
I'm trying to make a login page that connects to my server and checks whether the stored (hashed, SHA256) database password is the same as the password entered on the login page. However I have not managed to get it to work.

My hashed password is created for example in this query:

"INSERT INTO accounts VALUES (0,0,'secure',1500434821,0,1,'testaccount',SHA2('testaccount:password', 256),'testaccount@gmail.com',CAST(N'2023-03-12 10:34:09' AS DateTime),NULL,NULL,NULL);"

But for my login page currently I have:

$password = trim($_POST["password"]);

// $stmt is a prepared statement that has already been executed (selects id, username and the stored hash)
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
    // password_verify() expects $hashed_password to be a string produced by password_hash()
    if(password_verify($password, $hashed_password)) {
        echo 'login success' .'<br>';
    } else {
        echo 'login fail' .'<br>';
    }
}

$password is the login page input and $hashed_password is the variable that holds the password stored in the database. When I put these in an if statement it does not work. The passwords that are saved in the database are SHA-256.

Tried to find functions that convert input variables into hashed versions to compare the passwords but this has not worked so far. I have echoed the password variables and they are not equal to each other in value.

  • You can't use `password_verify()` unless you used `password_hash()` to hash the password. – Barmar Mar 31 '23 at 17:29
  • Is there any particular reason why you `trim()` the password? Are people not allowed to have spaces at the start or end of their password? I don't see how that would be a problem. – ADyson Mar 31 '23 at 18:05

1 Answer


It seems that you are using the wrong function to verify your password. The password_verify() function is only compatible with hashes created by password_hash(), not by hash() with SHA256. You have two options to fix this:

  1. You can use password_hash() with the PASSWORD_DEFAULT algorithm to create your hashes, and then use password_verify() to check them. This is the recommended way, as it uses a secure and up-to-date algorithm that automatically handles salting and stretching. For example:

// Register.php
$password = trim($_POST["password"]);
$hashed_password = password_hash($password, PASSWORD_DEFAULT); // salted, cost-stretched hash (bcrypt by default)
// Insert $hashed_password into database

// Login.php
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
if(mysqli_stmt_fetch($stmt)){
    if(password_verify($password, $hashed_password)) {
        echo 'login success' .'<br>';
    } else {
        echo 'login fail' .'<br>';
    }
}

  2. You can use hash() with SHA256 and a salt to create your hashes, and then use hash_equals() to check them. This is less secure and more error-prone, as you have to manually handle salting and stretching. For example:

// Register.php
$password = trim($_POST["password"]);
$salt = bin2hex(random_bytes(16)); // random per-user salt from the CSPRNG (replaces the undefined createSalt() placeholder)
$hashed_password = hash('sha256', $salt . $password);
// Insert $hashed_password and $salt into database

// Login.php
$password = trim($_POST["password"]);
mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $salt);
if(mysqli_stmt_fetch($stmt)){
    // hash_equals() compares in constant time, avoiding a timing side channel
    if(hash_equals($hashed_password, hash('sha256', $salt . $password))) {
        echo 'login success' .'<br>';
    } else {
        echo 'login fail' .'<br>';
    }
}
Mehdi
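As an added example that is not part of the answer above: the question's rows were created with MySQL's SHA2('username:password', 256), so an existing database can be migrated to password_hash() by accepting the legacy hex hash once, then rewriting the row after a successful login. The column layout and the exact "username:password" input are taken from the question's INSERT; the function names here are assumptions.

```php
<?php
// Added example (not from the original page): verify a login against either a
// legacy MySQL SHA2('username:password', 256) hex hash or a password_hash() hash,
// and flag legacy rows for upgrade after a successful login.

const LEGACY_HEX_LEN = 64; // SHA2(..., 256) in MySQL yields 64 lowercase hex chars

// Reproduces the question's stored value: SHA-256 of "username:password" as hex.
function legacy_sha256_hash(string $username, string $password): string
{
    return hash('sha256', $username . ':' . $password);
}

// Returns ['ok' => bool, 'rehash' => bool]. 'rehash' is true when the stored value
// should be replaced with a password_hash() hash after this successful login.
function verify_login(string $username, string $password, string $stored): array
{
    // password_get_info() reports an empty 'algo' for strings that password_hash() did not produce.
    $info = password_get_info($stored);
    if (!empty($info['algo'])) {
        $ok = password_verify($password, $stored);
        return ['ok' => $ok, 'rehash' => $ok && password_needs_rehash($stored, PASSWORD_DEFAULT)];
    }
    // Legacy SHA-256 hex: recompute with the same "username:password" input and compare in constant time.
    if (strlen($stored) === LEGACY_HEX_LEN && ctype_xdigit($stored)) {
        $ok = hash_equals(strtolower($stored), legacy_sha256_hash($username, $password));
        return ['ok' => $ok, 'rehash' => $ok];
    }
    return ['ok' => false, 'rehash' => false]; // unknown format: reject
}

// Constructed sample rows; a real app reads these via mysqli_stmt_bind_result().
$legacyRow = legacy_sha256_hash('testaccount', 'password'); // matches the question's INSERT
$modernRow = password_hash('password', PASSWORD_DEFAULT);

// A SHA-256 hex string is not password_hash() output, which is why the asker's check never succeeds.
var_dump(password_verify('password', $legacyRow));
var_dump(verify_login('testaccount', 'password', $legacyRow));
var_dump(verify_login('testaccount', 'wrong', $legacyRow));
var_dump(verify_login('testaccount', 'password', $modernRow));

// Upgrade path: after a successful legacy login, store a password_hash() value instead.
$r = verify_login('testaccount', 'password', $legacyRow);
if ($r['ok'] && $r['rehash']) {
    $newHash = password_hash('password', PASSWORD_DEFAULT);
    // UPDATE accounts SET <password column> = ? WHERE id = ?  (bind $newHash and $id with a prepared statement)
}
```

Because the legacy input includes the username, the username must be passed to the check as well; once every active user has logged in once, the legacy branch can be removed.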