
I'm building a login/register project in school (beginner) and I have got a little stuck. I managed to hash/salt my users when they register. But when I want to verify their login info with the hashes/salt I can't manage to pull it off, it seems.

My register code is:

 $localhost = "host";
 $user = "user";
 $password = "password";
 $database = "database";
 $email = $_POST['email'];
 $passwords = $_POST['passwords'];

 $conn = new mysqli($localhost, $user, $password, $database);
 $error = $conn->connect_error;
 if ($error) {
     $code = $conn->connect_errno;
     die("Error: ($code) $error");
 }

 $email = mysqli_real_escape_string($conn, $_POST['email']);
 $passwordFromPost = $_POST['passwords'];
 $salt = password_hash($passwordFromPost, PASSWORD_BCRYPT);
 $passwords = mysqli_real_escape_string($conn, $_POST['passwords']);

 $sql = "INSERT INTO Users (email, passwords, salt)
         VALUES ('$email', '$passwords', '$salt')";
 $result = $conn->query($sql);

 $conn->close();

I read a little about it on another post here and I think I should be able to decrypt the pw with $passwordCorrect = password_verify("password", $hashPassword);

but I'm not sure how to implement it in PHP code and make it verify the user. Any tips on what I should do as the next step?

Hippimaster

2 Answers

You're not really creating a salt, it is included as part of the hash, and you would verify the password using the password_hash() function. You never decrypt a password with this function, you just verify the hash is correct.

This line, $salt = password_hash($passwordFromPost, PASSWORD_BCRYPT); doesn't actually create a salt - it creates a password hash.

You're correct that you would use the function like this:

$passwordCorrect = password_verify("password", $hashPassword);

If password is verified $passwordCorrect will be true. If not, it will be false:

if($passwordCorrect) {
    // allow login
} else {
    // do not allow login
}

In your code you can get rid of some lines and change to this:

$email = mysqli_real_escape_string($conn, $_POST['email']);
$passwordFromPost = $_POST['passwords'];
$password = password_hash($passwordFromPost, PASSWORD_BCRYPT);

Now all you have to do is store the password and the email with no other data.

Now, query the database:

$stmt = $conn->prepare('SELECT * FROM Users WHERE email = ?');
$stmt->bind_param("s", $_POST['email']);
$stmt->execute();
$result = $stmt->get_result()->fetch_assoc(); // needs mysqlnd; the stored hash is now in $result['passwords']

Now the user's password is in the result array and can be compared to $_POST['password'].

If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

In addition: Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!

Jay Blanchard

First, use prepared statements, not real_escape_string, in your query, to get used to best practices from the beginning.

You should not store the password, only the hash of it. So change
$salt = password_hash($passwordFromPost, PASSWORD_BCRYPT);
to
$password = password_hash($passwordFromPost, PASSWORD_BCRYPT);

and only store the email and the hashed password. Then, when checking the login, you select the password where email = the provided email and use password_verify('password from login', 'password selected from db'); the result will then be true if the passwords match.

rypskar
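Putting both answers together, here is an added example (not code from the question or either answer) of the register and login flow with password_hash(), password_verify() and bound parameters. It assumes PDO with an in-memory SQLite database in place of the question's mysqli connection so it runs stand-alone; the Users table, column names and sample credentials are constructed.

```php
<?php
// Added example, not code from the question or either answer. Stores only
// email + bcrypt hash, uses bound parameters, verifies with password_verify().
// Assumption: PDO + in-memory SQLite stands in for the question's mysqli
// connection; the same bound-parameter pattern applies to mysqli.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only the email and the hash are stored: no plaintext password, no salt column
    $db->exec('CREATE TABLE Users (email TEXT PRIMARY KEY, passwords TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $email, string $password): bool {
    // Hash the raw password as submitted; bcrypt generates a salt and embeds it in the hash
    $hash = password_hash($password, PASSWORD_BCRYPT);
    // Bound parameters: the input never becomes part of the SQL text
    $stmt = $db->prepare('INSERT INTO Users (email, passwords) VALUES (?, ?)');
    return $stmt->execute([$email, $hash]);
}

function loginUser(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT passwords FROM Users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown email: verify against a throwaway hash anyway so the response time
    // does not reveal which emails are registered
    $storedHash = $row ? $row['passwords'] : password_hash('throwaway', PASSWORD_BCRYPT);
    if (!password_verify($password, $storedHash) || $row === false) {
        return false;
    }
    // Transparently upgrade the hash if the bcrypt cost has been raised since it was stored
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT)) {
        $upd = $db->prepare('UPDATE Users SET passwords = ? WHERE email = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $email]);
    }
    return true;
}

// Constructed sample credentials for the demonstration
$db = openDb();
registerUser($db, 'alice@example.com', 'correct horse battery staple');
echo loginUser($db, 'alice@example.com', 'correct horse battery staple') ? "alice: login ok\n" : "alice: denied\n";
echo loginUser($db, 'alice@example.com', 'wrong password') ? "wrong pw: login ok\n" : "wrong pw: denied\n";
echo loginUser($db, 'nobody@example.com', 'anything') ? "unknown: login ok\n" : "unknown: denied\n";
```

Note that the password is hashed exactly as submitted, with no escaping or trimming, and that the login query returns only the hash column, never the whole row.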