an account that has an encrypted password, it keeps me on the login form as it thinks the password is wrong.
I’m just trying to get some php code which compares what the user enters against the algorithm for the encryption but what I have so far doesn’t work as I’ve no idea how to do it.

It’s not complicated. Here is the example from the manual
http://php.net/manual/en/function.password-verify.php

http://php.net/manual/en/function.password-hash.php

[php]<?php
// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
?>[/php]

Cheers [member=46186]Kevin Rubio[/member] ! :smiley:

In a most basic sense:

create table members ( mid int(11) auto_increment primary key, username varchar(20) not null unique, pass varchar(255) not null, email varchar(120) not null unique ) engine=InnoDB;

And a very minimum insert statement,
[php]$stmt = $pdo->prepare('INSERT INTO members (username, pass, email) VALUES (?,?,?)');
// values must be in the same order as the columns: username, pass, email
$stmt->execute([$username,
password_hash($pass, PASSWORD_DEFAULT),
$email,
]);
[/php]

Now to verify, you would pull that hash out from the table and check it as Kevin shows.
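Putting the pieces of this thread together, here is an added example (not code posted by anyone in the thread) of what the userlogin.php check looks like: it assumes the `members` table above, a PDO connection in `$pdo`, form fields named `username` and `password`, and a success page named `secretpage.php` (taken from the thread's description).

```php
<?php
// Added example, not from the thread. Assumes $pdo is an open PDO connection
// and the `members` table (mid, username, pass, email) defined above.
session_start();

if (!isset($_POST['username'], $_POST['password'])) {
    header('Location: login.html');
    exit;
}

$username = $_POST['username'];
$password = $_POST['password'];   // plain text as typed; do NOT hash it here

// Fetch the stored password_hash() value with a prepared statement.
$stmt = $pdo->prepare('SELECT mid, pass FROM members WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// If the user does not exist, verify against a freshly made throwaway hash so
// the response takes about the same time either way (no username enumeration
// via timing). 'placeholder' is a constructed value, not a real password.
$storedHash = $row ? $row['pass'] : password_hash('placeholder', PASSWORD_DEFAULT);

// password_verify(plain text typed by the user, hash from the database)
$ok = password_verify($password, $storedHash) && $row !== false;

if ($ok) {
    // Transparently upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE members SET pass = ? WHERE mid = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['mid']]);
    }
    session_regenerate_id(true);          // new session id on login
    $_SESSION['mid'] = $row['mid'];
    header('Location: secretpage.php');   // assumed success page
    exit;
}

// Unknown user or wrong password: same outcome for both, back to the form.
header('Location: login.html?error=1');
exit;
```

Because the stored hash already contains its salt and cost, password_verify needs nothing else from you; the mistake in the first post was hashing the submitted password again and comparing two different hashes.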

Thanks [member=72272]astonecipher[/member] that helps too!
