Search code examples
phpmysqlsqlpassword-hashphp-password-hash

How to check a hashed password against database

I am looking to check the username and password that are entered are equal to the username and password stored in mysql database.

I have used password_hash() to hash the password and stored them into table. But I don't know, how to check if they are the same or not.

HTML

<!DOCTYPE HTML>  
<html>
<head>
<style>
    .error {color: #FF0000;}
</style>
</head>
<body>

<h2>PHP Form Validation Example</h2>
<p><span class="error">* required field.</span></p>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">  
Username: <input type="text" name="username">
<span class="error">* <?php echo $usernameErr;?></span>
<br><br>
Password: <input type="password" name="password">
<span class="error">* <?php echo $passwordErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">

</form>
</body>
</html>

PHP

<?php
error_reporting(E_ALL | E_STRICT);

$servername = "localhost";
$serverUsername = "root";
$serverPassword = "";

// Create connection
$conn = mysqli_connect($servername, $serverUsername, $serverPassword);
mysqli_select_db($conn, 'users');

// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";

if (isset($_POST["submit"])) {
    $query = mysqli_prepare($conn, "SELECT * FROM user_logons WHERE Username = ? AND Password = ?");
    mysqli_stmt_bind_param ($query , 'ss' , $username , $password);
    mysqli_stmt_execute($query);
    $username = mysqli_real_escape_string($conn, $_POST["username"]);
    $password = password_hash($_POST["password"], PASSWORD_BCRYPT);
    mysqli_stmt_close($query);

}

$usernameErr = $passwordErr = "";

mysqli_close($conn);
?>

Also, do I have to escape the password input if it is hashed?

Solution

  • You need to get the input password hashed again and before binding it with your prepare statement. You need to make sure, you are using same encryption method, which was used for storing.

    $username = mysqli_real_escape_string($conn, $_POST["username"]);
$password = password_hash($_POST["password"], PASSWORD_BCRYPT); 

mysqli_stmt_bind_param ($query , 'ss' , $username , $password);
mysqli_stmt_execute($query);

    Edited:

    As suggested by @Devon in comment, you could also use password_verify