Well, I developed a website on localhost with the aim of connecting to a WordPress database. I searched a little more about the encryption that WordPress uses and realized that I needed the file class-phpass.php to encrypt the password and then compare it to the one the user entered. For this purpose I used the following code:
include_once ('passwordHash.php'); // Load the class-phpass.php file (renamed)
$hash= new PasswordHash( 8, true );
$user_login = $_POST['username']; // Get the username the user entered at login
$user_pass = $hash->HashPassword($_POST['password']); // Get the password and encrypt it
include_once('DataAccess.php');
$db = new DataAccess();
$stored_hash = $db->getPassword(); // Get all users' passwords
$correta = $hash->CheckPassword( $user_pass, $stored_hash ); // Compare the passwords
if ($correta == true){ ... } // If someone has the same password, check whether it matches the username.
The problem with all this is that whenever the user logs in, the file passwordHash.php returns a different password encryption than the one in the database.
For example: a user’s password when registering is abc and is stored like this: $P$BbRyz9JuNQ6NWQ0.wYR82HZhqlcJXD. When the user logs in and inserts the same password, it is now encrypted like this: $P$Bon4zeRrOOcZMmafO09.J1U/Fs5Qgr1 and the goal is to encrypt it the same way and return $P$BbRyz9JuNQ6NWQ0.wYR82HZhqlcJXD. so that the user can log in.
Well, as you’ve already deleted the one I reopened, I’ll just leave the comment again: I’ve explained more than once that the hash is supposed to change anyway, and I’ve indicated the answer that has the explanation. As for your code, it doesn’t match your text. I would suggest improving the description of the problem to match the code. If you need further explanation, please follow the link: http://answall.com/a/4837/70
– Bacco
I don’t know how to explain myself better...
– Bruny
Well, let’s leave it as it is, let’s hope someone can figure it out. If you can understand that it’s normal for it to change, it helps. When a password is generated by PasswordHash it goes with the hash together, and CheckPassword knows how to check correctly. You have to see if your DB is correct too (size of the fields etc). As in the other question you said you migrated the DB, the problem may be there.
– Bacco
What is the return of the function $db->getPassword()? You say you are searching all users' passwords, you are returning an array then? You cannot pass an array and a string to CheckPassword, you must pass 2 hashes.
– Marco Aurélio Deleu
@Marco Aurélio Deleu It gives this code here:
object(mysqli_result)#4 (5) { ["current_field"]=> int(0) ["field_count"]=> int(1) ["lengths"]=> NULL ["num_rows"]=> int(14) ["type"]=> int(0) }
– Bruny
@Bacco I didn’t migrate the database. I just built, say, a new page for that database and added a few columns. Thus allowing users to register on a different page and use it only to log in and consult their devices.
– Bruny
Bruny, is the passwords part of the DB new? Did you leave enough space in the field? Note that the error may be in the DB reading, as @Marcoauréliodeleu commented.
– Bacco
It is in varchar 255. It has more than enough space.
– Bruny
Print the DB return on the screen to make sure you’re recovering right.
– Bacco
Your problem is exactly in the variable $stored_hash. Instead of passing it this way to checkPassword, make sure you only get a password column value by logging in.
– Marco Aurélio Deleu
@Marcoauréliodeleu Ahhh... Now it makes sense. And how do I get the password only from the person trying to log in? I need to compare the Username to see if you have any in the database and if there is a password encryption and then I validate the password?
– Bruny
Yes. Use the variable $user_login to make a SELECT of the kind SELECT * FROM wp_users WHERE campo_usuario = $user_login. Check that the query returns a result. If so, it means the user exists. Get the whole row of the record (containing all columns). Next, encrypt the password sent via POST and then compare the two with the checkPassword function.
– Marco Aurélio Deleu
Do not encrypt the password, pass it without encrypting to the checkpassword function. The checkpassword automatically picks up the hash of the encrypted password, and applies it to the clean password to encrypt it the same.
CheckPassword( $senha_em_plaintext, $hash_que_veio_do_db )
– Bacco
It’s returning this from the function:
object(mysqli_result)#3 (5) { ["current_field"]=> int(0) ["field_count"]=> int(1) ["lengths"]=> NULL ["num_rows"]=> int(1) ["type"]=> int(0) }

but I only used the select (user_pass) from wp_users where user_login = '$user_login'
– Bruny
@Marcoauréliodeleu Still no password encryption
– Bruny
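
An added example, not part of the thread and not phpass's own code: a Python re-implementation of the portable `$P$` scheme, showing why two hashes of the same password differ (a fresh random salt is stored inside each hash) and why the check needs the plaintext plus one stored hash string. The function names are hypothetical; the default cost of 13 is assumed from the `$P$B` prefix of the hashes quoted in the question.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes) -> str:
    """phpass base64 variant: 3 bytes little-endian -> 4 chars, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def parse_setting(stored: str):
    """Return (log2 of the iteration count, salt) embedded in a portable hash."""
    if len(stored) < 12 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(stored[3])  # raises ValueError on a bad character
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return count_log2, stored[4:12]


def crypt_portable(password: str, setting: str) -> str:
    """Iterated MD5 over salt + password; output keeps the 12-char setting prefix."""
    count_log2, salt = parse_setting(setting)
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def hash_password(password: str, count_log2: int = 13) -> str:
    """Registration: a fresh random salt on every call, so the output always differs."""
    return crypt_portable(password, "$P$" + ITOA64[count_log2] + encode64(os.urandom(6)))


def check_password(plaintext: str, stored: str) -> bool:
    """Login: re-hash the plaintext with the salt taken from the stored hash."""
    try:
        candidate = crypt_portable(plaintext, stored)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

In the PHP from the question this corresponds to fetching the single user_pass string for $user_login (with a bound parameter rather than string interpolation) and calling CheckPassword with $_POST['password'] unhashed.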