
I'm having a weird problem with hashed passwords. I've used the same script from another website on another server (Linux running PHP) on this website (Windows running PHP). The login won't work: the stored hashed password doesn't match the entered password. I've echoed both to check and they just don't match. As far as I can see, the code (which is the same on both) works on Linux but not on Windows. Is that possible?

Here's the code (which is the same on both websites so shouldn't be the problem)

<?php

// get user data
$strUsername = isset($_POST['email']) ? trim(strip_tags($_POST['email'])) : null;
$strPassword = isset($_POST['password']) ? trim(strip_tags($_POST['password'])) : null;

$DBH = new PDO('database details...');

$SQL = "SELECT inj_user_email,inj_user_password,inj_user_password_salt,inj_user_id FROM inj_user WHERE inj_user_email = :username;";

if ( $strUsername == '' || $strPassword = '' ) // note: single '=' here assigns rather than compares
{
    $missing = 'Please enter an email address and password';
}
else
{
    $STH = $DBH->prepare($SQL);
    $STH->bindParam(':username', $strUsername);
    $STH->execute();
    $row = $STH->fetch();
    if ($STH->rowCount() > 0) {
        // legacy scheme: hex SHA-512 of password followed by the stored salt
        $verify_password = hash('sha512', $strPassword.$row['inj_user_password_salt']);
        echo $verify_password.'<br>'.$row['inj_user_password']; // debug output
        if (strcmp($verify_password, $row['inj_user_password']) == 0)
        {
            session_start();
            session_regenerate_id(true);
            $_SESSION['user1'] = $row['inj_user_id'];
            header('Location: ../screen/');
            exit; // stop here, otherwise the Location header below replaces this one
        }
        else
        {
            $missing = 'Incorrect password';
            echo $missing;
            exit;
        }
    }
    else
    {
        $missing = 'Email address not found';
    }
}
header('Location: ../?missing='.$missing);
?>

Thank you.

  • How did you store the value in the database? Are you sure the hash and the salt in the database are up to date? –  Feb 14 '15 at 13:27

1 Answer


You are missing an = sign in your comparison:

if ( $strUsername == '' || $strPassword = '' )

should be

if ( $strUsername == '' || $strPassword == '' )

Also, this scheme uses a salt:

$row['inj_user_password_salt']

It is appended to the password before hashing. It comes from the database, so first of all make sure the salt is retrieved correctly and matches the original.

Then check that the character encoding you are using matches the original too, especially if you are using non-ASCII characters. The 2 most popular non-ASCII character encodings in PHP are UTF-8 (without BOM) and ISO-8859-1.

Anyway, you shouldn't be using SHA for password hashing (even the 512-bit version).

There are safe algorithms for password hashing, such as bcrypt.

PHP >= 5.5 implements the secure password hashing/checking functions password_hash and password_verify. That's what you should be using.

(Read the FAQ on password hashing on the PHP manual for more info)

There are also password hashing libraries, such as phpass (used by popular CMSs such as WordPress and Drupal).

(In case you are interested you can check out my own tweak to add support for safer password hashing algorithms to this library)

NotGaeL
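The migration the answer recommends, as an added example that is neither the asker's script nor the answerer's code: verify a login against the question's legacy hex sha512(password . salt) hash using a constant-time comparison, then replace the row with a password_hash() value so that later logins go through password_verify(). It assumes the question's table and column names, PHP 7.1 or later (for the nullable return type), and the convention that an empty salt column marks a row that has already been migrated.

```php
<?php
// Added example (not the asker's or answerer's code). Assumed: the question's
// inj_user table/columns, PHP >= 7.1, and the convention that an empty
// inj_user_password_salt marks a row already converted to password_hash().

function verifyLegacyHash(string $password, string $salt, string $storedHex): bool
{
    // hash_equals() compares in constant time; strcmp()/== leak timing information.
    return hash_equals($storedHex, hash('sha512', $password . $salt));
}

function storeNewHash(PDO $dbh, int $userId, string $password): void
{
    $sth = $dbh->prepare('UPDATE inj_user SET inj_user_password = :hash,
        inj_user_password_salt = :salt WHERE inj_user_id = :id');
    // password_hash() embeds the algorithm, cost and its own random salt in the string.
    $sth->execute([':hash' => password_hash($password, PASSWORD_DEFAULT),
                   ':salt' => '', ':id' => $userId]);
}

// Returns the user id on success, null on failure (do not reveal which part failed).
function authenticate(PDO $dbh, string $email, string $password): ?int
{
    $sth = $dbh->prepare('SELECT inj_user_id, inj_user_password, inj_user_password_salt
        FROM inj_user WHERE inj_user_email = :email');
    $sth->execute([':email' => $email]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $id     = (int) $row['inj_user_id'];
    $stored = (string) $row['inj_user_password'];
    $salt   = (string) $row['inj_user_password_salt'];
    if ($salt === '') {                         // already migrated row
        if (!password_verify($password, $stored)) {
            return null;
        }
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            storeNewHash($dbh, $id, $password); // default cost/algorithm changed since
        }
        return $id;
    }
    if (!verifyLegacyHash($password, $salt, $stored)) { // legacy sha512 row
        return null;
    }
    storeNewHash($dbh, $id, $password);         // upgrade on first successful login
    return $id;
}
```

Because the legacy branch hashes the exact bytes it receives, a stored hash produced under a different encoding of the same password will still fail here; that is the encoding mismatch the answer tells you to rule out first.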