Hashing and verifying user in login form PHP

I’ve created a simple login/registration form. The registered information is stored in a .txt file (this is for educational purposes only not real use).

I am hashing the registered input before I put it in the .txt file. When the user logs in I want to use password_verify to check the hash. If the hash is the same as the login input the user is verified and should therefore be logged in.

With the current code, even if the login is the same as what's stored in the .txt file it jumps straight to the else statement that says username and/or password is incorrect.


EDIT: If I enter username as 123 and password as 123 the textfile shows:

$2y$10$VeZB8AZmL9lAfRQ1qKBxEug8A3RrPxM9JlOAo9prw/UOWU4.XpdqC,$2y$10$kU5AvH4hTgE1cvHmTItIU.pnTsbYvKH9bLl3Bxfy4ig7QZKdVVV46,

I am new to PHP and programming in general and any help is appreciated 🙂

    // GETS FORM INPUT
    if (isset($_POST['username']) && $_POST['password']) {
        $username = $_POST['username'];
        $password = $_POST['password'];

        // Both fields are run through password_hash() on every submit,
        // login included, each call producing a fresh random salt.
        $hashName = password_hash($username, PASSWORD_DEFAULT);
        $hashPass = password_hash($password, PASSWORD_DEFAULT);
    }

    // LOGIN
    if ($_POST['btn'] == 'Login') {
        userExist($username, $password, $hashName, $hashPass);
    }

    // REGISTER
    else if ($_POST['btn'] == 'Register') {
        $fh = fopen("logininfo.txt", 'a') or die("Unable to open file");

        // Appends "hashedName,hashedPass," to the file (closing marker at
        // column 0 so the heredoc also parses on PHP older than 7.3)
        $login = <<<_END
$hashName,$hashPass,
_END;
        fwrite($fh, $login) or die("Unable to write to file");
        fclose($fh);
    }

    // VERIFIES USER
    function userExist($username, $password, $hashName, $hashPass) {

        $accounts = file_get_contents('logininfo.txt');
        $accArray = explode(',', $accounts);

        print_r($accArray);
        // Passes the newly generated hashes (not the plain input) as the first
        // argument of password_verify(), and only ever checks the first stored
        // pair, $accArray[0] and $accArray[1].
        if (password_verify($hashName, $accArray[0]) && password_verify($hashPass, $accArray[1])) {
            header('Location: index.php');
        } else {
            echo "username and/or password is incorrect";
        }
    }

Solution:

There’s too much hashing here.

When registering a user you store the unhashed user name and the password hashed with password_hash().

When logging in you use the unhashed user name to recover the hashed password for that user, then use password_verify() to compare the unhashed password the user has given you with the hashed password you stored.

password_hash() adds a random salt to the password and stores the salt and the generated hash in the resulting string. Even if you hash the same password twice you’ll get a different result each time.
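The register/login flow the answer describes, written out as an added example. This is not the original poster's code and not the answerer's; it assumes a flat file with one `username,hash` line per user (the file path is a temporary file here so the script runs from the CLI), a character whitelist on usernames so the comma delimiter cannot appear inside one, and PHP 7.1 or newer. The stored username stays in clear text and is used to look the account up; only the password is hashed, and `password_verify()` gets the plain password the user typed as its first argument and the stored hash as its second.

```php
<?php
declare(strict_types=1);

// Added example (not the page's own code). Storage layout is an assumption:
// one "username,hash" line per user in a plain text file.

function validUsername(string $username): bool {
    // Reject the delimiter and anything unusual; keeps the flat file unambiguous.
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username);
}

function loadAccounts(string $file): array {
    if (!is_file($file)) {
        return [];
    }
    $accounts = [];
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        // Split on the first comma only; bcrypt output never contains a comma,
        // but limiting the split keeps the parser robust regardless.
        [$user, $hash] = explode(',', $line, 2) + [null, null];
        if ($user !== null && $hash !== null) {
            $accounts[$user] = $hash;
        }
    }
    return $accounts;
}

function registerUser(string $file, string $username, string $password): bool {
    if (!validUsername($username) || $password === '') {
        return false;
    }
    $accounts = loadAccounts($file);
    if (isset($accounts[$username])) {
        return false;  // refuse a second line for an existing user
    }
    // Only the password is hashed. The random salt is embedded in the result,
    // so the same password hashed twice gives two different strings.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $line = $username . ',' . $hash . PHP_EOL;
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

function verifyLogin(string $file, string $username, string $password): bool {
    // Unknown users are verified against a dummy hash so the response time
    // does not reveal whether the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $accounts = loadAccounts($file);
    $stored = $accounts[$username] ?? $dummy;
    // Plain password first, stored hash second.
    $ok = password_verify($password, $stored);
    return $ok && isset($accounts[$username]);
}

// Demo on a throwaway file (constructed input: the poster's 123/123 account).
$file = tempnam(sys_get_temp_dir(), 'login');
var_dump(registerUser($file, '123', '123'));      // first registration
var_dump(registerUser($file, '123', 'other'));    // duplicate username is rejected
var_dump(verifyLogin($file, '123', '123'));       // correct password
var_dump(verifyLogin($file, '123', 'wrong'));     // wrong password
var_dump(verifyLogin($file, 'nobody', '123'));    // unknown user

// Why comparing hashes cannot work: two hashes of one password differ,
// yet password_verify() accepts the password against either of them.
$h1 = password_hash('123', PASSWORD_DEFAULT);
$h2 = password_hash('123', PASSWORD_DEFAULT);
var_dump($h1 === $h2, password_verify('123', $h1), password_verify('123', $h2));
unlink($file);
```

On a successful `verifyLogin()` the caller should call `session_regenerate_id(true)`, record the user in `$_SESSION`, then `header('Location: index.php')` followed by `exit`, otherwise the rest of the script keeps running after the redirect header is sent. Checking `password_needs_rehash()` at that point and rewriting the stored line lets the bcrypt cost be raised later without forcing password resets.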
