
I have a problem when decrypting passwords hashed with bcrypt. I can't login when I use this code. So, are there any mistakes?

function login()
{
    // Already logged in: send the user straight to the dashboard
    if ($this->session->userdata('username'))
    {
        redirect('dasbor');
    }

    // login function
    $valid    = $this->form_validation;
    $username = $this->input->post("username");
    $password = $this->input->post("password");

    // No WHERE clause here: this reads the password column of whatever row comes first
    $hash = $this->db->get('users')->row('password');

    $hashp = $this->bcrypt->check_password($password, $hash);

    $valid->set_rules("username", "Username", "required");
    $valid->set_rules("password", "Password", "required");

    if ($hashp) {
        if ($valid->run()) {
            $this->simple_login->login($username, $hashp, base_url("dasbor"), base_url("Auth/login"));
        }
    }
    // End login function

    $data = array('title' => 'Halaman Login Admin');
    $this->load->view('admin/login_view', $data);
}

Please help me to solve this problem.

Roshana Pitigala
kusiaga

1 Answer

I know this is an old question, but I want to help others who face the same problem.

First things first, you need to rework your algorithm. The password_verify() function needs 2 parameters:

  1. Password, the text that the user input in the text field before submitting the form.
  2. Hash, a hash that is already stored in your database.

The goal is to verify if Password and Hash are similar. As you know, password_hash() will return a different result at different times even when you hash the same string. Because of that, you cannot use the $this->db->where() active record.

So, what I would do is these 2 simple steps:

Create a function in the model (e.g. Main_model.php) for getting user data.

public function get_user($user) {
    $this->db->where('username', $user);

    return $this->db->get('user')->row_array();
}

Get the password from the controller and use password_verify

$get_user = $this->main_model->get_user($this->input->post('username'));

if (password_verify($this->input->post('password'), $get_user['password'])) {
    // Success
}
else {
    // Not Success
}

And one additional tip from me: don't write any active record in the Controller. It is not neat for the MVC method.

Anthony
  • Why not just hash the code with mysql functions [password()](https://www.w3resource.com/mysql/encryption-and-compression-functions/password().php), [md5()](https://www.w3resource.com/mysql/encryption-and-compression-functions/md5().php), store the hashed value when the password is created, then use the same function at user login? Why deal with bcrypt at all? – paulsm4 Jun 30 '19 at 05:52
  • @paulsm4 that might be personal preferences. But for me, I would never use Mysql function to generate hashed passwords. Also, there are plenty of reasons why Bcrypt is safer than md5, even the salted ones. [How is Bcrypt better than md5 + salt?](https://stackoverflow.com/questions/34813483/how-is-bcrypt-better-than-md5-salt) – Anthony Jun 30 '19 at 06:04
  • @paulsm4 Because fast, *unsalted* hashes are not secure enough for password storage, as they are more or less easily prone to brute-force attacks. – deceze Jun 30 '19 at 06:04
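The two-step flow from the answer (look the row up by username, then password_verify() on its stored hash) as a stand-alone PHP script; this is an added example, not code from the question, the answer or CodeIgniter. The in-memory $users array stands in for the `user` table and the Main_model::get_user() lookup, and the hashes it holds are constructed at run time.

```php
<?php
declare(strict_types=1);

// Why a WHERE on the hash column cannot work: password_hash() salts each call,
// so hashing the same password twice stores two different strings.
$first  = password_hash('correct horse', PASSWORD_BCRYPT);
$second = password_hash('correct horse', PASSWORD_BCRYPT);
assert($first !== $second);

// Constructed stand-in for the `user` table (one row, keyed by username).
$users = [
    'alice' => ['username' => 'alice', 'password' => $first],
];

// Model side: fetch the row for a username, or null when it does not exist.
function get_user(array $users, string $username): ?array
{
    return $users[$username] ?? null;
}

// Controller side: verify the submitted password against the stored hash.
// When the username is unknown we still run password_verify() against a
// dummy hash, so a missing user takes as long as a wrong password and the
// login timing does not reveal which usernames exist.
function login_ok(array $users, string $username, string $password): bool
{
    static $dummy = null;
    $dummy ??= password_hash('placeholder-not-a-real-password', PASSWORD_BCRYPT);

    $row    = get_user($users, $username);
    $stored = $row['password'] ?? $dummy;
    $ok     = password_verify($password, $stored);

    if ($row === null) {
        return false;
    }
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        // Hash parameters changed since registration: this is the place to
        // store password_hash($password, PASSWORD_BCRYPT) back to the row.
    }
    return $ok;
}

foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'correct horse']] as [$u, $p]) {
    printf("%-7s %-14s %s\n", $u, $p, login_ok($users, $u, $p) ? 'login ok' : 'rejected');
}
```

Only the first attempt (known user, matching password) succeeds; the other two are rejected without revealing which of the two checks failed.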