password hashing doesn't work for all special characters
I'm trying to hash passwords using the CodeIgniter 3 library "Community Auth", and I think I've found that only certain special characters will work. The passwords are saved to the DB, but it doesn't work to log in.
Here are the two methods that I use to change a password, and then the third to check for login.
Model = application\models\User_model.php
Method = change_password
Code: $this->db->where('user_id', $user_data->user_id)
Model = application\third_party\community_auth\libraries\Authentication.php
Method = hash_passwd
Code: public function hash_passwd($password) {
Model = application\third_party\community_auth\libraries\Authentication.php
Method = check_passwd
Code: public function check_passwd($hash, $password) {
It should be FALSE, but don't think it will be activated with NULL.
How is it stored in your database? Does it look the same when you stored it to when you get it from the DB? (you need to start dumping it and debug it)
Ok, thanks that's a good direction to go. I checked the debug log and I do see that the listed hash matches the database record. So now I'm left with figuring out why the password_verify method isn't matching it correctly. Here's the log, and you can see the match fails:
Code: DEBUG - 2020-08-04 19:22:45 -->
Can you add a debug log function to save what the generated hash is before storing it in the database, so that you can match it against the one being stored?
I added it to my user model, and it matches on the save too:
PHP Code: protected function _change_password($password, $password2, $user_id, $recovery_code) {
Code: DEBUG - 2020-08-04 20:26:36 -->
Okay... Can you add another log_message after "password stored in" that uses the built-in password_verify and log a var_dump of that, to see if it validates before storing it in the database?
OK, updated the change_password method with the new log line:
PHP Code: protected function _change_password($password, $password2, $user_id, $recovery_code) {
Logs show it passed:
Code: DEBUG - 2020-08-04 20:47:33 -->
Okay, did you change the password, btw? Because it doesn't match the first one in the thread anymore.
I would then look at what password password_verify gets when you try to log in, so that it doesn't change it. Have you checked that it's the same before saving it as well, so that it doesn't manipulate it in any way?
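The check suggested in the last reply, as an added example that is not part of the thread or of Community Auth: it logs a keyed fingerprint of the password on the save path and on the login path instead of the plaintext, so the two can be compared byte for byte. `DEBUG_KEY`, `pw_fingerprint` and the sample password are hypothetical, and `htmlspecialchars` is only an assumed stand-in for whatever might alter the input before `password_verify`; the thread does not identify the actual cause.

```php
<?php
// Added example: constructed values only, not Community Auth code.

// Hypothetical temporary debug key; in a real app load it from config
// and remove this logging once the mismatch has been found.
const DEBUG_KEY = 'constructed-debug-key';

// Describe a password without writing it to the log: byte length plus a
// short keyed fingerprint that matches only for byte-identical inputs.
function pw_fingerprint($password)
{
    $mac = hash_hmac('sha256', $password, DEBUG_KEY);
    return sprintf('len=%d fp=%s', strlen($password), substr($mac, 0, 8));
}

// Constructed sample password containing characters that escaping alters.
$typed = 'P@ss<word>&"1\'';

// Save path: the raw string is hashed, as hash_passwd() would do.
$hash = password_hash($typed, PASSWORD_DEFAULT);
echo 'save : ', pw_fingerprint($typed), PHP_EOL;

// Login path A: the same bytes reach password_verify(), so it succeeds.
echo 'login: ', pw_fingerprint($typed), ' verify=',
    var_export(password_verify($typed, $hash), true), PHP_EOL;

// Login path B (assumed for illustration): an input filter escaped the
// value before it reached check_passwd(), so length and fingerprint
// differ from the save path and verification fails.
$filtered = htmlspecialchars($typed, ENT_QUOTES, 'UTF-8');
echo 'login: ', pw_fingerprint($filtered), ' verify=',
    var_export(password_verify($filtered, $hash), true), PHP_EOL;
```

If the `len` and `fp` values logged at login differ from those logged at save, the password was changed somewhere between the form and `password_verify`, and the hash itself is not the problem.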