passwords - Using php.net's password_verify script as offered works, but fails if hash is read back from DB


php.net script: http://php.net/manual/en/function.password-hash.php and: http://php.net/manual/en/function.password-verify.php

The apparent simplicity of the password verification routine is appealing. After a day of reading at Stack Overflow, and innumerable hacks, here is a simple, not-at-all-secure, testing version:

    <?php
    $p = "bumblebee";
    $hash = (password_hash($p, PASSWORD_DEFAULT));
    echo ($p);
    echo ($hash);
    if (password_verify('bumblebee', $hash)) {
        echo 'password valid!';
    } else {
        echo 'invalid password.';
    }
    ?>

The above returns 'password valid!' (this is the 2 scripts from php.net combined).

The below does not work (the only difference is that the hash is written to the DB, read back, and converted to a string):

    <?php
    $username = $_REQUEST["username"];
    $password = $_REQUEST["password"];
    // $p = "$password";
    // $hash = (password_hash($p, PASSWORD_DEFAULT));

    // set db access variables
    require_once('./php/hs_dblogin.php');

    // create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // check connection
    if ($conn->connect_error) {
        die("connection failed: " . $conn->connect_error);
    }

    $password_get = mysqli_query($conn, "select passwordhash from hsuser where username='$username' limit 1");
    $password_out = mysqli_fetch_array($password_get);
    $hashasstr = $password_out[0];

    echo ($hashasstr);
    echo ($_REQUEST["password"]);

    if (password_verify($_REQUEST["password"], $hashasstr)) {
        echo 'password valid!';
    } else {
        echo 'invalid password.';
    }
    ?>

Here is the insert-to-DB script:

    // create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // check connection
    if ($conn->connect_error) {
        die("connection failed: " . $conn->connect_error);
    }

    $passwordhash = password_hash('$password', PASSWORD_DEFAULT);

    $sql = "insert into `hsuser`(`firstname`, `lastname`, `username`, `passwordhash`,`hsstatus`) values ('$firstname','$lastname','$username','$passwordhash','$hsstatus')";

I gave up on PHP's password_verify and used the sha1 script at: http://www.localwisdom.com/blog/2013/03/building-a-simple-registerlogin-system-in-php-using-sha256/ After clean-up, it works fine.
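
An added example, not part of the original post or of php.net's code: it runs the hash, store, read back, verify round trip and shows two ways it fails, the single-quoted `'$password'` seen in the insert script above and a hash cut short in storage. SQLite in memory (via PDO) stands in for MySQL so it runs offline; the user names and the 40-character cut are constructed assumptions.

```php
<?php
// Added example: table and column names follow the post; SQLite in memory
// stands in for MySQL so the script runs offline (requires pdo_sqlite).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password_hash() output can grow as the default algorithm changes;
// the PHP manual suggests a 255-character column.
$db->exec('CREATE TABLE hsuser (username TEXT PRIMARY KEY, passwordhash VARCHAR(255))');

function register(PDO $db, string $user, string $hash): void
{
    // Bound parameters: request data never becomes part of the SQL text.
    $stmt = $db->prepare('INSERT INTO hsuser (username, passwordhash) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

function login(PDO $db, string $user, string $plain): bool
{
    $stmt = $db->prepare('SELECT passwordhash FROM hsuser WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    return is_string($hash) && password_verify($plain, $hash);
}

$password = 'bumblebee'; // sample value taken from the post

// Case 1: single quotes, as in the insert script. PHP does not interpolate
// inside single quotes, so the nine literal characters $password are hashed.
register($db, 'alice', password_hash('$password', PASSWORD_DEFAULT));
// Case 2: a correct hash cut to 40 characters, as a too-narrow column may store it.
register($db, 'bob', substr(password_hash($password, PASSWORD_DEFAULT), 0, 40));
// Case 3: the variable itself is hashed and the hash is stored whole.
register($db, 'carol', password_hash($password, PASSWORD_DEFAULT));

foreach (['alice', 'bob', 'carol'] as $user) {
    $ok = login($db, $user, $password);
    printf("%-5s %s\n", $user, $ok ? 'password valid!' : 'invalid password.');
}
// alice's row verifies against the literal text, which shows what was hashed.
var_dump(login($db, 'alice', '$password'));
```

Only the third row verifies against the real password. In the post's verification script the request-derived `$username` and `$password` are also reused as the mysqli login arguments, so if `hs_dblogin.php` assigns those names (an assumption, the file is not shown) the lookup runs with the database account name instead of the submitted one.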

