
I have made a simple login system. The user's login password is hashed with the password_hash() algorithm and sent to the database, but the login page does not match the input password against the hashed password in the database by dehashing.

For example :

Username = john & Password = doe

In the above example, "doe" is hashed and sent to the database, and the login page does not log the user in with the password "doe"; the user can log in with the hashed password directly.

My code is shown below :

signup.php

<?php
date_default_timezone_set('Asia/Kathmandu');
$time = date("h:i:s");
$date = date("Y-d-m");

$con = mysqli_connect("localhost", "root", "", "classic") or die("Error!");
if (isset($_POST['submit'])) {
    $fname = mysqli_real_escape_string($con, $_POST['fname']);
    $lname = mysqli_real_escape_string($con, $_POST['lname']);
    $uname = mysqli_real_escape_string($con, $_POST['uname']);
    $psw   = mysqli_real_escape_string($con, $_POST['psw']);
    $email = mysqli_real_escape_string($con, $_POST['email']);
    $dob   = mysqli_real_escape_string($con, $_POST['dob']);
    $pswhash = password_hash($psw, PASSWORD_DEFAULT);

    $unique_email = "SELECT * FROM `users` WHERE email='$email'";
    $unique_emailresult = mysqli_query($con, $unique_email);
    if (mysqli_num_rows($unique_emailresult) > 0) {
        echo "Email already exist, try different Email.";
        header("refresh:2; url=http:../signup");
    } else {
        $unique_user = "SELECT * FROM `users` WHERE username='$uname'";
        $unique_userresult = mysqli_query($con, $unique_user);
        if (mysqli_num_rows($unique_userresult) > 0) {
            echo "Username already exist, try different username.";
            header("refresh:2; url=http:../signup");
        } else {
            $sql = "INSERT INTO users (firstname, lastname, username, password, email, dob, joindate, jointime) VALUES ('$fname','$lname','$uname','$pswhash','$email', '$dob', '$date', '$time')";
            $result = mysqli_query($con, $sql);
            if (!$result) {
                die("Error:");
            }
            echo "New account created successfully, Please Login.";
            header("refresh:2; url=http:../login.php");
        }
    }
} else {
    header("refresh:0; url=http:../login.php");
}
?>

login.php

<?php
session_start();
if (isset($_SESSION['user'])) {
    header("location:index.php");
}

include_once('Db/dbconnect.php');
#user verification starts
if (isset($_POST['login'])) {
    $uname = mysqli_real_escape_string($con, $_POST['uname']);
    $email = mysqli_real_escape_string($con, $_POST['uname']);
    $psw   = mysqli_real_escape_string($con, $_POST['psw']);

    $sql = "SELECT * FROM users WHERE (username='$uname' OR email='$uname') AND password='$psw'";
    $result = mysqli_query($con, $sql) or die(mysqli_errno());
    $trws = mysqli_num_rows($result);
    if ($trws == 1) {
        $rws = mysqli_fetch_array($result);
        $_SESSION['user'] = 1;
        $_SESSION['username'] = $rws['username'];
        $_SESSION['password'] = $rws['password'];
        header("location:index.php?username=$uname&request=login&status=success");
    } else {
        echo "Username and password does not matched";
    }
}
?>
0x4e
  • On the login page, when you try to log in with a correct username and password, what happens? –  Jul 29 '18 at 03:31
  • 2
    Are you using `password_verify()` http://php.net/manual/en/function.password-verify.php to verify the hash? –  Jul 29 '18 at 03:32
  • If I try to log in with the correct username and the hashed password, the same as the username and password in the database, login is successful and it redirects to the index page. – 0x4e Jul 29 '18 at 03:47
  • Yes, I'm using that algorithm. – 0x4e Jul 29 '18 at 03:47
  • 1
    You mean that you copy the hashed password from the DB, let's say `hGDGyd6757whgvYTtd476diuGIGB23iu2UG`, and paste it in the password input? –  Jul 29 '18 at 04:07
  • Of course that would work, as your query contains `password='$psw'`. But what about the other users? How would they get the hashed password? –  Jul 29 '18 at 04:13
  • You have two options: 1. Hash the login password as mentioned in the answers. 2. Fetch the hashed password from the DB and use `password_verify()` to verify the hashed password against the login password. –  Jul 29 '18 at 04:15
  • I tried to fetch and match it with the input password but I failed. – 0x4e Jul 29 '18 at 04:50
  • Can you give me code that selects the hashed password from the database and matches it with the input password? – 0x4e Jul 29 '18 at 04:52
  • Check my answer –  Jul 29 '18 at 04:58

3 Answers

4

When you hash the password the first time (when the user registers), you store the resulting hash in the database.

$hash_pass = password_hash($_POST['password'], PASSWORD_DEFAULT);    
$sql = "INSERT INTO users (id, full_name, email, password, username, sign_up_date, activated) VALUES ('', '$full_name', '$email', '$hash_pass', '$username', '$date', '1')";

The second time (when they try to log in again), you simply get the hash from the database WHERE email = '{$_POST['email']}' and then use the password_verify function:

if (!password_verify($_POST['login_password'], $hash_from_database)) { exit; }
Maryam
  • That's the point! I'm not able to dehash the password from the database with the input password. – 0x4e Jul 29 '18 at 03:49
  • @Classic You don't need to "dehash" the password (it isn't possible anyway). You just use `password_verify()` on PHP side with the password entered by the user and the hash stored in the database. – Progman Jul 29 '18 at 16:57
3

Below is the password_verify() function; this is what you are looking for. Just pass as the first variable what the user entered to log in, and as the second the hashed password you stored at registration time; this function will give you a bool response.

$check = password_verify( $password, $hashedPasswordFromDatabase );

You can check more details about this function at the link below: http://php.net/manual/en/function.password-verify.php

Harsh Virani
  • It does not work because password_hash() generates a different hash every time, so this way it does not work.... Any idea? Please help me. – 0x4e Jul 29 '18 at 04:53
  • I have updated my answer please have a look at this. – Harsh Virani Jul 29 '18 at 16:46
  • I tried to do the same thing but I'm having trouble... please try with my code... Edit my code and give me a solution please.... – 0x4e Jul 30 '18 at 01:51
2

To fetch the saved hashed password and match it against the user's login password:

Replace that part in the login file:

 $sql="SELECT * FROM users WHERE (username='$uname' OR email='$uname') AND password='$psw'";
 $result=  mysqli_query($con,$sql) or die(mysqli_errno());
  $trws= mysqli_num_rows($result);
  if($trws==1){
      $rws=  mysqli_fetch_array($result);
      $_SESSION['user']=1;
      $_SESSION['username']=$rws['username'];
      $_SESSION['password']=$rws['password'];
      header("location:index.php?username=$uname&request=login&status=success");
  }
  else{
    echo"Username and password does not matched";
  }

With:

//Select user data based on email/username only; the password is no longer part of the query.
$sql = "SELECT * FROM users WHERE (username='$uname' OR email='$uname')";
$result = mysqli_query($con, $sql) or die(mysqli_error($con));
$trws = mysqli_num_rows($result);
if ($trws == 1) {
    $rws = mysqli_fetch_array($result);
    //Verify the submitted login password against the stored hash.
    if (password_verify($psw, $rws['password'])) {
        $_SESSION['user'] = 1;
        $_SESSION['username'] = $rws['username'];
        $_SESSION['password'] = $rws['password'];
        header("location:index.php?username=$uname&request=login&status=success");
        exit; //stop here so nothing below runs after the redirect
    } else {
        echo "Username and password does not matched";
    }
} else {
    echo "Username and password does not matched";
}
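The same idea as the answers above, carried through as a complete script you can run locally. This is an added example and not code from the question or from any of the answers: it keeps the password out of the SQL entirely, uses bound parameters instead of mysqli_real_escape_string() string building (which in the question also mangled the password before it was hashed), and shows why two calls to password_hash() on the same password never produce the same string. The in-memory SQLite database, the table layout and the function names (makeDb, registerUser, loginUser, dummyHash) are assumptions made for this example; it needs PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the question or any of the answers: a minimal
// register/login flow that stores password_hash() output and checks it with
// password_verify(). It uses an in-memory SQLite database through PDO so it
// runs offline; the table layout and the function names are assumptions made
// for this example. Requires PHP 7.1+ with pdo_sqlite.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        email    TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL
    )');
    return $db;
}

// Registration: hash the raw password once and store only the hash.
// Bound parameters replace mysqli_real_escape_string() string building, so the
// password is never escaped (and thereby altered) before it is hashed.
function registerUser(PDO $db, string $username, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    $stmt->execute([$username, $email, $hash]);
}

// A throwaway hash that keeps the failure path for unknown users about as slow
// as a real verify, so response time does not reveal which usernames exist.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

// Login: select the row by username or email only. The password is not part of
// the WHERE clause; password_verify() compares the submitted plaintext against
// the stored hash, which is why pasting the hash itself no longer logs you in.
function loginUser(PDO $db, string $login, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password FROM users WHERE username = ? OR email = ?');
    $stmt->execute([$login, $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, dummyHash());
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Upgrade the stored hash transparently if the default algorithm or cost changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return ['id' => $row['id'], 'username' => $row['username']];
}

// Two hashes of the same password differ because each call draws a fresh salt,
// so neither re-hashing the login input nor comparing in SQL can ever match;
// only password_verify(), which reads the salt out of the stored hash, can.
$h1 = password_hash('doe', PASSWORD_DEFAULT);
$h2 = password_hash('doe', PASSWORD_DEFAULT);
var_dump($h1 === $h2, password_verify('doe', $h1), password_verify('doe', $h2));

// Constructed sample data for the demonstration (the question's john/doe pair).
$db = makeDb();
registerUser($db, 'john', 'john@example.com', 'doe');
var_dump(loginUser($db, 'john', 'doe'));               // correct password
var_dump(loginUser($db, 'john@example.com', 'doe'));   // login by email
var_dump(loginUser($db, 'john', 'wrong'));             // wrong password
var_dump(loginUser($db, 'nobody', 'doe'));             // unknown user
$storedHash = $db->query("SELECT password FROM users WHERE username = 'john'")->fetchColumn();
var_dump(loginUser($db, 'john', $storedHash));         // the stored hash is not the password
```

Run it with `php login_example.php`. Two things from the page's own login.php are worth changing when you adopt this: there is no reason to copy the hash into `$_SESSION['password']` (the session only needs the user id and name), and call session_regenerate_id(true) right after a successful verify so the pre-login session id is not carried into the authenticated session.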