Can't login using decrypted password (PHP)

Question

I try to login into my application using my account from database that the password are encrypted (but i don't know what's encrypt method, is it using md5 or sha256 IDK).

Here is my encrypted password " $2y$10$lMw3VSF7dQlIlnCjvWtrE.smQEslGBPFbvLxy0ROo1kPVzmmlj2ui " the password is 1234 if it's not using encrypted method.

The problem is when i try to login using 1234 it's just can't login, but when i input $2y$10$lMw3VSF7dQlIlnCjvWtrE.smQEslGBPFbvLxy0ROo1kPVzmmlj2ui the system is redirecting me to index.php (login is success)

Here is my code :

<div class="container-fluid">
    <div class="row">
        <div class="col-lg-4 offset-lg-4 mt-5">
            <div class="card shadow">
                <div class="card-body">
                    
                    <center><img src="aset/login.jpg" style="max-width:300px;max-height:300px;" class=""></center>
                    <h4 class="text-center">LogIn CPPT</h4>
                    <hr>
                    <form method="post" action="">
                        <label>Username</label>
                        <input type="text" class="form-control" name="Username" autocomplete="off" required>
                        <label>Password</label>
                        <input type="password" class="form-control mb-3" name="Password" autocomplete="off" required>
                        <center><a href="https://api.whatsapp.com/send?phone=6281290231840&text=Permisi,%20Saya%20lupa%20password%20aplikasi%20CPPT%20saya,%20mohon%20dikirimkan%20password%20baru.%20Terimakasih." target="_blank" class="mt-3">Lupa kata sandi?</a></center>
                        <marquee class="text-danger"><b>RSU Amanah Sumpiuh, Banyumas, Jawa Tengah - Aplikasi Catatan Perkembangan Pasien Terintegrasi</b></marquee>
                        <button class="btn btn-success mt-3 float-end" name="LOGIN" type="submit"><i class="fa fa-arrow-circle-right" aria-hidden="true"></i> Masuk</button>
                    </form>
                </div>
            </div>
        </div>
    </div>
</div>

    <?php
if (isset($_POST['LOGIN'])) {
    $Username = $_POST['Username'];
    $Password = $_POST['Password'];
    $sql = mysqli_query($connection4, "SELECT * FROM RSUPengguna WHERE Username = '$Username' and Password = '$Password'");

    $tiliki = mysqli_num_rows($sql);
    if ($tiliki > 0) {
        $_SESSION['Username'] = $_POST['Username'];
        echo "<meta http-equiv=refresh content=0;URL='index.php'>";
    } else {
        echo "<script type='text/javascript'>alert('Username atau Password Tidak Benar!');</script>";
        echo "<meta http-equiv=refresh content=2;URL='login.php'>";
    }
}
?>

Anyone can solve this problem?

You say the password is `encrypted`? What type of encryption? How / when is it encrypted? Do you mean `hashed` instead? — Professor Abronsius, Apr 26 '23 at 06:05

score 3 · Answer 1 · answered Apr 26 '23 at 06:22

Judging by the initial characters ( ie:$2y$10$ ) that password is not encrypted but most likely hashed using password_hash. If that is the case your SQL never contains the password itself - you return the password in the SQL and compare that stored hash to the posted password value using password_verify

The following should be of interest if the password is, as suspected, hashed rather than encrypted.

<?php
    
    session_start();
    
    # It is important to have ALL these parameters in POST 
    # request so only proceed if they are!
    if( $_SERVER['REQUEST_METHOD']=='POST' && isset(
        $_POST['Username'],
        $_POST['Password']
    )){
        # create the sql that selects the password from db table based upon username
        # - use a prepared statement to mitigate sql injection
        $sql='select `password` from `RSUPengguna` where `username`=?';
        
        # create the prepared statement
        $stmt=$connection4->prepare( $sql );
        
        # bind the POSTed username to the placeholder in the sql statement
        $stmt->bind_param('s',$_POST['Username']);
        
        # Run the query and assign result to a variable
        $stmt->execute();
        $stmt->bind_result( $hash );
        $stmt->fetch();
        
        # validate the password matches the stored hash
        if( password_verify( $_POST['Password'], $hash ) ){
            $_SESSION['Username'] = $_POST['Username'];
            exit( header('Location: index.php') );
        }else{
            // failed - let PHP do the redirect, remove Javascript from here.
            exit( header('Location: login.php?error=bad-login-details') );
        }
    }

?>

I just try your code, there are no error. But the system still not redirecting to index page after i click login/masuk button. Help me please, Sir. — IMAM IHSANI, Apr 27 '23 at 03:17
How have you debugged where the code gets to? Have you used `echo` at various places to see if the code gets to that point? — Professor Abronsius, Apr 27 '23 at 06:18

Can't login using decrypted password (PHP)

1 Answers1