
When the user signs up, the PHP 5.5 password hashing API is used, where the salt is part of the hashed password and does not have to be stored separately. When a user logs in you compare the password they entered ($password) to the hashed password stored in the database ($hash). Therefore you compare them using:

    <?php
    if (password_verify($password, $hash)) {
        // Success!
    }
    else {
        // Invalid credentials
    }

The problem with this is that you can't hash the password and then see if both the email and password exist in the database using code like:

    if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
                                  FROM members
                                  WHERE email = ?
                                  LIMIT 1")) {
        $stmt->bind_param('s', $email);  // Bind "$email" to parameter.
        $stmt->execute();                // Execute the prepared query.
        $stmt->store_result();

        // get variables from result.
        $stmt->bind_result($user_id, $username, $db_password, $salt);
        $stmt->fetch();

        // hash the password with the unique salt.
        $password = hash('sha512', $password . $salt);
        if ($stmt->num_rows == 1) {
            // compare $password with $db_password here
        }
    }

I was considering fetching the password for a set email and setting it as the value of $hash and then running the first piece of code, but I believe that it would be open to hacking via SQL injection. So how would I check if an email and password are correct in order to validate a login? Thanks :)

  • Just do it in 2 steps. First check if there is a record with the given email, if so proceed to step 2 and validate the password with password_verify... ? – DarkBee Dec 14 '14 at 17:10
  • So search for the email entered and return the password associated with that email, then check if the password is the same as the one entered using the password_verify function. If I am using the "where email is equal to email entered", can't someone enter a command instead of an email? – dominicansell Dec 14 '14 at 17:15
  • Well you are using prepared statements, which is a good thing, so you should be safe for SQL injections. – DarkBee Dec 14 '14 at 17:17
  • So as long as I use prepared statements within the PHP, I should be relatively safe from SQL injections? Thanks for your help. – dominicansell Dec 14 '14 at 17:24
  • Yes indeed, in this [topic](http://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection) you can read more about it – DarkBee Dec 14 '14 at 17:29
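The two-step login that the comments describe, written out as an added example (this is not code from the question or the commenters). It assumes a `members` table with columns `id`, `username`, `email` and `password`, where `password` holds the string returned by `password_hash()` (so no separate `salt` column is needed), and a connected `mysqli` object `$db`. The e-mail only ever reaches the query through `bind_param()`, so it is treated as data and cannot change the SQL text; a crafted e-mail just fails to match any row.

```php
<?php
// Added example: registration and login with PHP 5.5+ password_hash() /
// password_verify() and mysqli prepared statements.
// Assumed schema: members(id, username, email, password).

// Registration: store the password_hash() output. The salt and the cost
// are embedded in the returned string, so nothing else has to be saved.
function register_member(mysqli $db, $username, $email, $password) {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        "INSERT INTO members (username, email, password) VALUES (?, ?, ?)"
    );
    $stmt->bind_param('sss', $username, $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login, step 1: fetch the stored hash for the e-mail (parameterised).
// Step 2: compare the submitted password with password_verify().
// Returns the member id on success, or null on failure.
function authenticate(mysqli $db, $email, $password) {
    $stmt = $db->prepare(
        "SELECT id, password FROM members WHERE email = ? LIMIT 1"
    );
    $stmt->bind_param('s', $email);   // $email is bound as data, never as SQL
    $stmt->execute();
    $stmt->store_result();

    $user_id = null;
    $db_hash = null;
    if ($stmt->num_rows === 1) {
        $stmt->bind_result($user_id, $db_hash);
        $stmt->fetch();
    }
    $stmt->close();

    if ($db_hash === null) {
        // Unknown e-mail: still run one password_verify() against a dummy
        // hash (computed once per process) so the response time does not
        // reveal whether the e-mail exists.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return null;
    }

    if (!password_verify($password, $db_hash)) {
        return null;   // wrong password
    }

    // Optional: transparently upgrade the stored hash if PASSWORD_DEFAULT
    // (algorithm or cost) has changed since the user registered.
    if (password_needs_rehash($db_hash, PASSWORD_DEFAULT)) {
        $new_hash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare("UPDATE members SET password = ? WHERE id = ?");
        $upd->bind_param('si', $new_hash, $user_id);
        $upd->execute();
        $upd->close();
    }

    return $user_id;
}

// Usage (requires a live connection; host/credentials are placeholders):
// $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
// register_member($db, 'alice', 'alice@example.com', 'correct horse battery');
// $id = authenticate($db, $_POST['email'], $_POST['password']);
// if ($id === null) { /* Invalid credentials */ } else { /* Success! */ }
```

The `salt` column and the `hash('sha512', $password . $salt)` step from the question are dropped on purpose: `password_verify()` reads the salt out of the stored hash itself, and re-hashing the input before calling it would make every login fail.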
