-1

I am trying to match and verify the password the user has input via $_POST against the hashed password in the database. The problem is that when I hash the input password, BCRYPT produces a new hash each time, meaning no two hashes will be the same, which will give me no match. How can I possibly match BCRYPT hashed passwords? Thank you for any help!

LOGIN:

$password = password_hash(htmlentities($_POST['password']), PASSWORD_BCRYPT, array(
'cost'=>14)); 

$stmt = $mcon->prepare("SELECT `password` FROM members WHERE password=:password");
$stmt->bindParam(":password", $password);
$stmt->execute();

//get_result
$data_array = $stmt->fetch(PDO::FETCH_ASSOC);
//echo passwords
echo  'Password from form: ' . $password . '<br />';
echo 'Password from DB: ' . $data_array['password'] . '<br />';
//verify password
if (password_verify($password , $data_array)) {
    echo 'success';
    exit();
}else{
    echo 'Try again m9';
    exit();
}

//if $_POST password and $hashedpassword match then start session

$stmt->close();
$mcon->close();
Jellal Saleh
  • Look here: https://gist.github.com/dzuelke/972386 – pid May 30 '15 at 22:20
  • @pid The thing is though, everyone uses their own salt, but personally I don't think that's a very good idea. Although it works with password verification, it's not what I'm looking for. Thank you for the help anyway! – Jellal Saleh May 30 '15 at 22:23
  • 2
    Are you using PHP 5.5? That version has new password_xxx functions, right? password_verify() to check a login attempt and password_hash() to encode that? Maybe this could help you out? http://stackoverflow.com/a/17786721/1138321 – Joey May 30 '15 at 22:37
  • You might want to remove the backticks around `password` in your SQL query. They may be the cause for your problems. SQL does not use those unless you want a literal, in which case you will always get the `password` string itself, not the database value. – pid May 30 '15 at 22:37
  • @pid Well spotted, didn't notice I did that. Thanks but unfortunately that didn't solve the problem, but probably solve a hundred other ones in the future haha. Thank you for the suggestion! – Jellal Saleh May 30 '15 at 22:50
  • 1
    possible duplicate of [How can password_verify validate passwords without knowing salt and cost?](http://stackoverflow.com/questions/16875158/how-can-password-verify-validate-passwords-without-knowing-salt-and-cost) – chrisp May 30 '15 at 23:37

2 Answers

1

This is not an answer but it's still useful for you. Don't filter for the password (WHERE clause) but for the username:

$stmt = $mcon->prepare("SELECT password FROM members WHERE username=:username");
$stmt->bindParam(":username", $username);
$stmt->execute();

Furthermore, don't store passwords in the DB, not even encrypted ones. Just store the hash and salt values. Change the salt for each password by randomizing it.

If you really need to implement security you should at least read something like this, but the truth is the more you read and study the better it is, there's no limit to how much you really need to know to have a secure website, if such a thing really exists.

Maybe a framework would be better, such as Laravel or Symfony. They have plugins that take care of those details and you can't possibly hope to write anything near to those security standards.

Just to show you how insecure your code is, read about the Top 10 PHP attacks on OWASP.

pid
  • I don't store my passwords in the DB, only the hash and salt. My registration page takes care of all the security issues, so that's not really a problem if I'm honest with you. The only reason I don't use Laravel is because I feel like it's kind of cheating, plus the fact that if Laravel fails, I can't change any code once an attack has started. Thank you immensely for the feedback, I will consider it! – Jellal Saleh May 30 '15 at 22:46
  • Using a framework isn't "cheating", and I'm baffled as to what you're talking about with attacks/changing code. You can change a Laravel app's code just as easily as something you wrote yourself. – ceejayoz May 30 '15 at 22:54
  • @ceejayoz Haha, what I mean is that I want to fully understand what I've produced, and with something almost pre-packed, I feel like although it's done, making modifications to suit my needs would take some time. I really would rather build a solid foundation and then coat it myself, if you know what I mean. Thank you for the feedback anyway! – Jellal Saleh May 30 '15 at 22:58
  • Do you also refuse to ride in a vehicle you didn't build yourself, or refuse to eat food you didn't grow/hunt/cook? The whole point of frameworks is to provide the extensive "solid foundation" that is nearly impossible for a single coder to produce on their own. Seriously, try something like Laravel and take advantage of the security, best practices, and ease of coding involved in dozens/hundreds/thousands of others having already done the grunt work for you. – ceejayoz May 30 '15 at 23:00
  • 1
    @jellal We understand very well what you mean and our advice is: don't. You think you can't trust FOSS (open source code) but the truth is you can't trust yourself because you can't even **estimate** how much of this topic you don't know. – pid May 30 '15 at 23:03
  • @ceejayoz But what about production wise? How does it perform? – Jellal Saleh May 30 '15 at 23:05
  • @pid I don't understand what you meant by the last part? – Jellal Saleh May 30 '15 at 23:08
  • Performance in PHP is more about accelerators like APC than raw interpreter performance, which is pretty slow compared to precompiled or JIT code (C#/JAVA). So if performance is really an issue abandon PHP. Or embrace FOSS (Laravel+APC and other accelerators). Consider that unless you have heavy algorithms performance on the web is about network latency and database queries, not actual server-side code. Some frameworks (Symfony) even cache minimized versions of your code to make it faster, so you can't beat that... google for charts and you'll see which is fastest. – pid May 30 '15 at 23:08
  • @jellal What I meant is that with security it is very important that you know not only how secure your code is but also how insecure it is. And the real problem is that as soon as someone else knows a tiny bit more than you do, they can use that knowledge to exploit the vulnerabilities you have but don't know about. With FOSS that's far more difficult, not easier, because 100 or 1000 developers work on the code to make it more secure. – pid May 30 '15 at 23:12
  • @JellalSaleh "How does it perform?" Just fine. – ceejayoz May 30 '15 at 23:20
  • Good point, @pid. I think the best security is to not store sensitive data at all, or at least not in a central spot; the more you split it up the better. – clockw0rk Oct 01 '18 at 09:12
1

Another error in your code: the function password_verify needs the hash string as its second parameter. Do not confuse this with the PHP hash data structure (the array you fetched). So you need to call it like this:

$password_input = $_POST['password'];
password_verify($password_input , $data_array['password']);

See http://php.net/manual/de/function.password-verify.php

And of course, the answer from pid is also right: you need to look up the user by the username instead of by the password.

Meier
  • I did that before but it didn't work. Forgot to include it here. Thank you for the help anyway! – Jellal Saleh May 30 '15 at 23:44
  • Of course it didn't work, as it was not the only error. I have added a link to the documentation of the password_verify function, so you can look it up yourself. – Meier May 30 '15 at 23:57
  • haha, I meant I had already done that but just forgot to type it in here. Thanks again. – Jellal Saleh May 31 '15 at 00:17
  • 1
    `password_verify` expects the user input as the first argument, not a hashed value (`password_verify($_POST['password'], $data_array['password'])`). – DarkBee May 31 '15 at 00:46
  • Yes, DarkBee is also correct. password_verify is calculating the hash internally, that is what the function is for! – Meier May 31 '15 at 13:54
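
Putting both answers together (look the row up by username, then pass the form input first and the stored hash string second to password_verify), here is an added, self-contained PHP example. It is not code from the question or from either answer. It assumes PHP 5.5 or later for password_hash()/password_verify()/password_needs_rehash() and the pdo_sqlite extension so it can run against an in-memory database instead of the asker's MySQL `members` table; the `register()` and `login()` helpers, the table layout and the sample user are constructed for the example. It also shows why the asker saw a different hash on every request: bcrypt embeds a fresh random salt in each hash, so two hashes of the same password differ, yet password_verify accepts both.

```php
<?php
// Added example, not from the original question or answers. Assumes PHP >= 5.5
// and the pdo_sqlite extension; the table and user below are constructed data.

$mcon = new PDO('sqlite::memory:');
$mcon->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Only the bcrypt hash is stored; the salt and cost live inside that string.
$mcon->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

$bcryptCost = 12; // constructed choice; raise it as hardware allows

function register(PDO $mcon, $username, $plaintext, $cost) {
    // Hash once, at registration. Do not run htmlentities() on a password
    // first: it changes the bytes that get hashed and breaks later logins.
    $hash = password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => $cost));
    $stmt = $mcon->prepare('INSERT INTO members (username, password) VALUES (:username, :password)');
    $stmt->bindParam(':username', $username);
    $stmt->bindParam(':password', $hash);
    $stmt->execute();
}

function login(PDO $mcon, $username, $plaintext, $cost) {
    // Look up by username, never by password: a freshly computed hash will
    // never equal the stored one, so WHERE password = :password cannot match.
    $stmt = $mcon->prepare('SELECT password FROM members WHERE username = :username');
    $stmt->bindParam(':username', $username);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown user, verify against a throwaway hash anyway so the
    // failure takes about as long as a wrong password for a real user.
    $hash = $row ? $row['password']
                 : password_hash('dummy', PASSWORD_BCRYPT, array('cost' => $cost));

    // Form input first, stored hash string second (not the whole fetched array).
    $ok = password_verify($plaintext, $hash);
    if (!$row || !$ok) {
        return false;
    }

    // Transparently upgrade hashes that were created with a lower cost.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, array('cost' => $cost))) {
        $newHash = password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => $cost));
        $upd = $mcon->prepare('UPDATE members SET password = :password WHERE username = :username');
        $upd->execute(array(':password' => $newHash, ':username' => $username));
    }
    return true;
}

register($mcon, 'alice', 'correct horse battery staple', $bcryptCost);

// Two hashes of the same password differ, but both verify.
$h1 = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$h2 = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
var_dump($h1 !== $h2);
var_dump(password_verify('correct horse battery staple', $h1)
      && password_verify('correct horse battery staple', $h2));

// The login flow itself.
var_dump(login($mcon, 'alice', 'correct horse battery staple', $bcryptCost));
var_dump(login($mcon, 'alice', 'wrong password', $bcryptCost));
var_dump(login($mcon, 'nobody', 'anything', $bcryptCost));
```

In a real handler the `$plaintext` argument is `$_POST['password']` taken as-is, and a successful `login()` is where you would start the session; the `$stmt->close()` calls in the question's code do not exist on PDO objects, so they can simply be dropped.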