How can I compare a password of my DB with that of php

0

I'm working on the login for my website, but when I use a query to retrieve the password from the DB it comes back as a hash. My question is: how can I hash the password that the user entered and compare it with the one in the DB? To register the password I used the following MySQL code: PASSWORD(password_inserida_pelo_utilizador).

My code for the login part:

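    if ($verified === "false") {
        $link = mysqli_connect($Host, $UserName, $Password, $DataBaseName);

        // Look up the stored hash with a prepared statement so that
        // $username is never interpolated into the SQL text.
        $query = "SELECT Password FROM Users WHERE Username = ?";
        $stmt = $link->prepare($query);
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $result = $stmt->get_result();

        $query_password = array();

        if (mysqli_num_rows($result) > 0) {
          // Username exists: collect the row holding the stored hash.
          $row = mysqli_fetch_array($result);
          array_push($query_password, $row);

          print_r($query_password);

        } else {
          // No such user: report the error (with query details only in debug mode).
          if ($DEBUG === True) {
            echo "Error: " . $query . "<br>" . $link->error;

            $verified = "true";
            $usernameLoginErr = "Username is incorrect";
          } else {
            $verified = "true";
            $usernameLoginErr = "Username is incorrect";
          }
        }

        $link->close();
    }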

Note: In case there is a safer way to encrypt passwords I am always open to new options.

  • Why is your password ($query_password) an array, since the result of password_hash is a string?

1 answer

1


I would never recommend using PASSWORD(), just as I don't recommend using any cryptographic MySQL function; almost all of them are extremely problematic (such as AES_ENCRYPT, DES_ENCRYPT, ENCRYPT...). Just to give you an idea, MySQL uses AES-ECB by default for AES_ENCRYPT, and you can see Puin.

PASSWORD() always generates the same result, so just do:

    // Bind $username and $password with mysqli prepare()/bind_param() instead of interpolating them.
    $query = "SELECT Password FROM Users WHERE Username = ? AND Password = PASSWORD(?)";

The best way is to use Argon2id, available in PHP 7.3. For this, use password_hash. There are other topics on SO about which are the best password derivation algorithms. In addition to Argon2, there are also PBKDF2, Bcrypt, Scrypt and Lyra2. PHP supports Argon2, Bcrypt, PBKDF2.
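
The login flow the answer points to with password_hash, as an added example that is not part of the original answer: the stored hash is fetched by username and checked with password_verify, because a salted hash cannot be matched in the SQL WHERE clause. The VARCHAR(255) column width and the function names preferred_algo, register_user and check_login are assumptions.

```php
<?php
// Added example, not code from the question or the answer.
// Assumes the question's Users table with Password widened to VARCHAR(255).

// Argon2id needs PHP 7.3+ built with Argon2 support; otherwise use bcrypt.
function preferred_algo() {
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

// Registration: hash in PHP and store the resulting string as-is.
function register_user(mysqli $link, string $username, string $password): bool {
    $hash = password_hash($password, preferred_algo());
    $stmt = $link->prepare("INSERT INTO Users (Username, Password) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    return $stmt->execute();
}

// Login: fetch the stored hash by username only, then verify it in PHP.
// Each hash carries its own random salt, so it cannot be recomputed in SQL.
function check_login(mysqli $link, string $username, string $password): bool {
    $stmt = $link->prepare("SELECT Password FROM Users WHERE Username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // Same outcome for an unknown user and a wrong password.
    if (!$found || !password_verify($password, $stored)) {
        return false;
    }

    // On a successful login, upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($stored, preferred_algo())) {
        $new = password_hash($password, preferred_algo());
        $upd = $link->prepare("UPDATE Users SET Password = ? WHERE Username = ?");
        $upd->bind_param("ss", $new, $username);
        $upd->execute();
    }
    return true;
}

// Offline demonstration with a constructed password (no database needed):
// two hashes of the same password are compared, then one is verified.
$a = password_hash('constructed-sample', preferred_algo());
$b = password_hash('constructed-sample', preferred_algo());
var_dump($a === $b);
var_dump(password_verify('constructed-sample', $a));
var_dump(password_verify('wrong-guess', $a));
```

Rows that still hold a value produced by MySQL's PASSWORD() will fail password_verify, so those accounts need a password reset or a separate migration step.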
