php decrypt password does not work

ives rodriguez
Greenhorn
Posts: 28
encrypt the password in the database using the function password_hash()

In solucioncontroller.php I try to verify the encrypted password, but it does not work.



In the model solucion.php I search for the user and the password entered in the login view.



In the login view is the form where you enter the username and password.



When entering the username and password, the data is deleted and I remain in the login view.
 
Stephan van Hulst
Saloon Keeper
Posts: 11918
253
ives rodriguez wrote: encrypt the password in the database using the function password_hash()

You mean "hash the password". Encryption is a completely different concept and you should not encrypt passwords.

The 'pass' column of your database should not hold the password that the user registered with, but the hash that was created using password_hash().
 
Dave Tolls
Rancher
Posts: 4552
47
And you should then hash the password passed in for the Login attempt, and then use that in your query along with the username/id.
There's no reason to actually get the hashed password from the database.
 
Stephan van Hulst
Saloon Keeper
Posts: 11918
253
I don't think that's true. verify_password() performs the hashing itself, and then compares the hash with the given hash. So you need to pass it the entered password and the hash from the DB.
 
Dave Tolls
Rancher
Posts: 4552
47
Oh, not a fan of actually reading stuff like that out of the DB, but I suppose this is a standard PHP thing?
 
Stephan van Hulst
Saloon Keeper
Posts: 11918
253
Well... how are you going to verify the hash without getting it from the database first? I'm pretty sure the database doesn't know the key derivation algorithm that was used to create the hash.
 
Dave Tolls
Rancher
Posts: 4552
47
You hash the password supplied before handing it to the DB.
Essentially, there is no need at all for the DB to supply the hashed password.
I mean it's not a biggie, it's just there is no need for that data to ever leave the database once it's been put in there.
 
Stephan van Hulst
Saloon Keeper
Posts: 11918
253
There is. Most key derivation algorithms store metadata in the hash that is needed to hash the password a second time. If you don't retrieve the hash, you don't know the iteration count and initialization vector (and maybe not even the algorithm itself), so the new hash will be completely different from the one in the database.

Even if you stored these data separately from the hash, you would still have to retrieve them from the DB before you could authenticate the user.
 
Rob Spoor
Sheriff
Posts: 21922
106
It's not just these PHP functions that work like this, BCrypt and a lot of other libraries work in exactly the same way. The trick is that if you hash the password again, you will not get the same result, which is more secure (harder to brute-force). That makes database look-ups based on the hash impossible.

Ives, why do you use htmlentities(addslashes(...)) for your username and password? You already use PDO binding to prevent SQL injection, and you don't render them in the browser either. I'm even inclined to say that this is the reason why it doesn't work - the password you fill in will not be the password that's used in the verify step if this transformation changes the password.
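As an added example (not code from the thread or from ives' project) showing the two points Stephan and Rob make above: the stored hash has to be fetched from the database and handed to password_verify(), which reads the algorithm, cost and salt back out of it, and running the submitted password through htmlentities(addslashes(...)) first changes the bytes being verified. It assumes an in-memory SQLite database via PDO and a users table with username and pass columns, all constructed inline.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO so it runs stand-alone; table, user and password are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Registration: store only the hash. password_hash() draws a fresh random salt and
// embeds algorithm, cost and salt in the result ("$2y$10$..." for bcrypt), so the
// same password hashed twice gives two different strings.
function register(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, pass) VALUES (:username, :pass)');
    $stmt->execute([':username' => $username, ':pass' => $hash]);
}

// Login: look the row up by username only, fetch the stored hash, and let
// password_verify() re-derive the hash from the metadata that string carries.
// A query with WHERE pass = :freshHash can never match, since the fresh hash has a new salt.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();          // false when there is no such user
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample password; the '<' and the double quote are deliberate.
$password = 'p<ss"w0rd';
register($pdo, 'ives', $password);

// What the thread's original code did: pass the submitted password through
// htmlentities(addslashes(...)) first. That yields p&lt;ss\&quot;w0rd, a different
// byte string, so verification against the stored hash fails.
$mangled = htmlentities(addslashes($password));

foreach ([
    'correct password'      => login($pdo, 'ives', $password),
    'wrong password'        => login($pdo, 'ives', 'wrong'),
    'mangled password'      => login($pdo, 'ives', $mangled),
    'unknown user'          => login($pdo, 'nobody', $password),
    'two hashes identical?' => password_hash($password, PASSWORD_DEFAULT)
                               === password_hash($password, PASSWORD_DEFAULT),
] as $case => $result) {
    printf("%-22s %s\n", $case, var_export($result, true));
}
```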
 
Dave Tolls
Rancher
Posts: 4552
47

Rob Spoor wrote: It's not just these PHP functions that work like this, BCrypt and a lot of other libraries work in exactly the same way. The trick is that if you hash the password again, you will not get the same result, which is more secure (harder to brute-force). That makes database look-ups based on the hash impossible.

No, fair enough.
It has been a couple of years (thinking about it, more like 4) since I last had to deal with this side of things...

Note to self - don't rely on dodgy memory.
;)
 
Stephan van Hulst
Saloon Keeper
Posts: 11918
253

Rob Spoor wrote: It's not just these PHP functions that work like this, BCrypt and a lot of other libraries work in exactly the same way.

As a matter of fact, I think PHP uses BCrypt internally.