SacredSkull - 4 months ago
PHP Question

PHPass refuses to check hashes

include 'lib/php/PasswordHash.php';

$hash = $_GET['hash'];
$pass = $_GET['pass'];

$hasher = new PasswordHash(8, false);
$pass = $hasher->HashPassword($pass);
echo "Original:<br>" . $pass . "<br>";
$checked = $hasher->CheckPassword($pass, $hash);
echo "Hashed:<br>" . $checked . "<br>";
echo "<br>";
echo "Are they equal? <b>";
if($pass == $checked){ echo "Yep!</b>";} else{
    echo "Nope. </b>";
}


The incredibly simple piece of code above does not work at all as intended. Yes, the pass variable gets hashed and output correctly, but CheckPassword() fails to output anything at all. I have tested just a simple word "hello" and inserted them directly into the function (e.g. CheckPassword('$2...', '$2...');) and it still outputs nothing.

I'm running on XAMPP Windows, and I've just been forced to conclude that must be the problem. I used this code rather than the actual project to remove the database as a factor, and found this issue.

Try to restrain yourselves from vomiting at the ugliness of the code, but it is a desperate attempt to get it to work.

If you are running this code yourself you'll need to place both a 'pass' and a 'hash' GET variable in the URL to test this. Most likely I've made a terrible mistake somewhere, so I'm not confident at all blaming my environment.

EDIT:

I used the code below to generate the initial variable to use in the URL.

include 'lib/php/PasswordHash.php';

// The plaintext comes from the 'pass' GET parameter; the result is the 'hash' value for the URL.
$pass = $_GET['pass'];

$hasher = new PasswordHash(8, false);
$hash = $hasher->HashPassword($pass);

echo $hash;

Answer

You're using CheckPassword incorrectly. The first argument should be plain text; the second a hash, according to the documentation. You are setting $pass to a hashed value, then using it as the first argument in CheckPassword anyway.

Corrected code (untested):

include 'lib/php/PasswordHash.php';

$hash = $_GET['hash'];
$pass = $_GET['pass'];

$hasher = new PasswordHash(8, false);
// Just delete this line: $pass = $hasher->HashPassword($pass);
echo "Original:<br>" . $pass . "<br>";
// CheckPassword() returns a boolean (true if $pass matches $hash), not a hash string.
$checked = $hasher->CheckPassword($pass, $hash);
echo "Matches hash?<br>" . ($checked ? 'true' : 'false') . "<br>";
echo "<br>";
echo "Are they equal? <b>";
// Test the boolean directly; comparing the plaintext to a boolean only works by accident.
if($checked){ echo "Yep!</b>";} else{
    echo "Nope. </b>";
}

P.S. I'm not sure why you are trying to get the value of $hash from $_GET. If you let the user specify both the password and the hash, they can fool your application into granting access. I'm assuming this is just a test and that you will use a database or other secure storage in your real app.
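The flow the answer describes, as an added example that is not part of the question or the answer: the hash is produced once at registration and then read back from storage at login, so CheckPassword() always receives the plaintext first and a hash the user never supplied second. It assumes PasswordHash.php at the path used in the question and uses a constructed in-memory array in place of a database.

```php
<?php
// Added example (not from the original post). Assumes phpass at the path
// used in the question; $users is a constructed stand-in for a database table.
require_once 'lib/php/PasswordHash.php';

// username => stored hash. In a real application this is the only source of hashes.
$users = array();

function registerUser(array &$users, $username, $plaintext) {
    $hasher = new PasswordHash(8, false);   // 2^8 iterations, bcrypt when available
    $hash = $hasher->HashPassword($plaintext);
    // phpass signals failure with a short '*...' string; never store such a value.
    if (strlen($hash) < 20) {
        return false;
    }
    $users[$username] = $hash;
    return true;
}

function loginUser(array $users, $username, $plaintext) {
    if (!isset($users[$username])) {
        return false;   // unknown user: same outcome as a wrong password
    }
    $hasher = new PasswordHash(8, false);
    // Argument order matters: plaintext first, the stored hash second.
    return $hasher->CheckPassword($plaintext, $users[$username]);
}

registerUser($users, 'alice', 'hello');

echo "alice/hello: " . (loginUser($users, 'alice', 'hello') ? 'accepted' : 'rejected') . "\n";
echo "alice/wrong: " . (loginUser($users, 'alice', 'wrong') ? 'accepted' : 'rejected') . "\n";
echo "bob/hello:   " . (loginUser($users, 'bob', 'hello') ? 'accepted' : 'rejected') . "\n";

// The mistake from the question: hashing the password before checking it.
// The first argument is then a hash string, so phpass compares the stored hash
// against the hash of that string, which can never match.
$hasher = new PasswordHash(8, false);
$rehashed = $hasher->HashPassword('hello');
echo "hash-as-password: " . ($hasher->CheckPassword($rehashed, $users['alice']) ? 'accepted' : 'rejected') . "\n";
```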