
I'm trying to implement secure user authentication by following this website. But I'm having trouble storing the string result from the PHP password_hash function. I mean, this works perfectly:

<?php
$pass = "anypassyouwant";
// Pre-hash with SHA-256 (raw bytes), base64-encode, then hash with password_hash()
$stored = password_hash(
    base64_encode(
        hash('sha256', $pass, true)
    ),
    PASSWORD_DEFAULT
);
// ...
// The same pre-hashing must be applied to the candidate before password_verify()
if (password_verify(
    base64_encode(
        hash('sha256', $pass, true)
    ),
    $stored
)) {
    echo "TRUE";
} else {
    echo "FALSE";
}

In the real app I store `$stored` in my DB and use it in password_verify, but all I get is false. Since the above code works perfectly, the only reasonable explanation is the storage in the DB. Varchar and binary are not working.

Does anyone know how should I store it?

Thanks in advance.

My insert instruction:

$sql = sprintf("
    INSERT INTO tbl_usuarios (nombre, apellidos, password, email, fechanac, url_in, sexo)
    VALUES ('%s', '%s', '%s', '%s', '%s', '%s', %u)",
    $nombre,
    $apellidos,
    $pass,
    $bd->escape($_POST['email']),
    $fechanac,
    $url_in,
    $sexo
);

Where `$pass` is the result of password_hash. I tried %s and %b (varchar and binary in the DB).

DandyCC
  • Where's the insert code? Plus, make sure the column's long enough to accommodate the hash. Voted as unclear. – Funk Forty Niner Jul 20 '15 at 20:05
  • See @look's answer for a solution to your problem: http://stackoverflow.com/questions/29959689/php-login-using-mysql-data-and-hashed-password – Alon Bilu Jul 20 '15 at 20:11
  • Hashing and storing passwords with PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) . – Jay Blanchard Jul 20 '15 at 20:12
  • Doing `base64_encode()` in this case does not add anything to your app and it essentially shortens the length of the hash that is passed to password_hash(). sha256 hash length is 64 characters and if you base64 encode it, it is increased to 88 characters, however bcrypt (which is used in password_hash) is limited to 55 characters and anything after that is truncated. Hope this makes sense. – Mike Jul 20 '15 at 20:24
  • possible duplicate of [What column type/length should I use for storing a Bcrypt hashed password in a Database?](http://stackoverflow.com/questions/5881169/what-column-type-length-should-i-use-for-storing-a-bcrypt-hashed-password-in-a-d) – Mike Jul 20 '15 at 20:35
  • I read the two posts Alon Bilu and Mike suggested before coming here to ask, but none of them solve my question. I just edited to add my insert code as Fred asked. Gonna read Jay's answer. – DandyCC Jul 20 '15 at 21:11
  • What is the table structure? – Mike Jul 20 '15 at 21:32
  • @Mike, that's exactly my question. I don't know if I should choose varchar, binary, varbinary or anything else. I tried all the options I thought were going to work, combined with different lengths, but I got nothing. – DandyCC Jul 20 '15 at 23:03

1 Answer


In the insert code you posted, you reference the variable `$pass` rather than `$stored`, which is the hashed and base64-encoded version of the password. You probably need to update the SQL query to use the `$stored` variable instead of `$pass`.

Also, when debugging this, it will be helpful to compare what you retrieve from the database against what the hashed input is. This may show you accidentally stored the plaintext password rather than the hashed version.

drew010
  • I copied the insert code from the original PHP file I use; the code above is just a test I wrote to see what was going on, sorry for not being clear about that. I've made some tests and what is stored in the DB is not what password_hash returns, no matter if I choose varchar, binary or anything else; it never stores what password_hash returns. – DandyCC Jul 20 '15 at 22:54
  • @DandyCC Note that `password_hash()` uses a random salt, so the hash will be different every time. If you are comparing what the DB contains and what password_hash returns you need to make sure it uses the same salt or the result will always be different. Try setting a specific salt (for testing only) and compare what is returned from the DB to the output of password_hash(). If it is truncated, you need to increase the length of the column in your database. – Mike Jul 21 '15 at 00:17
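The following is an added example, not code from the question or the answer above. It shows the whole round trip the answer and the last comment describe: hash with password_hash(), store the result through a prepared statement, read it back, compare the read-back value with the exact string that was inserted (not with a fresh password_hash() call, which would differ because of the random salt), and finally check a login with password_verify(). It uses an in-memory SQLite database through PDO so it runs offline; the table layout, column names and the sample e-mail are assumptions for illustration, not the questioner's real schema.

```php
<?php
// Added example: store a password_hash() result in a DB column and verify it.
// The schema and sample data below are constructed for this demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// bcrypt output is 60 characters; 255 leaves headroom in case PASSWORD_DEFAULT
// switches to a longer format in a future PHP release.
$pdo->exec('CREATE TABLE tbl_usuarios (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    email    TEXT NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)');

function register(PDO $pdo, string $email, string $plain): string
{
    // Hash the password directly. The returned string carries the algorithm,
    // cost and a random salt, so every call produces a different value.
    $stored = password_hash($plain, PASSWORD_DEFAULT);
    if (!is_string($stored)) {          // PHP < 8 returns false on failure
        throw new RuntimeException('password_hash() failed');
    }
    // Prepared statement: the hash never becomes part of the SQL text, so no
    // sprintf()/escape() step is involved and nothing is mangled on the way in.
    $stmt = $pdo->prepare(
        'INSERT INTO tbl_usuarios (email, password) VALUES (:email, :password)'
    );
    $stmt->execute([':email' => $email, ':password' => $stored]);
    return $stored;
}

function fetchStoredHash(PDO $pdo, string $email): ?string
{
    $stmt = $pdo->prepare('SELECT password FROM tbl_usuarios WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['password'];
}

// The debugging check from the answer: compare what the DB gives back with the
// exact string that was inserted. A shorter value read back means the column
// truncated the hash (MySQL does this silently when not in strict mode).
function hashRoundTripsIntact(PDO $pdo, string $email, string $inserted): bool
{
    $fromDb = fetchStoredHash($pdo, $email);
    if ($fromDb === null) {
        echo "no row for $email\n";
        return false;
    }
    if ($fromDb !== $inserted) {
        printf("mismatch: inserted %d bytes, read back %d bytes\n",
               strlen($inserted), strlen($fromDb));
        return false;
    }
    return true;
}

function login(PDO $pdo, string $email, string $plain): bool
{
    $hash = fetchStoredHash($pdo, $email);
    // password_verify() reads the salt and cost out of the stored string itself.
    return $hash !== null && password_verify($plain, $hash);
}

$email    = 'ana@example.com';                       // constructed sample user
$inserted = register($pdo, $email, 'correct horse battery staple');

echo hashRoundTripsIntact($pdo, $email, $inserted) ? "stored intact\n" : "stored value differs\n";
echo login($pdo, $email, 'correct horse battery staple') ? "login ok\n" : "login failed\n";
echo login($pdo, $email, 'wrong password') ? "login ok\n" : "login failed\n";
```

The script needs the pdo_sqlite extension. SQLite ignores the declared VARCHAR length, so this demo cannot reproduce truncation itself; on a MySQL column shorter than the 60-character bcrypt string, non-strict mode silently truncates the value and hashRoundTripsIntact() is where that would show up, while strict mode rejects the INSERT outright. Either way the fix is the same: a VARCHAR(255) (or at least 60) column and the prepared-statement insert of the password_hash() result as-is.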