Confirmation email with password_hash


-1

When registering on the site, the user receives an email to activate the registration; up to that point everything is fine. The problem is in checking the password_hash. I know there is password_verify, but in this case it seems that it is not possible to use it. The $key variable holds the user id encrypted using password_hash.

    <!DOCTYPE html>
    <html>
        <head>
            <meta charset="UTF-8">
            <title>Email de confirmação</title>
        </head>
        <body>
            <?php
            $key = filter_input(INPUT_GET, 'key', FILTER_SANITIZE_SPECIAL_CHARS);
            $verify = $conexao->prepare("select * from user where password_hash(id) = '$key'");
            $verify->execute();
            if($verify){
                $id = $verify->fetch(PDO::FETCH_OBJ);
                $confirm = $conexao->prepare("update user set confirm = 1 where id = :id");
                $confirm->bindValue(':id', $id->id, PDO::PARAM_INT);
                $confirm->execute();
                echo 'Cadastro ativado com sucesso!';
            }else{
                echo 'Erro ao ativar cadastro';
            }
            ?>
        </body>
    </html>

As shown above, I tried to verify the user id in the database, thus:

    $verify = $conexao->prepare("select * from user where password_hash(id) = '$key'");

And that way too:

    $verify = $conexao->prepare("select * from user where password_hash(id, PASSWORD_DEFAULT) = '$key'");

But, as expected, it gave an error: 'Syntax error or access Violation: 1305 FUNCTION password_hash does not exist'. I saw that it can be done this way with MD5. Can you do something like this with password_hash?

  • 1

    The error is in your query: password_hash is a PHP function, so it is giving the syntax error. Do the following: take the email to which the activation message was sent, get the registered $id from it, and use password_verify with the $key.

  • password_hash is a PHP function. It won’t work even within a query. Maybe this https://answall.com/a/147319/4751 will help you.

  • That's right, Leandro, but if I do it with MD5, for example: $verify = $conexao->prepare("select * from user where MD5(id) = '$key'"); it works normally. I wanted to know if there is any function for password_hash to work inside a query; if not, I'll do it with MD5.

1 answer

-1

The error is in your query. Using MD5(id) works because MySQL has this function implemented. You can do the following: encrypt the value of the user id and then compare the generated hash to the one saved in the database:

    $key = password_hash(filter_input(INPUT_GET, 'key', FILTER_SANITIZE_SPECIAL_CHARS), PASSWORD_DEFAULT);
    $verify = $conexao->prepare("select * from user where id = '$key'");
    $verify->execute();

Note: this assumes that the value of GET "key" is not in fact a hash, because if it is, there is no need to generate it again (because it would be different).

  • It’s a good idea, but on my site it will cause problems: if I encrypt the id, I’ll have to make changes on a lot of pages of my site that pull the user id, because the GET of the URL of the pages that take the user id only accepts an INT value, and the value generated by password_hash has letters as well.

  • I’m going to use MD5 anyway, since mysql does not have any keyed function for password_hash.

  • Just a quick addendum: since you are using prepare, use the placeholder to protect your SQL. $conexao->prepare("select * from user where id = :id");
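
The approach suggested in the comments (fetch the row first, compare in PHP with password_verify, bind every parameter), as an added example that is not code from the thread. It goes one step further and hashes a random token instead of the user id, since a key derived only from the id can be produced by anyone who knows the id; the token_hash column, the function names, the sample user and the in-memory SQLite database are assumptions.

```php
<?php
// Added example. The table mirrors the thread's `user` table; the
// token_hash column, function names and sample data are assumptions.
$conexao = new PDO('sqlite::memory:');
$conexao->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conexao->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT,
                confirm INTEGER DEFAULT 0, token_hash TEXT)');

// Registration: store only a hash of a random token. The token itself
// goes into the e-mail link together with the integer id.
function register(PDO $db, string $email): array {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO user (email, token_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => password_hash($token, PASSWORD_DEFAULT)]);
    return [(int) $db->lastInsertId(), $token];
}

// Activation: fetch the row by id with a bound parameter, then compare in
// PHP. password_hash() salts every call, so SQL equality can never match.
function activate(PDO $db, int $id, string $key): bool {
    $stmt = $db->prepare('SELECT token_hash FROM user WHERE id = :id AND confirm = 0');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($key, $hash)) {
        return false;   // unknown id, already confirmed, or wrong key
    }
    // Clear the stored hash so the link cannot be used a second time.
    $upd = $db->prepare('UPDATE user SET confirm = 1, token_hash = NULL WHERE id = :id');
    $upd->bindValue(':id', $id, PDO::PARAM_INT);
    $upd->execute();
    return true;
}

// Constructed sample user. In the activation page, $id and $key would come
// from filter_input(INPUT_GET, ...) with FILTER_VALIDATE_INT for the id.
[$id, $token] = register($conexao, 'alice@example.test');
echo activate($conexao, $id, $token) ? "activated\n" : "rejected\n";
// Same link followed again after activation:
echo activate($conexao, $id, $token) ? "activated\n" : "rejected\n";
// A key that was never issued:
echo activate($conexao, $id, 'not-the-token') ? "activated\n" : "rejected\n";
```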
