
I'm trying to figure out how to use password_hash on register and login systems.

Currently I'm using password_hash like this to register my users.

$pass = $_POST['Pass']; 
$hashed_password = password_hash($pass, PASSWORD_DEFAULT); 

$stmt = $conn->prepare("INSERT INTO `usuario`(`Nick`, `Nombre_u`, `Apellidos`, `e-mail`, `Password`, `Domicilio`, `Colonia`, `Codigo_Postal`, `Cuidad`, `Estado`, `Telefono`) VALUES (?, ?, ?, ?, ?, ? , ?, ?, ?, ?, ?)"); 
$stmt->bind_param( "sssssssisss", $nick, $nombre, $apellidos, $mail, $hashed_password, $domicilio, $colonia, $cp, $cuidad, $estado,  $telefono); 
$stmt->execute(); 
header("Location: ../Registrado.php?Done=Welcome"); 

And I'm logging in my users this way.

$usuario = $_POST["Nick"];
$contra = $_POST["Pass"]; 
$hashed_password = password_hash($contra, PASSWORD_DEFAULT);  
$stmt = $conn->prepare("SELECT Nick, Password FROM usuario WHERE Nick = ? AND Password= ?");
$stmt->bind_param( "ss", $usuario, $hashed_password); 
$stmt->execute();
$stmt->store_result(); 
$stmt->bind_result($a, $b); 
if($stmt->fetch() == 0){ 
    header("Location: ../Entrar.php?message=Error");
    exit();
} 
else {  
    session_start(); 
    $_SESSION['Usuario'] = $a; 
    $_SESSION['estado'] = 'Autenticado';  
    header("Location: ../../Index.php"); 
    exit();
}    

The way I understand it, my query will do something like this.

First it will take my input, e.g. "123", then hashed_password will turn my input into something like "$2y$10$BvFW3ott5f7JvZ4rCa", and my query will do its work like this.

SELECT Nick, Password FROM usuario WHERE Nick = 'User' AND Password= '$2y$10$BvFW3ott5f7JvZ4rCa'

But I'm still being returned to my login form instead of logging in my user.

What am I doing wrong?

Mugen
  • login on SELECT requires `password_verify()` and not `password_hash()`. – Funk Forty Niner Mar 05 '17 at 19:38
  • plus, your password column's length is too short. Best you go back to reading the manuals and follow its syntax "to the letter". – Funk Forty Niner Mar 05 '17 at 19:39
  • `password_hash()` will produce a different hash every time you use it, even for the same password. You need to get the password hash for the username and then, as the other comments mentioned, verify it with `password_verify()` in your code instead. – M. Eriksson Mar 05 '17 at 20:03
  • Answered the same question in this [answer](http://stackoverflow.com/a/38422760/575765). Hope it helps. – martinstoeckli Mar 05 '17 at 20:24

1 Answer


OK, I made this work with password_verify():

$usuario = $_POST["Nick"];
$contra = $_POST["Pass"];   
$stmt = $conn->prepare("SELECT Nick, Password FROM usuario WHERE Nick = ?");
$stmt->bind_param( "s", $usuario); 
$stmt->execute();
$stmt->store_result(); 
$stmt->bind_result($a, $b);   

if($stmt->fetch() == 0){ 
    header("Location: ../Entrar.php?message=Error");
    exit();
}
else {  
    if(password_verify($contra, $b)) {
        session_start(); 
        $_SESSION['Usuario'] = $a; 
        $_SESSION['estado'] = 'Autenticado';  
        header("Location: ../../Index.php"); 
        exit; 
    }
    else{ 
        header("Location: ../Entrar.php?message=Error");
        exit;
    }
} 

Thank you for all those comments. And yes, martinstoeckli, that was the answer to my question, thank you.

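The accepted answer and the comments boil down to two things: password_hash() salts every call, so the same password never produces the same string twice and can never be matched in a WHERE clause; and the stored hash column must be wide enough to hold the full output. The following is an added example written for this page, not the asker's code: it shows the register/login pair as two functions, keeps the `usuario`/`Nick`/`Password` names from the question, and swaps mysqli for PDO over an in-memory SQLite database (an assumption made only so it runs without a MySQL server; the same fetch-then-verify logic applies to the mysqli code above). The dummy-hash fallback for unknown users and the password_needs_rehash() step are additions beyond what the thread discusses.

```php
<?php
// Added example (not the asker's code): register and log in with
// password_hash() / password_verify(). PDO + SQLite in memory is an
// assumption so the script runs offline; table and column names follow
// the question.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // bcrypt output is 60 characters; the PHP manual recommends 255 so a
    // future PASSWORD_DEFAULT algorithm still fits. A shorter column
    // silently truncates the hash and every login fails.
    $db->exec("CREATE TABLE usuario (Nick TEXT PRIMARY KEY, Password VARCHAR(255) NOT NULL)");
    return $db;
}

function registerUser(PDO $db, string $nick, string $plain): void {
    // Hash once at registration; the salt and cost are embedded in the output.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare("INSERT INTO usuario (Nick, Password) VALUES (?, ?)");
    $stmt->execute([$nick, $hash]);
}

function loginUser(PDO $db, string $nick, string $plain): bool {
    // Step 1: look the row up by Nick only. A freshly computed hash in the
    // WHERE clause (as in the original login code) can never match.
    $stmt = $db->prepare("SELECT Password FROM usuario WHERE Nick = ?");
    $stmt->execute([$nick]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown Nick: still run password_verify() against a dummy hash so the
    // response time does not reveal which usernames exist. The dummy value
    // is constructed here and computed once per process.
    static $dummy = null;
    $dummy ??= password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT);
    $stored = $row !== false ? $row['Password'] : $dummy;

    // Step 2: password_verify() reads salt and cost out of the stored hash
    // and compares in constant time.
    $ok = password_verify($plain, $stored) && $row !== false;

    // Step 3 (optional): transparently upgrade hashes whose cost or
    // algorithm no longer matches the current PASSWORD_DEFAULT.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare("UPDATE usuario SET Password = ? WHERE Nick = ?");
        $upd->execute([password_hash($plain, PASSWORD_DEFAULT), $nick]);
    }
    return $ok;
}

// Demo with constructed sample values.
$db = openDb();
registerUser($db, 'User', '123');

// Why the original WHERE Password = ? could never match: hashing the same
// password twice yields two different strings because each call draws a
// fresh random salt.
$h1 = password_hash('123', PASSWORD_DEFAULT);
$h2 = password_hash('123', PASSWORD_DEFAULT);
var_dump($h1 === $h2);
var_dump(strlen($h1));

var_dump(loginUser($db, 'User', '123'));
var_dump(loginUser($db, 'User', 'wrong'));
var_dump(loginUser($db, 'nobody', '123'));
```

Running the script shows the two hashes comparing unequal and a 60-character bcrypt string, then the correct password accepted and both the wrong password and the unknown user rejected. Carrying this back to the mysqli code in the answer means exactly what it already does: select by Nick alone, bind the Password column into a variable, and let password_verify() decide.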