
I want to change my register/login pages from md5 to bcrypt. The register part is all right, but I can't get the login part working well. I am trying to work with a bcrypt library: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php.

The original login function (without md5) looks like this:

function login($username, $password) {
    $user_id = user_id_from_username($username);

    $username = sanitize($username);

    $result = mysql_query("SELECT COUNT(`user_id`) FROM `users`
                           WHERE `username` = '$username' AND `password` = '$password'");

    return (mysql_result($result, 0) == 1) ? $user_id : false;
}

What I am trying to do is retrieve the hash from the database, but with the original code it is not possible because of the mysql_result part. I thought, for example, that:

function login($username, $password) {

    $username = sanitize($username);

    $user_query = mysql_query("SELECT `password` FROM `users` WHERE `username` = '$username'");

    $row = mysql_fetch_assoc($user_query);

    $hash = $row['password'];

    password_verify($password, $hash);
}

would solve this problem, but it doesn't.

Is there a solution without mysql_fetch_assoc() here, or am I trying to retrieve the database wrong?

    Don't use the `mysql_*` functions, they are deprecated. Use `mysqli_*` or `PDO` instead. – Patrick Kostjens May 15 '13 at 19:23
  • Why bcrypt instead of a more modern hashing function like sha2-512? – dtech May 15 '13 at 19:50
  • If I could -1 dtech I would... Take a look at this : http://passwords12.at.ifi.uio.no/Jeremi_Gosney_Password_Cracking_HPC_Passwords12.pdf – Rixhers Ajazi May 15 '13 at 19:51
  • @RixhersAjazi That presentation only gives an overview of password "cracking" (hash collision). In the last slide you see that sha2-512 is very secure. Sha2-512 is more widely supported than bcrypt. – dtech May 15 '13 at 19:57
  • You sure about? Have you taken a look at PHP 5.5? So I guess using your point one would suggest JUST because "is more widely supported than" then that must mean that it is more secure, correct, more "bad ass" to use. Continuing on with that way of thinking then we could also say that mysql_ is more supported, shoot every tutorial, most questions, and a lot of people I talk to still use mysql_ so that seems like it "is more widely supported than" PDO so we should all use mysql_... No? – Rixhers Ajazi May 15 '13 at 20:03
  • @RixhersAjazi Could you please provide credible resources for your arguments instead of just using strawmans and playing at the person? `mysql_*` is deprecated for good reasons like not supporting transactions and other modern features. If in fact `mysqli` and `PDO` would provide no advantages, then in fact we should use `mysql_*` because of better compatibility. So please provide resources showing bcrypt is the better choice because of advantages over sha2-512. – dtech May 15 '13 at 20:08
  • Don't need to provide any arguments on behalf of bcrypt, the question was on how to use password_verify to login a user. If you want to have an "e-Penis" show down let's take this to chat. Also please stop trying to push programmers into using cruddy hashing functions rather than bcrypt. – Rixhers Ajazi May 15 '13 at 20:11
  • I asked a legitimate question ("Why use x instead of y") in a comment. You answer with a snide remark ("I should be able to -1 you") and provide a link which offers no explanation. When I ask for clarification you evade the point and continue further making irrelevant and false remarks. I don't think I'm the one at fault here... – dtech May 15 '13 at 20:19
  • Oh and my resources were shown on the pdf I linked to, here's another: http://codahale.com/how-to-safely-store-a-password/ oh and maybe google might have some good readings on why silly hashing algo's should not be used TODAY. Have a nice day – Rixhers Ajazi May 15 '13 at 20:21
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/30023/discussion-between-dtech-and-rixhers-ajazi) – dtech May 15 '13 at 20:21
  • @dtech Two things. One: **USE** `bcrypt`. Two: **DO NOT USE** `mysql_query`. This is not something you're going to be able to debate successfully, they're closed cases. `bcrypt` is meant *specifically* for handling password data and it does an exceptional job. It is not a general-purpose cryptographic hash like SHA2. Secondly, `mysql_query` is massively out-dated and people need to stop using it now. It is going away in future versions of PHP. Using it now means more work in the future to rip out everything you've written and re-writing it **all**. – tadman May 15 '13 at 20:23
  • @tadman I never said that you should use mysql_query. See my earlier comment: "`mysql_*` is deprecated for good reasons like not supporting transactions and other modern features." – dtech May 15 '13 at 20:31
  • @dtech Then you went on to say something that contradicted that. Are you even sure what you're arguing here? – tadman May 15 '13 at 20:47
  • 1
    @dtech Please don’t confuse SHA-512 and sha512crypt (i.e. [sha-crypt with SHA-512](http://www.akkadia.org/drepper/SHA-crypt.txt)). The former is the plain hashing function while the latter is the Unix crypt using SHA-512. Similarly, bcrypt is Unix crypt using a Blowfish cipher variant. The SHA hashing functions were never meant and should never be used when there are better alternatives which were specifically designed for hashing passwords like crypt and its variants are. – Gumbo May 15 '13 at 20:47

1 Answer

You need to set up password_verify like so:

function login(PDO $dbh, $username, $password) { // $dbh is your PDO connection; pass it in, it is not visible inside the function otherwise
    $sql = "SELECT * FROM users WHERE username = :username"; // Select all info related to the USERNAME
    $loginQ = $dbh->prepare($sql); // Prepare your query
    $loginQ->bindParam(':username', $username); // Bind your variable
    $ok = $loginQ->execute(); // Execute (TRUE or FALSE)

    if ($ok) { // If TRUE
        if ($loginQ->rowCount() == 1) { // You should only be returning 1 row with 1 username
            $row = $loginQ->fetch(PDO::FETCH_ASSOC); // Fetch that row
            $hash = $row['password']; // Use the row password and assign it to a variable

            if (password_verify($password, $hash)) { // use password_compat's password_verify to check if it passes, if it does return TRUE
                return TRUE;
            }
        }
    }

    return FALSE; // No such user, or the password did not verify
}

Just from reading your code, the issue I first noticed was that you are not returning a value, whether it be TRUE or FALSE.

Also, for another way to understand how to use password_verify, you can do it like so:

if (password_verify($form_password, $row['password'])) {
    $_SESSION['LoggedIn'] = TRUE;
    header("Location: homepage.php");
    exit; // stop the script after the redirect header
} else {
    echo "Wrong password or username please <a href='index.php'><b>Retry!</b></a>";
}

The next issue I noticed is that you are using unsafe and old functions (mysql_).

To help you with the latter of the issues above I made a PDO version for you to use, which has many more positives than mysql_ does.

Then to set up PDO look at this answer (yes it is mine; there are a lot of good answers out there, so do some research). This gives you the steps from setting up the PDO instance to actually using it. Any questions, just ask. More on PDO here.
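To show the whole picture the question asks about (a register page that writes bcrypt, a login page that reads the stored hash through PDO and hands it to password_verify, and what happens to the rows still holding md5 from the old scheme), here is a complete, self-contained script. It is an added example, not the asker's or the answerer's code and not part of the password_compat library. It assumes PHP 5.6 or later (password_hash, password_verify, password_needs_rehash and hash_equals are all native there) and a PDO build with the sqlite driver; the in-memory SQLite database, the `users` table and the sample users are constructed inside the script so it runs offline. Replace the DSN with your MySQL one in real use; the `connect`, `register`, `login` and `upgradeHash` function names are mine.

```php
<?php
// Added example (not the question's or answer's code). Assumes PHP >= 5.6 and
// PDO with the sqlite driver. The in-memory database and the users below are
// constructed for the demo so the script runs stand-alone.

function connect() {
    $dbh = new PDO('sqlite::memory:');                       // swap for your mysql: DSN
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec("CREATE TABLE users (
        user_id  INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT UNIQUE NOT NULL,
        password TEXT NOT NULL)");
    return $dbh;
}

// Register page: store only the bcrypt hash, never the password or an md5 of it.
function register(PDO $dbh, $username, $password) {
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    $stmt = $dbh->prepare("INSERT INTO users (username, password) VALUES (:u, :p)");
    $stmt->execute(array(':u' => $username, ':p' => $hash));
    return (int) $dbh->lastInsertId();
}

// Login page: fetch the stored hash by username (a bound parameter, so the
// sanitize() from the question is no longer needed for the query), then let
// password_verify do the comparison. Returns the user id, or false on every
// failure path, which is what the asker's original function did with md5.
function login(PDO $dbh, $username, $password) {
    $stmt = $dbh->prepare("SELECT user_id, password FROM users WHERE username = :u");
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                         // unknown username
    }
    $userId = (int) $row['user_id'];
    $stored = $row['password'];

    if (password_verify($password, $stored)) {
        // Correct bcrypt hash. If the cost has been raised since the row was
        // written, rehash now so old rows catch up without a separate migration.
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => 10))) {
            upgradeHash($dbh, $userId, $password);
        }
        return $userId;
    }

    // Legacy row: a 32-hex-character md5 digest left over from the old register
    // page. Accept it this once, then replace it with bcrypt on the spot, so the
    // md5 column disappears as users log in.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) && hash_equals($stored, md5($password))) {
        upgradeHash($dbh, $userId, $password);
        return $userId;
    }

    return false;                                             // wrong password
}

function upgradeHash(PDO $dbh, $userId, $password) {
    $stmt = $dbh->prepare("UPDATE users SET password = :p WHERE user_id = :id");
    $stmt->execute(array(
        ':p'  => password_hash($password, PASSWORD_BCRYPT, array('cost' => 10)),
        ':id' => $userId,
    ));
}

function check($cond, $msg) {
    if (!$cond) { throw new RuntimeException("FAILED: $msg"); }
}

// Demo with constructed users.
$dbh = connect();
$aliceId = register($dbh, 'alice', 'correct horse');
check(login($dbh, 'alice', 'correct horse') === $aliceId, 'alice logs in');
check(login($dbh, 'alice', 'wrong password') === false,   'wrong password rejected');
check(login($dbh, 'nobody', 'anything') === false,        'unknown user rejected');

// A user still stored the old way, as the asker's md5 register page wrote it.
$dbh->prepare("INSERT INTO users (username, password) VALUES ('bob', :p)")
    ->execute(array(':p' => md5('hunter2')));
check(login($dbh, 'bob', 'hunter2') !== false, 'legacy md5 user logs in');
$bob = $dbh->query("SELECT password FROM users WHERE username = 'bob'")->fetch(PDO::FETCH_ASSOC);
check(strpos($bob['password'], '$2y$') === 0,  'md5 row upgraded to bcrypt');
check(login($dbh, 'bob', 'hunter2') !== false, 'bob still logs in after upgrade');
echo "all checks passed\n";
```

Two design points worth noting. The function returns the user id rather than TRUE so the caller has something to put in the session, and it returns false on every other path, which is the missing piece in the question's second attempt. The md5 branch only exists to migrate existing rows; once every legacy user has logged in once (or after a cutoff where stale accounts are forced through a reset), delete that branch so an md5 digest in the column is never accepted again.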

  • Can I use PDO, OOP and traditional PHP together? – Robske May 15 '13 at 20:42
  • OO-style PDO and regular style PHP are perfectly compatible. – tadman May 15 '13 at 20:47
  • Well @Robske did this make sense to you? Do you have any questions – Rixhers Ajazi May 17 '13 at 12:35
  • My apologies for my late reaction, not because I didn't want to go further with your answers but I couldn't for a while. I have a lot of questions because I don't know much about PDO. I know now that PDO and mysqli are better than mysql and I have now a PDO connection but also some warnings like this; Warning: mysql_query(): Access denied for user 'root'@'localhost' (using password: NO) in, or other mysql related warnings. My host, database name, username and password are all right. Can there be another reason for this warning? – Robske May 21 '13 at 21:08
  • That is not a PDO issue as the warning is mysql_query, Mysql_query is not a PDO function. Search your application for something pertaining to mysql_query and replace it. That would be the first move in my opinion. – Rixhers Ajazi May 21 '13 at 22:28