Check password hash on login (password_hash)


Viewed 1,051 times

2

I wrote all the login code, but when I went to test it, the login gave an error even though I used the same password as in the registration; that is when I realized that password_hash always generates a different hash. Since a different hash is always generated, how do I check this new hash against the one saved in the database? (I was reading this question, but it didn’t help me much: How to apply password_hash for use with SELECT, INSERT and UPDATE?)

On a test page I put:

    $senha = password_hash(12345678, PASSWORD_DEFAULT);
    echo $senha;
    // Output:
    // $2y$10$u5ib0cJivaTMWMceujIAjOq0G8tkjY7UTOMqOnqlWt6Rf8Vb2MLBK

On the login I put:

    $senha = password_hash($senha, PASSWORD_DEFAULT);
    // even when entering 12345678, a different result came out.
    // $2y$10$ZAWmkLhap3LpLH.EtKPl3uUdRV6joyP5sQND1m0HnFH8XNrehazSi

form:

    <form method="post" action="" >
        <input type="text" name="usuario" placeholder="Digite seu nome de usuário"><br>
        <input type="password" name="senha" placeholder="Digite sua senha"><br>
        <input type="submit" name="btn" value="Entrar"><br>
    </form>

    <?php
    // if there is a POST, this if block runs
    if($_POST){
        // Here it filters the POST; the last parameter strips tags and special characters.
        $usuario = filter_input(INPUT_POST, 'usuario', FILTER_SANITIZE_STRING);
        $senha = filter_input(INPUT_POST, 'senha', FILTER_SANITIZE_STRING);
        // right now, even with this var_dump, it is producing a hash, even though I removed the password from the function
        var_dump($senha);
        // here it includes the class
        require_once '../PDO/metodospdo.php';
        // here it calls the login method; since it is static, no object needs to be created.
        MetodosPDO::login($usuario, $senha);
    }
    ?>

full function:

    static function login($usuario, $senha) {
        try {
            $con = ConnectionFactory::getConnection();
            $con->beginTransaction();
            //$senha = password_hash($senha, PASSWORD_DEFAULT);
            $stmt = $con->prepare("select usuario from tbl_login where usuario = :usuario and senha = :senha");
            $stmt->bindParam('usuario', $usuario);
            $stmt->bindParam('senha', $senha);
            $stmt->execute();
            if ($stmt->fetchAll(PDO::FETCH_ASSOC)) {
                echo '<script> confirm("Bem vindo ao sistema!"); </script>';
                header("Location: menu.php");
            } else {
                echo '<script> alert("Usuário ou senha incorretos!");
                               window.location("login.php"); </script>';
            }
        } catch (PDOException $e) {
            echo $e->getMessage();
        }
    }

  • So I tried with '12345678', but it continued with the same thing...

  • Do a var_dump($senha); in the second snippet to see if the password value is correct.

  • Yes, the value coming in is right.

  • Post the result; maybe there is something you didn’t notice. I assume $password comes from a $_POST.

  • I updated and put the codes.

  • try using md5 instead of password_hash


1 answer

3


When you use password_hash you need password_verify to verify the password.

password_verify takes as its first parameter the password entered by the user and as the other the hash that is in the database.

Remember that password_verify always returns a boolean value, so you can easily make the check.

See here in detail

  • Thanks, solved the problem here, and the code got much better.

  • You’re welcome, I’m glad I could help.
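
A worked example of the password_verify approach from the answer, added here and not part of the original posts: the row is selected by user name only and the stored hash is checked in PHP. It reuses the tbl_login table and its usuario/senha columns from the question; the in-memory SQLite database, the register() helper and the sample account are assumptions made so the script runs on its own.

```php
<?php
// Added example (not the asker's code). Assumes the tbl_login(usuario, senha)
// table from the question; an in-memory SQLite database stands in for the real one.
declare(strict_types=1);

function register(PDO $con, string $usuario, string $senha): void
{
    // Store only the hash; the random salt is embedded in it.
    $stmt = $con->prepare('INSERT INTO tbl_login (usuario, senha) VALUES (:usuario, :senha)');
    $stmt->execute([':usuario' => $usuario, ':senha' => password_hash($senha, PASSWORD_DEFAULT)]);
}

function login(PDO $con, string $usuario, string $senha): bool
{
    // Look the row up by user name only: the hash cannot be matched in SQL.
    $stmt = $con->prepare('SELECT senha FROM tbl_login WHERE usuario = :usuario');
    $stmt->execute([':usuario' => $usuario]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: verify against a throwaway hash so the response time
        // does not reveal whether the account exists.
        password_verify($senha, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    if (!password_verify($senha, $hash)) {
        return false;
    }
    // Upgrade the stored hash if PASSWORD_DEFAULT or its cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $con->prepare('UPDATE tbl_login SET senha = :senha WHERE usuario = :usuario');
        $upd->execute([':senha' => password_hash($senha, PASSWORD_DEFAULT), ':usuario' => $usuario]);
    }
    return true;
}

$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE tbl_login (usuario TEXT PRIMARY KEY, senha TEXT NOT NULL)');

register($con, 'maria', '12345678');            // constructed sample account
var_dump(login($con, 'maria', '12345678'));     // correct password
var_dump(login($con, 'maria', 'wrong-guess'));  // wrong password
var_dump(login($con, 'nobody', '12345678'));    // unknown user
```

Pass the password to these functions exactly as it was submitted; a filter such as FILTER_SANITIZE_STRING strips tags and encodes quotes, which changes what gets hashed and verified.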
