#1
    natturefrk (Contributing User, Devshed Newbie; joined Jan 2013)

    Trying to verify with password_verify hash in db fail


    I am really, really, really sorry if this is an easy fix, but I have been pounding my head up against the wall for hours now. I have searched Google and Devshed to see if I can find a solution, but cannot. I am having a problem with verifying a hashed password coming from the database with the string password coming from the login form. Please look for the comments that I am adding in the code for the debug steps that I have taken so far. Also, I am running PHP 5.5.1 on XAMPP. Here is my code:

    PHP Code:

    function login($db, $un, $pw){

        $admin_id = get_id_from_username($db, $un);

        //this line when echoed returns the correct hash that is in db
        $hash = hashed_password($db, $un);

        //this line when echoed returns 1
        $password = password_verify($pw, $hash);

        //this is the string password coming from login form
        //and is correct as far as password that I used
        echo $pw;

        $sql = "SELECT COUNT(admin_id) FROM admin WHERE email = :un AND password = :pw";

        $q = $db->prepare($sql);

        if($q->execute(array(':un' => $un, ':pw' => $password))){

            if($q->fetchColumn() == 1){
                return $admin_id;
            }else{
                return FALSE;
            }

        }
    }
        

    Just in case anyone asks, here is the password_hash code:

    PHP Code:

    $options = array('cost' => 11);

    $hashed_password = password_hash($pw, PASSWORD_BCRYPT, $options);
    Last edited by natturefrk; January 5th, 2014 at 09:20 PM.
#2
    sir_drinxalot (Known to taste like chicken, Devshed Newbie; joined Aug 2003; location: In front of my computer)
    You are setting pw to $password which is returning 1 when echoed, so at a glance that's probably not what you're after.
#3
    requinix (Transforming Moderator, Devshed Supreme Being; joined Mar 2007; location: Washington, USA)
    And is it just me or are you creating the password hash by hashing the username?
#4
    natturefrk (Contributing User, Devshed Newbie; joined Jan 2013)
    Originally Posted by sir_drinxalot
    You are setting pw to $password which is returning 1 when echoed, so at a glance that's probably not what you're after.
    Huh? I am trying to verify the bcrypt hash that is in the db that was created by password_hash(). I read all over that password_verify is the way to do it. If I am wrong, then what is the right way?

    Originally Posted by requinix
    And is it just me or are you creating the password hash by hashing the username?
    No what you are seeing is me setting the $hash variable to the return value of another function which is called hashed_password().
#5
    requinix (Transforming Moderator, Devshed Supreme Being; joined Mar 2007; location: Washington, USA)
    Originally Posted by natturefrk
    No what you are seeing is me setting the $hash variable to the return value of another function which is called hashed_password().
    And the information you give to that function is the username. How could it possibly give you a hash of the password when you don't even tell it what the password is?
#6
    natturefrk (Contributing User, Devshed Newbie; joined Jan 2013)
    Originally Posted by requinix
    And the information you give to that function is the username. How could it possibly give you a hash of the password when you don't even tell it what the password is?
    Yes, the username is for the WHERE clause in my query. To clarify everything here is the function in question:

    PHP Code:

    function hashed_password($db, $un){

        $sql = "SELECT password FROM admin WHERE email = :un";

        $q = $db->prepare($sql);

        if($q->execute(array(':un' => $un))){

            while($row = $q->fetch(PDO::FETCH_ASSOC)){
                $hashed_password = $row['password'];
            }

            //this is the password
            return $hashed_password;

        }
    }

    I did say in the OP that the $hash = blah; matches the hash in the database. I thought when a function returns 1 that means true?
    Last edited by natturefrk; January 6th, 2014 at 01:21 AM.
#7
    (Devshed Expert; joined Jul 2012)
    This part is correct. I guess requinix assumed that "hashed_password" means "hash this password" rather than "get me the hashed password". You should indeed choose a better name (like "retrieve_hash").

    After that, things are going downhill.

    The password_verify() function does exactly what it says: It verifies a password using a given hash. It's a yes/no function. If the password is correct, it returns true, otherwise it returns false.

    What you do, however, is take this boolean and go through the user table again to find a user with this boolean as a password. Um, what?

    I think there's a fundamental misunderstanding regarding the workflow of a login:

    • When a user registers, they enter their user name and a password. This password gets hashed using password_hash(). The returned hash is stored together with the user name.
    • When a user wants to log in, they again tell you their user name and a password. You retrieve the hash stored for the user name. And then you verify the submitted password using password_verify() and the hash.

    Please make sure you get this right. All the fancy hashes won't help you if you screw up the login logic.

    Comments on this post

    • natturefrk agrees : Thanks for the point out and being patient oh wise one
#8
    natturefrk (Contributing User, Devshed Newbie; joined Jan 2013)
    This is getting very frustrating as far as posting easy fixes. Figured I would have learned by now lol, right? I should have done more research on password_verify. I am really sorry for that. Thanks for the help everyone, and I will try to use better names for my functions. Yeah, I did not figure on password_verify() returning true or false, which is what caused the newb error in the first place. Please know that I use this forum as a last resort. I try not to post if I can help it.

    Here is the fixed code for people in the future:

    PHP Code:

    function login($db, $un, $pw){

        $admin_id = get_id_from_username($db, $un);

        $hash = hashed_password($db, $un);

        $password = password_verify($pw, $hash);

        if($password === TRUE){
            return $admin_id;
        }else{
            return FALSE;
        }
    }

    Last edited by natturefrk; January 6th, 2014 at 01:44 AM.
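As an added example (not code from the thread or its posters), here is the register-then-login workflow that post #7 describes and that the fixed login() in #8 implements, with the unknown-user case handled as well. It assumes PDO with the SQLite driver so it runs stand-alone; the table and column names follow the thread's queries, while register_admin() and login_admin() are names invented here.

```php
<?php
// Added example (not the thread's own code): the register-then-login workflow described
// in post #7, using an in-memory SQLite database through PDO so it runs stand-alone.
// Table/column names (admin, email, password, admin_id) follow the thread's queries;
// register_admin() and login_admin() are names assumed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (admin_id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');

// Registration: hash the submitted password once and store the hash next to the user name.
function register_admin(PDO $db, $email, $plain)
{
    $hash = password_hash($plain, PASSWORD_BCRYPT, array('cost' => 11));
    $q = $db->prepare('INSERT INTO admin (email, password) VALUES (:un, :hash)');
    $q->execute(array(':un' => $email, ':hash' => $hash));
}

// Login: fetch the stored hash by user name, then let password_verify() do the comparison.
// Returns admin_id on success, FALSE otherwise; the boolean never goes back into SQL.
function login_admin(PDO $db, $email, $plain)
{
    // Constructed once: a hash to verify against when the user does not exist, so a
    // failed login takes about the same time either way and does not reveal valid e-mails.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_BCRYPT, array('cost' => 11));
    }

    $q = $db->prepare('SELECT admin_id, password FROM admin WHERE email = :un');
    $q->execute(array(':un' => $email));
    $row = $q->fetch(PDO::FETCH_ASSOC);

    $stored = ($row === false) ? $dummy : $row['password'];
    if (!password_verify($plain, $stored) || $row === false) {
        return false; // unknown user or wrong password: same answer to the caller
    }
    return (int) $row['admin_id'];
}

register_admin($db, 'admin@example.com', 'correct horse battery');
var_dump(login_admin($db, 'admin@example.com', 'correct horse battery')); // right password
var_dump(login_admin($db, 'admin@example.com', 'wrong password'));        // wrong password
var_dump(login_admin($db, 'nobody@example.com', 'correct horse battery')); // unknown user
```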
