Password hashing
Hi guys,
after reading the documentation ( http://www.codeigniter.com/user_guide/ge...d-handling ) about password security, I've changed my signup form to this:

Code: $data = array(

I can see my password saved in the DB with different characters, which is the "hash". Now when I want to log in, the password is not valid. How I am getting the password in the login page is:

Code: $this->user->login_access(array(

Note: My code without hashing is working. I believe I need to do something to change the standard chars to hash, then check with the DB. I'm stuck in this part. Any idea?

You need to hash their supplied password (retrieved via post) and compare it against the hashed password in the db.
08-12-2015, 08:25 AM
If you use password_hash, you can use password_verify, this is the recommended method on php.net
http://php.net/manual/en/function.password-verify.php

(08-12-2015, 07:51 AM)CroNiX Wrote: You need to hash their supplied password (retrieved via post) and compare it against the hashed password in the db.

(08-12-2015, 08:25 AM)mariek Wrote: If you use password_hash, you can use password_verify, this is the recommended method on php.net

s/can/must/

password_verify() is the only way.

I've read the password_verify(). I can see the example there like this:

Code: $hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

Now I'm trying to log in with this code (but I don't know what my problem is, that it's not working!):

Code: $username = $this->input->post('username');

and my login_access() is:

Code: function login_access($cond = array())

You must retrieve the password in the database by username, then use password_verify to compare two passwords.
PHP Code: // code to login
@ardavan
Your code is wrong. Place the following code within a page, reload it several times and you will find out why.

Code: echo '<br />';

(08-13-2015, 06:04 AM)ivantcholakov Wrote: @ardavan

@ivantcholakov wait wait... You said every time the hash will change...! I think I totally got it wrong, because I've saved the hashed password after registering inside the DB. Correct me if I'm wrong: So I've to save the standard chars inside the DB AND I should use password_hash() & password_verify() for login.

(08-13-2015, 07:11 AM)ardavan Wrote: (08-13-2015, 06:04 AM)ivantcholakov Wrote: @ardavan

These two functions have different purposes and you're mixing them.
- Use password_hash() when you store a new password (creating new user, changing an old password)
- Use only password_verify() for login.

@Narf
Thanks for the useful explanation. With your explanation and that of other friends, I've changed my code:

PHP Code: $username = $this->input->post('username');

And the result is

Code: string(45) "$2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ" bool(false)

My entry password is "zz", which during registering is changed to a hash and then saved in the DB. My password in the DB is

Code: $2y$10$B7uJAngw0wtDtncMpsOfvetyFCg//VqdnqjdEZ

My get_one_by() function is in my model:

PHP Code: function get_one_by($cond = array())

The password_verify() is always FALSE!
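
Added example, not part of the thread and not any poster's code: it runs the store-with-password_hash() / check-with-password_verify() flow described above, and then checks the same hash after it has been cut to 45 characters, the length shown in the var_dump in the last post. The function names are hypothetical, and the column that truncates on storage is an assumption used to reproduce that length.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Registration / password change: hash once, store the whole string.
function make_hash(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT);
}

// Login: the row is looked up by username only; the stored hash is then
// checked with password_verify(), never by hashing again and comparing.
function login_ok(string $plain, ?string $stored): bool
{
    return $stored !== null && password_verify($plain, $stored);
}

// Stand-in for a database column of limited width (assumption: a column
// too narrow for the hash keeps only the first $width characters).
function column_roundtrip(string $hash, int $width): string
{
    return substr($hash, 0, $width);
}

// A stored value that PHP no longer recognises as a hash was damaged on
// the way into or out of the database.
function looks_intact(string $stored): bool
{
    return password_get_info($stored)['algoName'] !== 'unknown';
}

$plain  = 'zz'; // the test password used in the thread
$first  = make_hash($plain);
$second = make_hash($plain);

$report = [
    'hash length'              => strlen($first),
    'two hashes are identical' => $first === $second,
    'verify against full hash' => login_ok($plain, $first),
    'wrong password accepted'  => login_ok('zy', $first),
];
foreach ([45, 60, 255] as $width) {
    $stored = column_roundtrip($first, $width);
    $report["width $width intact"] = looks_intact($stored);
    $report["width $width login"]  = login_ok($plain, $stored);
}
var_dump($report);
```

A bcrypt hash from password_hash() is 60 characters long, and the PHP manual recommends a 255-character column so that future algorithms also fit.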