How to verify an encrypted php password?

Asked

Viewed 44 times

-1

Good morning..

I tried to hash using php password_hash and did not succeed, it even generates the hash, but the problem is time to check the hash. Can someone help me?

Login and Create function

   public function login($email,$senha){

  $query = $this->pdo->prepare("SELECT * FROM usuarios WHERE email= :email AND senha= :senha");
  $query->bindValue(':email', $email);
  $query->bindValue(':senha', $senha);
  $execute = $query->execute();
  if($execute){

    $fetch = $query->fetchAll(PDO::FETCH_OBJ);
    if(count($fetch)>0){

       $q = $this->pdo->prepare("SELECT * FROM usuarios WHERE email= :email AND senha= :senha");
       $q->bindValue(':email', $email);
       $q->bindValue(':senha', $senha);
       $q->execute();
       $fetch = $q->fetch(PDO::FETCH_OBJ);


       $_SESSION['USER'] = (array)$fetch;

       return true;

    }else{
      return false;
    }

  }else{
    return false;
  }

}

public Function create($email,$password,$Whatsapp,$name){

 $query = $this->pdo->prepare("INSERT INTO usuarios (nome,email,whatsapp,senha) VALUES (:nome,:email,:whatsapp,:senha) ");
 $query->bindValue(':nome', $nome);
 $query->bindValue(':email', $email);
 $query->bindValue(':whatsapp', $whatsapp);
 $query->bindValue(':senha', $senha);

 if($query->execute()){
   return true;
 }else{
   return false;
 }

}

Here the part of creating user with hash

  if(isset($_POST['email']) && isset($_POST['whatsapp']) && isset($_POST['senha']) && isset($_POST['nome'])){



$email    = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
$senha    = password_hash($_POST['senha'], PASSWORD_DEFAULT);
$whatsapp = $_POST['whatsapp'];
$nome     = $_POST['nome'];


if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo '{"erro":true,"create":0,"login":0,"msg":"Email inválido, verifique-o."}';
    exit;
}

if(!is_numeric($whatsapp)){
        echo '{"erro":true,"create":0,"login":0,"msg":"Tefone inválido, verifique o número."}';
    exit;
}
    
if ($nome === '') {
        echo '{"erro":true,"create":0,"login":0,"msg":"Por favor, Preencha o nome."}';
    exit;
}

if ($whatsapp === '') {
        echo '{"erro":true,"create":0,"login":0,"msg":"Por favor, Preencha o telefone."}';
    exit;
}

if ($email === '') {
        echo '{"erro":true,"create":0,"login":0,"msg":"Por favor, Preencha o email."}';
    exit;
}

if ($senha === '') {
        echo '{"erro":true,"create":0,"login":0,"msg":"Por favor, Preencha a senha."}';
    exit;
}

$verify = $clientes->verify_email($email);

if ($verify > 0) {
        echo '{"erro":true,"create":0,"login":0,"msg":"Este endereço de e-mail já está sendo usado por outro usuário."}';
    exit;
}

  $create = $clientes->create($email,$senha,$whatsapp,$nome);

  if($create){
    $login = $clientes->login($email,$senha);
    if($login){
      echo '{"erro":false,"create":1,"login":1,"msg":"logado"}';
    }else{
      echo '{"erro":true,"create":1,"login":0,"msg":"Sua conta foi criada, faça login"}';
    }
  }else{
    echo '{"erro":true,"create":0,"login":0,"msg":"Erro temporario, tente mais tarde, ou entre em contato com o suporte"}';
  }

}

Here the login part

  if(isset($_POST['email'])){

$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
$senha = $_POST['senha'];

$login = $clientes->login($email,$senha);

if($login){

  if(isset($_SESSION['checkout'])){
    echo '3';
  }else{
    echo '1';
  }

}else{
  echo '0';
}

}

NOTE: The checking part didn’t put pq there every way I tried the login error.

1 answer

1

Just look at the documentation, at https://www.php.net/manual/en/function.password-verify.php:

password_verify ( string $password , string $hash ) : bool
Verifies that the Given hash Matches the Given password.


Your $query = $this->pdo->prepare("SELECT * FROM usuarios WHERE email= :email AND senha= :senha") will never work for obvious reasons.

The senha= :senha it will never work. In fact, it might work, but it won’t be using the password_verify. For it to work without the password_verify would need, anyway, to get the exact same salt used and use the password_hash with the same salt and algorithm. So forget it, and assume that "it won’t work" because there’s a better way.


To use the password_verify you need to pick up the user by email and then use the password comparison, using password_verify.

In summary imagine the following:

$db = SELECT kdf_da_senha FROM tabela WHERE usuario = [email protected];
$form = $_POST;

if $db[kdf_da_senha] == $form["senha"] {
  // Senha correta
}

Basically, that’s what you’re gonna do:

public function login($email,$senha){

  // Busca pelo e-mail
  $query = $this->pdo->prepare("SELECT * FROM usuarios WHERE email= :email");
  $query->bindValue(':email', $email);
  $execute = $query->execute();
  if(!$execute){
     return false;
  }

  // Pega a senha (...)
  $result = $sth->fetch(PDO::FETCH_ASSOC);
  if(!is_array($result)){
     return false;
  }

  // Compara a senha
  if(!password_verify($senha, $result["senha"])) {
    return false;
  }

  // Se tudo der certo, set a $result:
  $_SESSION['USER'] = $result;
  return true;
}

The idea is the same as mentioned. First, take the information based on the email, then compares the database password (which was created with the password_hash) with the password the user offered.


Note that this code assumes that the email is unique. If it is not unique (there may be duplicity), you will have to loop each password and compare it (using the password_verify for each record with the same email).

  • PS: The code is not tested and may contain some error. I have no way to test, since I no longer use PHP, and I do not have it installed.

  • Thank you, I tested the code, there was error in rowCount. I removed and authenticated, there is some problem to remove Count?

  • Seeing the documentation, the rowCount PDO is not equal to numRows Mysqli, there are no guarantees that always works on SELECT in all databases. There is no problem in removing it, however, it is important to know if there is any record or not. I changed the code to if(!is_array($result)){ return false; }, hoping to work, but it’s a kick.

  • perfect. Thank you very much

  • Looks like they closed the question, I can’t get the best answer

Browser other questions tagged

You are not signed in. Login or sign up in order to post.