Wordpress password encryption changes when you login

Viewed 882 times

0

Well I developed a website on localhost with the aim of connecting to a Wordpress database. I went to search a little more about the encryption that Wordpress used and I realized that I needed the file class-phpass.php to encrypt the password and then compare it to the one the user entered. For this purpose I used the following code:

include_once ('passwordHash.php'); // Load the file class-phpass.php (renamed)
$hash = new PasswordHash( 8, true );

$user_login = $_POST['username']; // Get the username the user entered at login
$user_pass = $hash->HashPassword($_POST['password']); // Get the password and encrypt it

include_once('DataAccess.php');
$db = new DataAccess();
$stored_hash = $db->getPassword(); // Fetch all the users' passwords
$correta = $hash->CheckPassword( $user_pass, $stored_hash ); // Compare the passwords

if ($correta == true){ ... } // If someone has the same password, check whether it matches the username.

The problem with all this is that whenever the user logs in, the file passwordHash.php returns a different password encryption than the one in the database.

For example: a user’s password when registering is abc and is stored like this: $P$BbRyz9JuNQ6NWQ0.wYR82HZhqlcJXD. When the user logs in and inserts the same password, it already encrypts like this: $P$Bon4zeRrOOcZMmafO09.J1U/Fs5Qgr1, and the goal is to encrypt it the same way and return $P$BbRyz9JuNQ6NWQ0.wYR82HZhqlcJXD. so that the user can log in.

  • 4

    Well, as you’ve already deleted the one I reopened, I’ll just leave the comment again: I’ve explained more than once that the hash is to change anyway, and I’ve indicated the answer that has the explanation. As for your code, it doesn’t match your text. I would suggest improving the description of the problem to match the code. If you need further explanation, please follow the link: http://answall.com/a/4837/70

  • I don’t know how to make me explain better...

  • Well, let’s leave it as it is, let’s hope someone can figure it out. If you can understand that it’s normal to change, it helps. When a password is generated by Passwordhash it goes with the hash together, and Checkpassword knows how to check correctly. You have to see if your DB is correct too (size of the fields etc). As in the other question you said you migrated DB, there may be the problem.

  • 1

    What is the return of the function $db->getPassword()? You say you are searching all users' passwords, you are returning an array then? You cannot pass an array and a string to CheckPassword, you must pass 2 hashes.

  • @Marcus Aurelius Deleus It gives this here: object(mysqli_result)#4 (5) { ["current_field"]=> int(0) ["field_count"]=> int(1) ["lengths"]=> NULL ["num_rows"]=> int(14) ["type"]=> int(0) }

  • @Bacco I didn’t migrate the database. I just built, say, a new page for that database and added a few columns. Thus allowing users to register on a different page and use it only to log in and consult their devices.

  • Bruny, is the passwords part in the DB new? Did you leave enough space in the field? Note that the error may be in the DB reading, as @Marcoauréliodeleu commented.

  • It is in varchar 255. It has more than space.

  • Print the DB return on the screen to make sure you’re recovering right.

  • 1

    Your problem is exactly in the variable $stored_hash. Instead of passing it this way to checkPassword, make sure you only get a password column value by logging in.

  • @Marcoauréliodeleu Ahhh... Now it makes sense. And how do I get the password only from the person trying to log in? I need to compare the Username to see if you have any in the database and if there is a password encryption and then I validate the password?

  • 2

    Yes. Use the variable $user_login to make a SELECT of the kind SELECT * FROM wp_users WHERE campo_usuario = $user_login. Check that the query returns a result. If so, it means the user exists. Get the whole row of the record (containing all columns). Next, encrypt the password sent via POST and then compare the two with the checkPassword function.

  • 1

    Do not encrypt the password, pass it without encrypting to the checkpassword function. The checkpassword automatically picks up the hash of the encrypted password, and applies it to the clean password to encrypt it the same. CheckPassword( $senha_em_plaintext, $hash_que_veio_do_db )

  • It’s returning this from the function: object(mysqli_result)#3 (5) { ["current_field"]=> int(0) ["field_count"]=> int(1) ["lengths"]=> NULL ["num_rows"]=> int(1) ["type"]=> int(0) } but I only used the select (user_pass) from wp_users where user_login = '$user_login'

  • @Marcoauréliodeleu Still no password encryption

1 answer

-2

Good morning,

The solution is:

Number 1: Take only the password field of the user in question in the database, example: $sql = "SELECT user_pass FROM wp_users Where user_login = 'login_digitado_na_tela'";

Number 2: include 'class-phpass.php'

Number 3: instantiate it >> $hash = new PasswordHash( 8, true );

Number 4: Pass only the two strings you want to check: >> $correct = $hash->CheckPassword( $password_form_tela, $password_buscado_no_banco);

Explanation: $hash->CheckPassword( string, string);

At the end do the If.
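To make concrete why the two hashes in the question differ and why the comments and the answer say to hand the plaintext to CheckPassword, here is an added Python port of the portable `$P$` scheme that class-phpass.php implements. This is example code written for this page, not the question's code and not WordPress's or phpass's own source. The `WP_USERS` dictionary stands in for the `SELECT user_pass FROM wp_users WHERE user_login = ...` query, the user name and password in it are constructed, and `login_as_in_question` / `login_as_in_answer` are hypothetical names for the two flows being contrasted.

```python
import hashlib
import hmac
import os

# Alphabet phpass uses for its base-64 variant (same table as crypt(3)).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass's own base-64: packs 3 input bytes, low bits first, into 4 characters."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Port of PasswordHash::crypt_private for '$P$'/'$H$' settings. Only the first
    12 characters of `setting` are read (scheme 3, cost 1, salt 8), so a previously
    stored hash can be passed in as the setting."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return "*0"  # same "failed" sentinel phpass returns
    count_log2 = ITOA64.find(setting[3])  # 4th char is log2 of the round count
    if count_log2 < 7 or count_log2 > 30:
        return "*0"
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):  # 2**count_log2 further MD5 rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest, 16)


def describe(stored_hash: str) -> dict:
    """Split a stored '$P$' hash into the parts CheckPassword reads back from it."""
    return {
        "scheme": stored_hash[:3],
        "rounds": 1 << ITOA64.find(stored_hash[3]),
        "salt": stored_hash[4:12],
    }


def hash_password(password: str, iteration_count_log2: int = 8) -> str:
    """Like PasswordHash::HashPassword with portable hashes: a fresh random salt on
    every call, so the same password never produces the same string twice."""
    cost_char = ITOA64[min(iteration_count_log2 + 5, 30)]  # 8 + 5 = 13 -> 'B'
    setting = "$P$" + cost_char + encode64(os.urandom(6), 6)
    return crypt_private(password.encode(), setting)


def check_password(password: str, stored_hash: str) -> bool:
    """Like PasswordHash::CheckPassword: re-derive under the salt and cost embedded
    in the stored hash, then compare in constant time."""
    candidate = crypt_private(password.encode(), stored_hash)
    return hmac.compare_digest(candidate.encode(), stored_hash.encode())


# Constructed stand-in for "SELECT user_pass FROM wp_users WHERE user_login = ?":
# a dict from user_login to user_pass. The user name and password are made up.
WP_USERS = {"bruny": hash_password("abc")}


def login_as_in_question(username: str, password: str) -> bool:
    """The flow the question's code attempts: hash the submitted password (new salt)
    and compare the two hash strings. Only a salt collision could make this succeed."""
    stored = WP_USERS.get(username)
    if stored is None:
        return False
    return hash_password(password) == stored


def login_as_in_answer(username: str, password: str) -> bool:
    """The flow the answer describes: fetch only this user's user_pass, then hand the
    plaintext and the stored hash to CheckPassword."""
    stored = WP_USERS.get(username)
    if stored is None:
        return False
    return check_password(password, stored)
```

Running `describe` on either hash from the question shows what the comment about "the hash going together with the salt" means: the `B` in position four is index 13 of the alphabet, so 2^13 = 8192 MD5 rounds (what `new PasswordHash(8, true)` selects on PHP 5 and later), and the next eight characters (`bRyz9JuN` in the stored hash, `on4zeRrO` in the freshly computed one) are the random salt. CheckPassword copies those twelve characters from the stored hash before hashing the submitted password, which is why it must receive the plaintext and a single user's stored string, never a second HashPassword output or a whole result set.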
