dogearmy69 - 1 year ago
PHP Question

hash password and verify it with same variable

I tried to make this register page more secure, so I added this code for the password:

$pas_usr = mysqli_real_escape_string($koneksi, $_POST['pas_usr']);
$pas_usr = password_hash($pas_usr, PASSWORD_BCRYPT);

The result in the password column is encrypted.

Then in the login page, when I try to verify it, it says wrong password.

Here's my login page:

// start a new session
session_start();

// load the connection
include "koneksi.php";

$username = $_POST['username'];
$password = $_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($koneksi, $username);
$password = mysqli_real_escape_string($koneksi, $password);

$hash = $_POST['password'];

if(password_verify($password, $hash)){

$query = mysqli_query($koneksi, "SELECT * from user WHERE log_usr='$username' AND pas_usr='$password'");
$data = mysqli_fetch_array($query);
$id = $data["log_usr"];
$lvl = $data["sts_usr"];

if ($lvl=='A') {
$link = 'index.html';
} else {
$link = 'index.php';
}
$_SESSION['username'] = $username;
header ("location:$link");
echo "<script>alert('Username dan Password tidak valid.'); window.location = 'index.php'</script>";
echo "<script>alert('Username dan Password tidak valid.'); window.location = 'index.php'</script>";

Answer Source

password_verify matches your plain password against the hashed version of your given password, while you're checking with the plain password in both parameters. password_verify works like this:

password_verify($plainPassword, $hashedPassword)

// See the password_hash() example to see where this came from.
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}
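
The fix the answer describes, as an added example that is not part of the original answer: the stored hash is fetched by username and passed to password_verify() together with the raw submitted password. It assumes PDO with an in-memory SQLite database in place of the mysqli connection from koneksi.php, reuses the question's table and column names, and uses constructed sample credentials.

```php
<?php
// Added example, not the asker's code. Assumption: PDO with in-memory SQLite
// stands in for the mysqli connection in koneksi.php so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (log_usr TEXT PRIMARY KEY, pas_usr TEXT, sts_usr TEXT)');

function register(PDO $db, string $username, string $password, string $level): void
{
    // Hash the raw password: no escaping or stripslashes() first, because
    // those change the bytes that get hashed.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO user (log_usr, pas_usr, sts_usr) VALUES (?, ?, ?)');
    $stmt->execute([$username, $hash, $level]);
}

function login(PDO $db, string $username, string $password): ?array
{
    // Look the row up by username only; the hash is salted, so it can
    // never be matched with "AND pas_usr = ..." in SQL.
    $stmt = $db->prepare('SELECT log_usr, pas_usr, sts_usr FROM user WHERE log_usr = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare the submitted plain password with the stored hash.
    if ($row === false || !password_verify($password, $row['pas_usr'])) {
        return null; // same result for unknown user and wrong password
    }
    return $row;
}

// Constructed sample data; the password contains characters that escaping would alter.
register($db, 'alice', "pa'ss\\word", 'A');

var_dump(login($db, 'alice', "pa'ss\\word") !== null); // correct password
var_dump(login($db, 'alice', 'wrong') !== null);       // wrong password
var_dump(login($db, 'bob', "pa'ss\\word") !== null);   // unknown user

// The mistake from the question: both arguments are the plain password.
var_dump(password_verify('secret', 'secret'));
```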