Harmjan Lever Harmjan Lever - 5 months ago 15
SQL Question

how to retrieve hashed password for login php

i am trying to build my first login system, i am a beginner.

i want to retrieve a password from my database and use this code to check the login.

if (password_verify($password, $hash)) {
echo 'Password is valid!';
}


the password in the database is hashed using

$hash = password_hash($_POST['password'], PASSWORD_DEFAULT)."\n";


i know i should use sql

SELECT password FROM $tbl_name WHERE email='$email'


how do i connect $hash to my sql?

Answer

Okay so basically to explain how password_verify works:

The first parameter is a non-hashed password, from the user's input. The second parameter is the hashed password that you extract from the database.

Following, is the structure that I use for database extraction. It's OOP and uses correct coding conventions that you should try and learn before learning "procedural" style PHP, as this is the better way of coding.

class DatabaseConnect{

    protected
        $host, $user, $pass, $dbname, $con;

    public function __construct(){

        // Replace these with your database information. dbname is the name of the actual database, not the table.

        $this->host = "localhost";
        $this->user = "root";
        $this->pass = "";
        $this->dbname = "test";
    }

    public function dbConnect(){
        try{
            $this->con = new PDO("mysql:host=$this->host;dbname=$this->dbname", $this->user, $this->pass);
            $this->con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        }catch(Exception $ex){
            echo $ex->getMessage();
        }
    }

    public function dbDisconnect(){
        $this->con = null;
    }
}

class Database extends DatabaseConnect{

    public function __construct(){
        parent::__construct();
    }

    public function getPassword($username){

        $sql = "SELECT password FROM users WHERE username = ?;";

        $this->dbConnect();

        $stmt = $this->con->prepare($sql);
        $stmt->bindParam(1, $username); // This is the username that was passed to the method
        $stmt->execute();
        $stmt->setFetchMode(PDO::FETCH_ASSOC);

        $results = $stmt->fetchAll();

        $this->dbDisconnect();

        return $results[0]["password"];
    }
}

// This is the code that uses the above classes. The classes can be kept in a separate file (and should be).
$database = new Database();
$passFromDatabase = $database->getPassword("pseud");
$passFromInput = $_POST["password"];

if(password_verify($passFromInput, $passFromDatabase)){
    echo "Passwords match";
}

The first class contains the information / methods to connect to the database. The second class has our method to get the password from the database, with a given username, and it extends the first class.

Then, below the classes, we are using them to get the data from the database.

Typically, on StackOverflow, people will refuse to do this kind of thing (giving you a full answer that you could very well just research) but I'd rather actually help :P. Just be aware, next time, that most people will refuse to help you.

Hope I helped.