
I've been reading several posts and trying different techniques to store a password in MySQL. I've decided to use crypt with a salt, and I've finally been able to insert it into my database. The code used is the following:

    $cost = 10;
    $salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
    $salt = sprintf("$2a$%02d$", $cost) . $salt;
    $hash = crypt($password, $salt);
    $query = "INSERT INTO users_registered(name , password) VALUES('$name', '$hash')"; 
    mysqli_query($con, $query);

The main problem I've been struggling with for hours is how to check whether the password I enter is the correct one... I'm sure I'm doing something wrong, but I'm completely new to this field of security, and none of the posts I checked have worked for me. This is the code I use to check:

    $name = mysqli_real_escape_string($con, $_POST['name']);
    $password = mysqli_real_escape_string($con, $_POST["password"]);

    $query = "SELECT * FROM users_registered where name='$name'";
    $result = mysqli_query($con, $query);
    $row = mysqli_fetch_assoc($result);
    $hash = $row['password'];
    if ($hash->hash == crypt($password, $hash->hash)) {
        echo "YEEEESSS";
    }
    else {
        echo "What I'm doing wrooooong!";
    }

The problem comes from the if, but I'm not sure what I should put :S Any help would be appreciated :)

Alvaro
  • `password_hash()` would be better if you're running PHP 5.5+ : http://php.net/manual/en/function.password-hash.php – CD001 Nov 20 '15 at 10:48
  • And for php<5.5 there is a link to a userland fill-in in the documentation. – VolkerK Nov 20 '15 at 10:53
  • Thanks for the quick replies! I'm using php<5.5, and it gives me an undefined function error when using `password_hash()`... @VolkerK I'll check right away! – Alvaro Nov 20 '15 at 11:00
  • @Alvaro look up https://github.com/ircmaxell/password_compat if you have PHP 5.3.7; otherwise read up on http://stackoverflow.com/questions/19103340/what-is-an-alternative-to-password-hash-for-php-5-5-5-0 – Martin Nov 20 '15 at 11:12
  • See also, for PHP versions below 5.3: http://www.openwall.com/phpass/ – Martin Nov 20 '15 at 11:14
  • BTW, you should not use php version < 5.3. It doesn't make any sense for now. – Sergey Chizhik Nov 20 '15 at 11:31
  • What is the password column's type and, most importantly, its length? And is your HTML form correct, with name attributes that match your POST arrays? – Funk Forty Niner Nov 20 '15 at 12:22

1 Answer


As already suggested in the comments, the best way is to use password_hash() instead of:

    $cost = 10;
    $salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
    $salt = sprintf("$2a$%02d$", $cost) . $salt;
    $hash = crypt($password, $salt);

In my case, my PHP version was under 5.5, and I haven't been able to insert the library compatible with lower versions, even though it is the safest way!!

In order to check if my password stored was the same as the one the user inputs via $_POST, the if has to be modified as follows:

    if (crypt($password, $hash) == $hash) {
       ...

and this did the trick!! Take into account that I'm just a beginner, and this method can be unsafe :)

Alvaro
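An added example, not code from the question or the answer, of the same crypt()-based check with the pitfalls raised in this thread handled: the bcrypt hash is required to be 60 characters before it is stored or compared (a password column that is too narrow truncates it, after which nothing ever verifies), the comparison is constant-time, and prepared statements replace string interpolation. It assumes PHP 5.3.7 or later, a mysqli connection `$con`, and the `users_registered(name, password)` table from the question; on PHP 5.5+ `password_hash()`/`password_verify()` do the same job.

```php
<?php
// Bcrypt via crypt() with the checks this thread's pitfalls call for.
// Assumes PHP >= 5.3.7, a mysqli connection $con and a users_registered table
// whose password column is at least 60 characters wide.

function make_bcrypt_hash($password, $cost = 10) {
    // 22 salt characters from the bcrypt alphabet [./A-Za-z0-9].
    $raw = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    // $2y$ is the corrected bcrypt identifier on PHP >= 5.3.7 (the thread uses $2a$).
    $hash = crypt($password, sprintf('$2y$%02d$', $cost) . $salt);
    // crypt() signals failure with a short string such as "*0"; never store that.
    if (!is_string($hash) || strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function verify_bcrypt_hash($password, $stored_hash) {
    // A too-narrow column silently stores a truncated hash, after which no
    // password can ever verify: reject anything that is not a full 60-char hash.
    if (!is_string($stored_hash) || strlen($stored_hash) !== 60) {
        return false;
    }
    $candidate = crypt($password, $stored_hash); // the stored hash doubles as salt
    if (function_exists('hash_equals')) {        // constant-time compare, PHP >= 5.6
        return hash_equals($stored_hash, $candidate);
    }
    $diff = strlen($stored_hash) ^ strlen($candidate);
    for ($i = 0; $i < strlen($stored_hash) && $i < strlen($candidate); $i++) {
        $diff |= ord($stored_hash[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Registration: hash the raw password (escaping it first would alter it) and
// let a prepared statement handle quoting of both values.
$hash = make_bcrypt_hash($_POST['password']);
$stmt = $con->prepare('INSERT INTO users_registered (name, password) VALUES (?, ?)');
$stmt->bind_param('ss', $_POST['name'], $hash);
$stmt->execute();

// Login: fetch the stored hash for the name and compare.
$stmt = $con->prepare('SELECT password FROM users_registered WHERE name = ? LIMIT 1');
$stmt->bind_param('s', $_POST['name']);
$stmt->execute();
$stmt->bind_result($stored);
$ok = $stmt->fetch() && verify_bcrypt_hash($_POST['password'], $stored);
echo $ok ? 'login ok' : 'wrong name or password';
```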
    Why couldn't you use the compatibility pack, just include this [php file](https://github.com/ircmaxell/password_compat/blob/master/lib/password.php). Which PHP version are you running? – martinstoeckli Nov 21 '15 at 21:11
  • Ah! I thought I had to install the whole library, and I'm doing all the tests on a GoDaddy server, which limits all my installations... The PHP they use by default is 5.4. I can switch to PHP 5.5, but the command still wasn't recognised :S. Even so, I'll try just using the php file! Thanks :) – Alvaro Nov 22 '15 at 09:00