When Comparing Password Hashes with password_hash() and password_verify(), Which Password Should Come First?

PHP password_hash(), password_verify() [duplicate]

Understanding Password Comparison

When using PHP's password_hash() function to hash passwords for storage in a database, it is essential to understand how the hashed password is verified during login using password_verify().

Code Analysis

In your code, the password_hash() function hashes the password before storing it in the database. However, in the login script, you are directly comparing the un-hashed password entered by the user with the hashed password stored in the database using password_verify(). This comparison will always fail.

Correct Usage

The correct way to verify a password using password_verify() is to pass the un-hashed password entered by the user as the first argument and the hashed password stored in the database as the second argument. This will allow password_verify() to compare the two passwords correctly.

Example

Here is a modified version of your login script with the corrected password verification:

<code class="php">if($_SERVER["REQUEST_METHOD"] == "POST"){
    $p_num = $_POST["username"];
    $pwd = $_POST["password"];

    $query = "SELECT * FROM `$user_table` WHERE `user_id` = '$p_num'";
    $result = mysqli_query($connect, $query);
    while($row = mysqli_fetch_assoc($result)){
        $user_id = $row['user_id'];
        $first_name = $row['first_name'];
        $last_name = $row['last_name'];
        $user_name = $first_name ." " .$last_name;
        $password = $row['password'];
        $image = $row['image'];
        $email = $row['email'];
        $program = $row['program'];
        $role = $row['role'];
        $status = $row['logged_in'];
        $registered = $row['registered'];

        // Verify the password using password_verify()
        if(($user_id == $p_num) && (password_verify($pwd, $password))){
            $_SESSION["id"] = $user_id;
            $_SESSION["user"] = $user_name;
            $_SESSION["program"] = $program;
            $_SESSION["pass"] = $password;
            $_SESSION["image"] = $image;
            $_SESSION["email"] = $email;
            $_SESSION["role"] = $role;
            $_SESSION["status"] = $status;
            $_SESSION["registered"] = $registered;
            $loggedin = "UPDATE `$user_table` SET `logged_in` = 1 WHERE `user_id` = '$user_id'";
        }
    var_dump($pwd);
    var_dump($password);
}
}</code>

Conclusion

By using password_verify() correctly, you can accurately validate user passwords during login, ensuring the security and integrity of your system.

The above is the detailed content of When Comparing Password Hashes with password_hash() and password_verify(), Which Password Should Come First?. For more information, please follow other related articles on the PHP Chinese website!