Home > Article > Backend Development > When Comparing Password Hashes with password_hash() and password_verify(), Which Password Should Come First?
When Comparing Password Hashes with password_hash() and password_verify(), Which Password Should Come First?
- Patricia ArquetteOriginal
- 2024-10-21 07:05:30271browse
PHP password_hash(), password_verify() [duplicate]
Understanding Password Comparison
When using PHP's password_hash() function to hash passwords for storage in a database, it is essential to understand how the hashed password is verified during login using password_verify().
Code Analysis
In your code, the password_hash() function hashes the password before storing it in the database. However, in the login script, you are directly comparing the un-hashed password entered by the user with the hashed password stored in the database using password_verify(). This comparison will always fail.
Correct Usage
The correct way to verify a password using password_verify() is to pass the un-hashed password entered by the user as the first argument and the hashed password stored in the database as the second argument. This will allow password_verify() to compare the two passwords correctly.
Example
Here is a modified version of your login script with the corrected password verification:
<code class="php">if($_SERVER["REQUEST_METHOD"] == "POST"){
$p_num = $_POST["username"];
$pwd = $_POST["password"];
$query = "SELECT * FROM `$user_table` WHERE `user_id` = '$p_num'";
$result = mysqli_query($connect, $query);
while($row = mysqli_fetch_assoc($result)){
$user_id = $row['user_id'];
$first_name = $row['first_name'];
$last_name = $row['last_name'];
$user_name = $first_name ." " .$last_name;
$password = $row['password'];
$image = $row['image'];
$email = $row['email'];
$program = $row['program'];
$role = $row['role'];
$status = $row['logged_in'];
$registered = $row['registered'];
// Verify the password using password_verify()
if(($user_id == $p_num) && (password_verify($pwd, $password))){
$_SESSION["id"] = $user_id;
$_SESSION["user"] = $user_name;
$_SESSION["program"] = $program;
$_SESSION["pass"] = $password;
$_SESSION["image"] = $image;
$_SESSION["email"] = $email;
$_SESSION["role"] = $role;
$_SESSION["status"] = $status;
$_SESSION["registered"] = $registered;
$loggedin = "UPDATE `$user_table` SET `logged_in` = 1 WHERE `user_id` = '$user_id'";
}
var_dump($pwd);
var_dump($password);
}
}</code>
Conclusion
By using password_verify() correctly, you can accurately validate user passwords during login, ensuring the security and integrity of your system.
The above is the detailed content of When Comparing Password Hashes with password_hash() and password_verify(), Which Password Should Come First?. For more information, please follow other related articles on the PHP Chinese website!