
I'm trying to make phpass work by using this article: https://sunnyis.me/blog/secure-passwords

When I create a new user there is no problem. Everything uploads to the database and I get a salted hash that looks something like this:

$2a$08$5i8TUw7Ego09blkDF6Fv.OVGyKMZjLJ7HzSfRZpX62EbsrcxhLbKK

But the problem is the verification when trying to log in to the account.

    <?php
    ini_set('display_errors', 1);
    error_reporting(E_ALL ^ E_NOTICE);
    session_start();                  /* required before $_SESSION is written below */

    require("passwordhash.php");
    /* $mysqli is assumed to be an open mysqli connection created in an included file */

    $feedback = "";

    if (isset($_POST['submit'])) {

        if (!empty($_POST['email']) && !empty($_POST['pass'])) {

            $email    = $_POST['email'];
            $password = $_POST["pass"];

            /* Getting the matching account for login; a prepared statement keeps $email out of the SQL text */
            $stmt = $mysqli->prepare("SELECT pass FROM user WHERE email = ?");
            $stmt->bind_param("s", $email);
            $stmt->execute();
            $stmt->store_result();
            $numrows = $stmt->num_rows;

            if ($numrows != 0) {

                if (strlen($password) <= 72) {

                    /* Retrieve the stored hash from the row and try to match it against $password */
                    $hasher = new PasswordHash(8, false);
                    $stored_hash = "*";       /* "*" never matches, so a failed fetch cannot log anyone in */

                    $stmt->bind_result($stored_hash);
                    $stmt->fetch();

                    $check = $hasher->CheckPassword($password, $stored_hash);

                    /* at this if statement it never goes through */
                    if ($check) {
                        $_SESSION['email'] = $email;
                        header('Location: ' . $_SERVER["REQUEST_URI"]);
                        die;
                    }
                    /* It always ends up in this else statement */
                    else {
                        /* debugging only: the stored hash and submitted password must not be echoed in production */
                        $feedback = "Invalid username or password! $stored_hash $password";
                    }

                } else {
                    $feedback = "Password must be 72 characters or less";
                }
            } else {
                $feedback = "Invalid username or password!";
            }
            $stmt->close();
        } else {
            $feedback = "All fields are required!";
        }
    }

    echo "$feedback";

    ?>

At the else statement where it always ends up I also tried to see what the variables I sent in to the function contained. $password contains whatever I write in as a password in the field and $stored_hash retrieves the fully hashed password from the database as intended.

This is the function:

    function CheckPassword($password, $stored_hash)
    {
        $hash = $this->crypt_private($password, $stored_hash);
        if ($hash[0] == '*')
            $hash = crypt($password, $stored_hash);

        return $hash == $stored_hash;
    }

So my problem is that something isn't working correctly, since the variable $check returns an empty string. Is it possible that there is something wrong with my PHP version (5.3.23) or is there something wrong with the code?

Querty
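The verification path phpass takes for a `$2a$` hash, written out step by step as an added example (this is not the asker's code and not phpass itself): it assumes a `mysqli` connection `$db` and a `user` table with `email` and `pass` columns, and the password and salt used in the self-test at the bottom are constructed for the demo.

```php
<?php
/* Added example, not the asker's code and not phpass itself. Assumes a mysqli
 * connection $db and a `user` table with `email`/`pass` columns; the password
 * and salt used in the self-test below are constructed for this demo. */

/* A bcrypt hash is exactly 60 characters. A shorter value (for instance one cut
 * down by a too-narrow column) can never verify, so reject it before crypt(). */
function bcrypt_hash_ok($hash) {
    return strlen($hash) === 60 && preg_match('/^\$2[ay]\$\d{2}\$/', $hash) === 1;
}

/* Constant-time string comparison; hash_equals() only arrived in PHP 5.6. */
function same_string($a, $b) {
    if (strlen($a) !== strlen($b)) return false;
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

/* For a $2a$ hash phpass falls through to crypt($password, $stored_hash) and
 * compares the output with the stored hash; this is that step on its own. */
function verify_against_hash($password, $stored_hash) {
    if (strlen($password) > 72 || !bcrypt_hash_ok($stored_hash)) return false;
    return same_string(crypt($password, $stored_hash), $stored_hash);
}

/* Fetch the stored hash with a prepared statement; "*" never matches crypt() output. */
function fetch_stored_hash(mysqli $db, $email) {
    $stmt = $db->prepare('SELECT pass FROM user WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : '*';
}

/* Self-test without a database: hash a constructed password the way phpass does
 * with cost 8, then verify a right password, a wrong one and a truncated hash. */
if (CRYPT_BLOWFISH !== 1) die("this PHP build has no bcrypt\n");
$hash = crypt('correct horse battery', '$2a$08$abcdefghijklmnopqrstuv'); /* constructed 22-char salt */
var_dump(bcrypt_hash_ok($hash));
var_dump(verify_against_hash('correct horse battery', $hash));
var_dump(verify_against_hash('wrong password', $hash));
var_dump(verify_against_hash('correct horse battery', substr($hash, 0, 50)));
```

Running the self-test on the same PHP build that fails the login shows whether crypt() itself round-trips a fresh `$2a$08$` hash there; the same `verify_against_hash()` can then be pointed at a value fetched with `fetch_stored_hash()`.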
  • If you're not too far along, can I recommend the password_hash() and password_verify() functions that come with PHP 5.5? http://php.net/manual/en/function.password-hash.php – Luke Jul 16 '15 at 23:05
  • Sorry I miswrote, my PHP version is 5.3.23 and since it's 5.5 I guess I won't be able to use it. I can't change version because this is done on my university's system. – Querty Jul 16 '15 at 23:08
  • There's an effort to [backport the functionality](https://github.com/ircmaxell/password_compat) to older versions. – Anonymous Jul 16 '15 at 23:09
  • I will check it out thanks – Querty Jul 16 '15 at 23:18
  • I tried to backport. The hashing works when registering but I get the same problem when trying to verify the password hash! If someone would mind taking a look at it: http://pastebin.com/z7bdKSNG – Querty Jul 16 '15 at 23:53
  • Edit in pastebin: Noticed I forgot to change variable $stored_hash = $row['pass']; to just $hash. Didn't work anyway though. – Querty Jul 17 '15 at 00:00
  • I guess this won't work since it seems the hashing won't work on lower versions than 5.3.7 – Querty Jul 17 '15 at 01:16

0 Answers