


When Comparing Password Hashes with password_hash() and password_verify(), Which Password Should Come First?
Oct 21, 2024 am 07:05 AMPHP password_hash(), password_verify() [duplicate]
Understanding Password Comparison
When using PHP's password_hash() function to hash passwords for storage in a database, it is essential to understand how the hashed password is verified during login using password_verify().
Code Analysis
In your code, the password_hash() function hashes the password before storing it in the database. However, in the login script, you are directly comparing the un-hashed password entered by the user with the hashed password stored in the database using password_verify(). This comparison will always fail.
Correct Usage
The correct way to verify a password using password_verify() is to pass the un-hashed password entered by the user as the first argument and the hashed password stored in the database as the second argument. This will allow password_verify() to compare the two passwords correctly.
Example
Here is a modified version of your login script with the corrected password verification:
<code class="php">if($_SERVER["REQUEST_METHOD"] == "POST"){ $p_num = $_POST["username"]; $pwd = $_POST["password"]; $query = "SELECT * FROM `$user_table` WHERE `user_id` = '$p_num'"; $result = mysqli_query($connect, $query); while($row = mysqli_fetch_assoc($result)){ $user_id = $row['user_id']; $first_name = $row['first_name']; $last_name = $row['last_name']; $user_name = $first_name ." " .$last_name; $password = $row['password']; $image = $row['image']; $email = $row['email']; $program = $row['program']; $role = $row['role']; $status = $row['logged_in']; $registered = $row['registered']; // Verify the password using password_verify() if(($user_id == $p_num) && (password_verify($pwd, $password))){ $_SESSION["id"] = $user_id; $_SESSION["user"] = $user_name; $_SESSION["program"] = $program; $_SESSION["pass"] = $password; $_SESSION["image"] = $image; $_SESSION["email"] = $email; $_SESSION["role"] = $role; $_SESSION["status"] = $status; $_SESSION["registered"] = $registered; $loggedin = "UPDATE `$user_table` SET `logged_in` = 1 WHERE `user_id` = '$user_id'"; } var_dump($pwd); var_dump($password); } }</code>
Conclusion
By using password_verify() correctly, you can accurately validate user passwords during login, ensuring the security and integrity of your system.
The above is the detailed content of When Comparing Password Hashes with password_hash() and password_verify(), Which Password Should Come First?. For more information, please follow other related articles on the PHP Chinese website!

Hot Article

Hot tools Tags

Hot Article

Hot Article Tags

Notepad++7.3.1
Easy-to-use and free code editor

SublimeText3 Chinese version
Chinese version, very easy to use

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

Hot Topics

11 Best PHP URL Shortener Scripts (Free and Premium)

Working with Flash Session Data in Laravel

Build a React App With a Laravel Back End: Part 2, React

Simplified HTTP Response Mocking in Laravel Tests

cURL in PHP: How to Use the PHP cURL Extension in REST APIs

12 Best PHP Chat Scripts on CodeCanyon

Announcement of 2025 PHP Situation Survey
