How to Correctly Verify Salted Passwords for Member Login?

How to Verify a Salted Password for Member Login

In secure member sites, passwords are stored as salted hashes in the database, adding an extra layer of protection. However, this can make login verification challenging for developers.

To verify a salted password for member login, several steps are involved:

1. Retrieving the Salt:

   • Use a SELECT query to retrieve the salt associated with the member's username.

2. Salting the User's Input Password:

   • Concatenate the salt with the user's input password.

3. Hashing the Salted Password:

   • Hash the salted password using the same hashing algorithm used for storing passwords in the database.

4. Checking Against Stored Hash:

   • Execute another SELECT query to retrieve the stored hash for the user and compare it to the computed hash from the input password.

Adjusted Code for Member Login:

In the provided code, the main issue involves the incorrect check for $result === false. The correct approach is to check whether $result is actually an empty result set, as an empty result set will still evaluate to true in PHP.

// ... existing code

$result = mysqli_query($connect, $saltQuery);
if (mysqli_num_rows($result) === 0){
    die(mysqli_error());
}
$row = mysqli_fetch_assoc($result);
$salt = $row['salt'];

// ... remaining code

This adjusted code will correctly check for the existence of a member with a matching username and password while ensuring proper password verification.

The above is the detailed content of How to Correctly Verify Salted Passwords for Member Login?. For more information, please follow other related articles on the PHP Chinese website!