
Previously I have hashed my password with this

$password = hash('sha256' , $salt.$password_arr[$i]);

and in config.php, I have this code to salt the password

$salt = 'jhfdkjdhfTyhdh3365@jdh69kkshhQAAAiyeg';

So my SQL database displays the hash when I register a new password into it, and I'm happy with that, but when I log in, it seems it does not recognize my password because the authentication is done directly against the database data. So what can I do to make it work?

Here's my code for login verification

<?php 
session_start();
include('adminconfig.php');
// username and password sent from form
$username=$_POST['userID'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM admin WHERE ID='$username' and
password='$password'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($result && $count==1){
$_SESSION['userID']= $_POST['userID'];
header('location:adminprofile.php');
}
else {
header('location:adminmessage.php');
die;
}
?>
 </body>
 </html>
nickee89
  • You have to hash the password again when you compare it to what's in the database. – Wesley Murch Aug 14 '13 at 02:05
  • But even if I hash it, it's not the same as the hash code in the database, is it? – nickee89 Aug 14 '13 at 02:09
  • You need to hash it exactly the same way you created it. Same salt. Same algo. I don't see evidence of that in your code. – Wesley Murch Aug 14 '13 at 02:11
  • You should also probably look at using PBKDF2 or bcrypt to hash the passwords. See this answer: http://stackoverflow.com/questions/14825477/basic-php-pbkdf2-hashing – Mike D. Aug 14 '13 at 02:12
  • Also you can't have any output before setting headers or calling session_start. I suspect you are doing that. – Wesley Murch Aug 14 '13 at 02:14

3 Answers


According to my understanding, you are hashing the password and inserting it into the database. So when you try to log in with the actual password and check it against the database, it does not match.

Here is my simple mathematical analogy.

The password entered while registering is 2. Let us say that when you hash it you add 3 to it, so after hashing your password is 5, and 5 is inserted into the database.

Now when you log in you enter the password as 2. When you check the database, 2 does not match 5, so your login fails.

Bottom line: after your login form is submitted, hash the password and then check it against the database, and it should work.

Add the hash function between these lines:

$password = mysql_real_escape_string($password);
$password = hash('sha256', $salt.$password);   // same algorithm and salt as at registration, applied to the login value
$sql = "SELECT * FROM admin WHERE ID='$username' and password='$password'";

Though you say you hash and salt your password, it seems you have forgotten to do this before querying the database, so your query will not return any results.

Side Note:

You should consider referring to the following for password hashing safety:

How do you use bcrypt for hashing passwords in PHP?

And this for preventing SQL injection attacks:

How can I prevent SQL injection in PHP?

Andreas

In order to check that the password is correct you need to hash the password attempt in the same way that you stored the password in the database. Since hashes are one-way functions you cannot get the "real" password back out of the hash. What you can do is hash the new value the same way and see if it gets you the same output. The theory behind this is that there aren't two values that you can give as input to the hashing function that will give you the same output value.

What you have stored in the database is hash(real_password + salt). So you would want to see if hash(attempted_password + salt)=database_value. If they match then the attempted password must have been correct and the user is authenticated.

I would also recommend reading http://www.php.net/manual/en/book.password.php since PHP does have built-in functionality for handling hashing of passwords.

Mike D.
  • Though I have read through it, I still do not understand how to compare the entered password with the hashed password in the database. Can you provide me with some example? – nickee89 Aug 14 '13 at 02:43
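Added example, not code from the question or from any of the answers. It puts Mike D.'s hash(attempted_password + salt) == database_value check and the first answer's "hash before you query" advice into one login script, and also uses the password_hash()/password_verify() functions from the PHP manual link and prepared statements in place of mysql_real_escape_string() (the SQL injection point in Andreas's side note). It assumes PHP 7.1+, PDO with the MySQL driver, an `admin` table with columns `ID` and `password`, and the placeholder salt, DSN and credentials shown, none of which come from the page.

```php
<?php
// Added example, not code from the question or from any of the answers.
// Assumptions (not from the page): PHP 7.1+, PDO with the MySQL driver, an
// `admin` table with columns `ID` and `password`, and the placeholder salt,
// DSN and credentials below.

declare(strict_types=1);

// Placeholder; keep the real secret in a config file outside the web root.
const LEGACY_SALT = 'PLACEHOLDER_SALT_REPLACE_ME';

// Legacy scheme from the question: hash('sha256', $salt . $password).
// The raw submitted value is hashed; escaping it first would change the
// input and therefore the digest, so it would no longer match registration.
function legacySha256Hash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

// Fetch the stored hash by user ID only. The bound parameter replaces string
// interpolation, so no escaping of user input is needed.
function fetchStoredHash(PDO $pdo, string $userId): ?string
{
    $stmt = $pdo->prepare('SELECT password FROM admin WHERE ID = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['password'];
}

// Accept either a password_hash() value or a legacy sha256+salt hex digest,
// so existing rows keep working while new ones use the stronger format.
function verifyLogin(?string $storedHash, string $attempt, string $salt): bool
{
    if ($storedHash === null) {
        return false;
    }
    // password_verify() returns false for a value it did not produce, so a
    // legacy row simply falls through to the second check.
    if (password_verify($attempt, $storedHash)) {
        return true;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($storedHash, legacySha256Hash($salt, $attempt));
}

// On a successful login, move a legacy row to password_hash() transparently.
// password_needs_rehash() is true for any value not produced by the current
// default algorithm, which includes a plain sha256 digest.
function upgradeHashIfNeeded(PDO $pdo, string $userId, string $storedHash, string $attempt): void
{
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $stmt = $pdo->prepare('UPDATE admin SET password = :h WHERE ID = :id');
        $stmt->execute([
            ':h'  => password_hash($attempt, PASSWORD_DEFAULT),
            ':id' => $userId,
        ]);
    }
}

// Login flow. session_start() and header() must run before any output, so
// this file emits nothing of its own (no HTML before or after the PHP block).
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_DB_USER',
    'PLACEHOLDER_DB_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$userId  = (string) ($_POST['userID'] ?? '');
$attempt = (string) ($_POST['password'] ?? '');

$stored = fetchStoredHash($pdo, $userId);

if (verifyLogin($stored, $attempt, LEGACY_SALT)) {
    upgradeHashIfNeeded($pdo, $userId, $stored, $attempt);
    session_regenerate_id(true);          // fresh session ID after login
    $_SESSION['userID'] = $userId;
    header('Location: adminprofile.php');
    exit;
}

header('Location: adminmessage.php');
exit;
```

On the registration side, store `password_hash($password, PASSWORD_DEFAULT)` for new accounts; verifyLogin() accepts both that and the existing sha256+salt rows, and upgradeHashIfNeeded() rewrites a legacy row the first time its owner logs in successfully, so no bulk migration of the table is required.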