Jack Panston - 4 months ago
PHP Question

password_hash and password_verify do not work properly

Password hash does not work properly in my script.

Here is my integration:

register.php

// extra md5()/sha1() layer plus a manual $salt, applied before password_hash()
$password = password_hash(md5(sha1($_POST['password']) . $salt), PASSWORD_DEFAULT);


And here is how I verify it:

Login.php

// same md5()/sha1() layer so the value matches what was hashed at registration
$password = md5(sha1($_POST['password']) . $salt);

// $email is interpolated directly into the SQL string
$check = $mysqli->query("SELECT password FROM accounts WHERE email = '$email'");
$passw_hash = $check->fetch_assoc();
if (password_verify($password, $passw_hash["password"])) {
    // login succeeded
}


My PHP version: 5.5

Or if you have any other method to encrypt passwords, let me know.

UPDATE

1- Modified the password column size to VARCHAR(250) from VARCHAR(60)

2- Removed all other encryptions like md5 and sha1, and cleaned the code to protect the password against SQL injections.

Example of hashed password:

Pure TEXT:
google


Hashed:
$2y$10$0Bd5Uv09Jg50QZZ4Iz7F2.WGV3MpYkScg9vuTONWmUCMYPJ3qDukC


I insert a new member into my database with prepared statements using mysqli:

// placeholders instead of interpolated values; bind_param() supplies them
$st = $mysqli->prepare("
    INSERT INTO accounts (
        username,
        password,
        date
    ) VALUES (
        ?,
        ?,
        ?
    )");
$st->bind_param('sss', $username, $password, $date);
$st->execute();

Answer

Since you're using password_hash() you do not want to use any additional hashing, so remove the md5() and sha1() functions.

$password = password_hash($_POST['password'], PASSWORD_DEFAULT);

Furthermore, remove the functions from your login:

$password = $_POST['password'];

By adding the other functions you're destroying the elements password_hash() and password_verify() need to do their jobs. Adding the two additional hashing mechanisms also doesn't make the hash any more secure.

Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.


In addition, Little Bobby says your script is at risk for SQL injection attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Don't believe it?
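The register/login flow the answer describes, as an added example that is not code from the question or the answer: password_hash() and password_verify() are applied to the raw password, and every query is parameterised. It assumes PDO with an in-memory SQLite database so it runs stand-alone; with mysqli the statements use the same `?` placeholders through prepare()/bind_param()/execute(). The account data at the bottom is constructed for the demo.

```php
<?php
// Added example, not from the original post. Uses PDO + SQLite (assumption) in
// place of mysqli so that it runs without a MySQL server.

function create_schema(PDO $db)
{
    // 255 rather than 60: PASSWORD_DEFAULT can change to a longer algorithm in a
    // later PHP release, and the PHP manual recommends leaving room for that.
    $db->exec("CREATE TABLE accounts (
        email    TEXT PRIMARY KEY,
        password VARCHAR(255) NOT NULL,
        date     TEXT NOT NULL
    )");
}

function register(PDO $db, $email, $plainPassword)
{
    // Hash the raw password: no md5()/sha1() pre-hash, no salt of your own (bcrypt
    // embeds its own random salt in the hash), no escaping or trimming beforehand.
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    // Bound parameters keep the email and the hash out of the SQL text entirely.
    $st = $db->prepare("INSERT INTO accounts (email, password, date) VALUES (?, ?, ?)");
    $st->execute(array($email, $hash, date('Y-m-d H:i:s')));
}

function login(PDO $db, $email, $plainPassword)
{
    $st = $db->prepare("SELECT password FROM accounts WHERE email = ?");
    $st->execute(array($email));
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown account
    }
    // password_verify() reads the algorithm, cost and salt from the stored hash,
    // so the raw submitted password is all it needs.
    if (!password_verify($plainPassword, $row['password'])) {
        return false;   // wrong password
    }
    // Optional upgrade path (password_needs_rehash() exists from PHP 5.6): re-hash
    // on successful login when the default cost or algorithm has changed.
    if (function_exists('password_needs_rehash')
        && password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $st = $db->prepare("UPDATE accounts SET password = ? WHERE email = ?");
        $st->execute(array(password_hash($plainPassword, PASSWORD_DEFAULT), $email));
    }
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_schema($db);

// Constructed sample account for the demo.
register($db, 'user@example.com', 'google');

var_dump(login($db, 'user@example.com', 'google'));
var_dump(login($db, 'user@example.com', 'wrong'));
// With a bound parameter an injection attempt in the email field is only a
// literal value that matches no row.
var_dump(login($db, "' OR '1'='1", 'google'));
```

Only the first login() call succeeds; the wrong password and the injection-style email are both rejected, the latter because the prepared statement compares the literal string `' OR '1'='1` against the email column instead of altering the query.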