Aniket Singh - 2 years ago 82
PHP Question

How do I check for a password match in the database?

Today I found a PHP class called CryptoLib; it helps with hashing passwords, but now I'm confused about how I will match it with my database password.

Here is how the script is used; this generates a different hash every time I reload the page:

$string = $_POST['password'];
echo $hash = CryptoLib::hash($string);

This line checks whether the hash matches or not:

$isHashCorrect = CryptoLib::validateHash($hash, $string);
echo ($isHashCorrect ? "TRUE" : "FALSE");

This is my query:

mysqli_query($connec, "SELECT * FROM users WHERE email='$email' AND password='$password'");

Now can somebody tell me how I can match the password?

For more info visit

Answer Source

You basically need to compare the supplied password with the hash that is in the database through a SELECT query and iterate over the given row, just as you would for PHP's password_verify() function.

An example of this and where you bind the result to the comparison:

$email = $_POST['email'];
$password = $_POST['password'];
$result = null; /* stays null if no row matched the e-mail */

if ($stmt = $con->prepare("SELECT `password` FROM `table` WHERE email = ?")) {

    /* Bind the e-mail as a string parameter; it is never concatenated into the SQL */
    $stmt->bind_param("s", $email);

    /* Execute it */
    $stmt->execute();

    /* Bind results: the stored hash lands in $result */
    $stmt->bind_result($result);

    /* Fetch the value */
    $stmt->fetch();

    /* Close statement */
    $stmt->close();
}

/* Compare the submitted password with the stored hash; null means unknown e-mail */
$isHashCorrect = ($result !== null) && CryptoLib::validateHash($result, $password);
echo ($isHashCorrect ? "TRUE" : "FALSE");

This uses a prepared statement, something you should use in order to help protect against a possible SQL injection, which you are presently open to.

Also noting from my comments:

That library returns a 256-character string. Make sure your password column in your database isn't 255 but 256+, because otherwise that will fail on you silently.

You might even like to use PHP's password_hash() function instead, yet that choice is entirely yours.

The line require_once('cryptolib.php'); from their demo file might throw an error if you're on a *NIX system, since file names are case-sensitive there (unlike on Windows). Their file is named CryptoLib.php, which is not the same as cryptolib.php on such platforms.
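The same lookup-then-verify flow, written as an added example rather than code from the question or the answer above. It takes the answer's suggestion of PHP's built-in password_hash()/password_verify() instead of CryptoLib, and uses PDO with an in-memory SQLite database (an assumption made so it runs without a MySQL server; with MySQL only the DSN changes). The table name, column widths and the sample user are constructed for the example.

```php
<?php
// Added example: register a user with password_hash(), then log in by
// fetching the stored hash with a prepared statement and calling
// password_verify(). Assumes PDO with the sqlite driver is available.

function createSchema(PDO $db): void
{
    // password_hash() currently yields a 60-character bcrypt string, but the
    // PHP manual recommends a 255-character column so newer algorithms fit.
    // A column that is too narrow truncates the hash and every later
    // password_verify() fails (the same pitfall the answer notes for CryptoLib).
    $db->exec("CREATE TABLE users (
        id       INTEGER PRIMARY KEY,
        email    TEXT NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL
    )");
}

function registerUser(PDO $db, string $email, string $plainPassword): void
{
    // Hash once at registration; the random salt is stored inside the hash,
    // which is why hashing the same password twice gives different output.
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO users (email, password) VALUES (?, ?)");
    $stmt->execute([$email, $hash]);
}

function loginUser(PDO $db, string $email, string $plainPassword): bool
{
    // Select by e-mail only. The password never becomes part of the SQL text,
    // and the e-mail is bound as a parameter, so there is nothing to inject into.
    $stmt = $db->prepare("SELECT password FROM users WHERE email = ?");
    $stmt->execute([$email]);
    $storedHash = $stmt->fetchColumn();

    if ($storedHash === false) {
        // Unknown e-mail: still run one verify against a dummy hash so the
        // response time does not reveal which e-mails exist.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($plainPassword, $dummyHash);
        return false;
    }

    return password_verify($plainPassword, $storedHash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

// Constructed sample user
registerUser($db, 'alice@example.com', 'correct horse battery staple');

echo "right password: ", loginUser($db, 'alice@example.com', 'correct horse battery staple') ? "TRUE" : "FALSE", "\n";
echo "wrong password: ", loginUser($db, 'alice@example.com', 'wrong') ? "TRUE" : "FALSE", "\n";
echo "unknown e-mail: ", loginUser($db, 'nobody@example.com', 'whatever') ? "TRUE" : "FALSE", "\n";
// A classic injection string is just an ordinary, non-matching value here,
// because the prepared statement never interprets it as SQL.
echo "injection attempt: ", loginUser($db, "' OR '1'='1", "' OR '1'='1") ? "TRUE" : "FALSE", "\n";
```

Note that the login selects on the e-mail alone and compares the password in PHP; putting the password into the WHERE clause, as in the question's original query, cannot work with a salted hash because the stored value is never equal to what the user types.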
