Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
852 views
in Technique[技术] by (71.8m points)

mysql - PHP and SQL Hashing Help: What am I doing wrong?

First off, I am fairly new to coding in general so the idea of hashing is slightly confusing. Essentially, I am trying to hash a password in order to store it in a database so I don't have the password in plain text (I am told this is the best way to do it although I don't think it would be that large of a problem if the passwords weren't hashed as this is only being used in a small group of people that I could inform not to use passwords they care about but I was still advised to do this).

I have looked up a few guides and could use some help with understanding this. I will include the way I am hashing the passwords and how I am pulling them out of the database in order to help understand this problem. Apologies ahead of time if this is a stupid question. Just a heads up, I don't really understand this which is why I am asking the question.

NOTE: Included variables such as $login_username and $login_password are being properly pulled, I just didn't want to include them as it would clutter up this mess of a post even more.

Register user (have tried password_default and password_bcrypt but I don't see a difference):

require_once 'database.php';
    $hash_employee_password = password_hash($employee_password, PASSWORD_DEFAULT);

    $query = "INSERT INTO employee
                 (employee_id, employee_first_name, employee_last_name,
                 employee_username, employee_email, employee_password)
              VALUES
                 (:employee_id, :employee_first_name, :employee_last_name, 
                 :employee_username, :employee_email, :employee_password);";

    //VALUES (".$employee_id.", '" . $employee_first_name."', '" . $employee_last_name . "', '".$employee_username."', '".$employee_email."', '" . "$employee_password');";

    $statement = $db->prepare($query);
    $statement->bindValue(':employee_id', $employee_id);
    $statement->bindValue(':employee_first_name', $employee_first_name);
    $statement->bindValue(':employee_last_name', $employee_last_name);
    $statement->bindValue(':employee_username', $employee_username);
    $statement->bindValue(':employee_password', $hash_employee_password);
    $statement->bindValue(':employee_email', $employee_email);
    $statement->execute();
    $statement->closeCursor();

    //echo $query;
    $message = 'You have been successfully registered. Contact your manager in order to request account confirmation.';
    include ('success.php');

Record Login:

require_once 'database.php';
include 'register_user.php';

$pwordQuery = "SELECT employee_password from employee where employee_username = :login_username";
$pwstatement = $db->prepare($pwordQuery);
$pwstatement->bindValue(':login_username', $login_username);
$pwstatement->execute();
$result = $pwstatement->fetch();
$pwstatement->closeCursor();


echo $result[0];

if(password_verify($login_password, $result[0]))
{
    echo ' TRUE';
}
else
{
    echo ' FALSE ';
}   

The problem is: I am entering the proper username and password, but am getting the result of "FALSE" echoed out. Let me know if you have any ideas. Disregard the fact that I have a ton of work to do such as making my queries into functions and calling them that way... That's saved for a later date.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

"password column's length is what? if it's anything less than 60, mysql failed on you silently. 9 times out of 10, that's what the problem is. If so, then you'll need to start all over again by clearing your db and create a new hash. – Fred -ii- 13 mins ago"

which I was right about all along:

@Fred Well it looks like having the column length being 45 was a bad idea and that was my only problem. Thanks for the help, not entirely sure how this site works so I don't know how to give you rep or anything."

As per the manual on the password_hash() function:

http://php.net/manual/en/function.password-hash.php

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...