I'm trying to verify a password against the one in the database, but it doesn't work. Please see my code and let me know what's wrong.

Code for storing the username and password in the database:

<?php

echo "enter the username \n";
$username = trim(fgets(STDIN));

echo "enter the password\n";
$password = trim(fgets(STDIN));

//connecting to database
$con=mysqli_connect("localhost","sqldata","sqldata","accounts");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// 22 hex characters of sha1(mt_rand()) are used as the bcrypt salt
$salt = substr(sha1(mt_rand()),0,22);

// bcrypt ($2y$, cost 10): the result starts with method, cost and salt, followed by the hash
$hashedPassword= crypt($password , '$2y$10$' . $salt);

echo $hashedPassword;

// username and hash are interpolated straight into the SQL string (no escaping or binding)
mysqli_query($con,"INSERT INTO login (username, password)
VALUES ('$username', '$hashedPassword')");

mysqli_close($con);

?>

Code for verifying the password is as follows:

<?php

echo "enter the username \n";
$username = trim(fgets(STDIN));

echo "enter the password\n";
$password = trim(fgets(STDIN));

//connecting to database
$db = mysql_connect("localhost","sqldata","sqldata") or die(mysql_error());

//selecting our database
$db_select = mysql_select_db("accounts", $db) or die(mysql_error());

// username is interpolated straight into the query string
$result= mysql_query("select * from login where username = '$username' ");

if ( !$result ) exit( "$username wasn't found in the database!" );
$row = mysql_fetch_array( $result );

$storedPassword = $row['password'];

// a new random salt is generated here, unrelated to the salt inside the stored hash
$salt = substr(sha1(mt_rand()),0,22);

$hashedPassword= crypt($password , '$2y$10$' . $salt);

// the already-hashed value is passed through crypt() a second time before comparing
if (crypt($hashedPassword) == $storedPassword)
{
echo "ok";
}
else
{
echo "error";
}
?>
Alain Bruno
hadi

2 Answers


When you save your password to the database you are using:

$hashedPassword= crypt($password , '$2y$10$' . $salt);

but when you retrieve the password and check it I see a couple of things wrong:

$storedPassword = $row['password'];

$salt = substr(sha1(mt_rand()),0,22);

$hashedPassword= crypt($password , '$2y$10$' . $salt);

if (crypt($hashedPassword) == $storedPassword){/*...*/}

1. Shouldn't:

$hashedPassword= crypt($password, '$2y$10$' . $salt);

be

$hashedPassword= crypt($storedPassword, '$2y$10$' . $salt);

2. It appears that you are using crypt twice:

$hashedPassword= crypt($password , '$2y$10$' . $salt);
if (crypt($hashedPassword) == $storedPassword)

so shouldn't it just be:

$hashedPassword= crypt($storedPassword, '$2y$10$' . $salt);
if ($hashedPassword == $storedPassword){/*...*/}
Samuel Cook
  • Sorry, your method doesn't work. I tried it but it gives me echo error:
    $storedPassword = $row['password'];
    $salt = substr(sha1(mt_rand()),0,22);
    $hashpassword = crypt ($storedPassword, '$2y$10$' . $salt);
    if ($hashpassword == $storedPassword) { echo "ok"; } else { echo "error"; } ?>
    – hadi May 17 '13 at 02:11

This is simpler than you are thinking. The crypt format is somewhat clever: it includes the salt as the start of the crypted password, in the form (method)(salt)(hash).

When using crypt(), it only looks at (method)(salt) and uses them to return (method)(salt)(hash), so to verify a password, all you need to do is pass the crypted password as the salt and see if the result matches. That is to say,

crypt($testPassword, $hashedPassword) === $hashedPassword
James
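As an added example (not code from the question or from either answer), here is the store/verify pair written the way the second answer describes: the stored crypt() string carries its own method, cost and salt, so verification re-runs crypt() with the stored string as the salt and compares the result. It assumes the question's `accounts` database and `login(username, password)` table, a PHP 7.1+ runtime (for `random_bytes()`, `hash_equals()` and scalar type declarations), and an already-open `mysqli` connection for the two database functions; it uses prepared statements instead of interpolating input into SQL, and the self-check at the bottom needs no database.

```php
<?php
// Added example: storing and verifying a bcrypt crypt() hash.
// Assumes the question's "accounts" database and login(username, password) table
// and PHP 7.1+. Connection details are left to the caller (placeholders only).

// Build a bcrypt "setting" string: $2y$ + two-digit cost + 22 salt chars from [./A-Za-z0-9].
function makeBcryptSetting(int $cost = 10): string
{
    // 16 random bytes -> base64 -> swap '+' for '.' so every char is in bcrypt's alphabet;
    // the first 22 base64 chars hold all 128 bits, so the '==' padding is never used.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function hashPassword(string $password): string
{
    $hash = crypt($password, makeBcryptSetting(10));
    // On failure crypt() returns a short marker such as "*0" instead of a 60-char bcrypt string.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify by passing the stored hash itself as the salt: crypt() reads (method)(cost)(salt)
// from its first 29 characters and reproduces the whole string only if the password matches.
// hash_equals() compares in constant time instead of the early-exit == of the question.
function verifyPassword(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Same result as hashPassword()/verifyPassword(), using the built-ins available since PHP 5.5.
function hashPasswordBuiltin(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

function storeUser(mysqli $con, string $username, string $password): void
{
    $hash = hashPassword($password);
    // Bound parameters: the username is never spliced into the SQL text.
    $stmt = $con->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

function checkLogin(mysqli $con, string $username, string $password): bool
{
    $stmt = $con->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: still spend one bcrypt computation so the response time does
        // not reveal whether the username exists (dummy hash computed once per process).
        static $dummy = null;
        if ($dummy === null) {
            $dummy = hashPassword('dummy-password-for-timing');
        }
        verifyPassword($password, $dummy);
        return false;
    }
    return verifyPassword($password, $storedHash);
}

// Self-check without a database: a fresh hash verifies the right password and rejects a wrong one,
// and the built-in password_verify() accepts the crypt()-produced string as well.
$h = hashPassword('correct horse battery staple');
if (!verifyPassword('correct horse battery staple', $h)
    || verifyPassword('wrong password', $h)
    || !password_verify('correct horse battery staple', $h)
    || !password_verify('correct horse battery staple', hashPasswordBuiltin('correct horse battery staple'))) {
    fwrite(STDERR, "self-check failed\n");
    exit(1);
}
echo "self-check ok\n";
```

Two points worth keeping in mind when adapting this: bcrypt only looks at the first 72 bytes of the password, so very long inputs should be pre-hashed or rejected; and `password_hash()`/`password_verify()` remove the need to build the `$2y$10$...` setting string by hand, which is exactly the step the question's code gets wrong during verification.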