Tags: php, forms, authentication, php-password-hash

Hashing and verifying user in login form PHP


I've created a simple login/registration form. The registered information is stored in a .txt file (this is for educational purposes only not real use).

I am hashing the registered input before I put it in the .txt file. When the user logs in I want to use password_verify to check the hash. If the hash is the same as the login input the user is verified and should therefore be logged in.

With the current code, even if the login is the same as what's stored in the .txt file it jumps straight to the `else` statement that says username and/or password is incorrect.

EDIT: If I enter username as 123 and password as 123 the text file shows:

$2y$10$VeZB8AZmL9lAfRQ1qKBxEug8A3RrPxM9JlOAo9prw/UOWU4.XpdqC,$2y$10$kU5AvH4hTgE1cvHmTItIU.pnTsbYvKH9bLl3Bxfy4ig7QZKdVVV46,

I am new to PHP and programming in general and any help is appreciated :)

```php
<?php
// GETS FORM INPUT
if (isset($_POST['username']) && !empty($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Both fields are hashed, each with a fresh random salt.
    $hashName = password_hash($username, PASSWORD_DEFAULT);
    $hashPass = password_hash($password, PASSWORD_DEFAULT);
}

$action = $_POST['btn'] ?? '';

// LOGIN
if ($action == 'Login') {
    userExist($username, $password, $hashName, $hashPass);
}

// REGISTER
else if ($action == 'Register') {
    $fh = fopen("logininfo.txt", 'a') or die("Unable to open file");

    // Appends "hashedName,hashedPassword," with no newline between accounts.
    $login = <<<_END
$hashName,$hashPass,
_END;
    fwrite($fh, $login) or die("Unable to write to file");
    fclose($fh);
}

// VERIFIES USER
function userExist($username, $password, $hashName, $hashPass) {
    $accounts = file_get_contents('logininfo.txt');
    // Splits the whole file on commas, so $accArray[0] and $accArray[1]
    // are always the first stored account, whoever is logging in.
    $accArray = explode(',', $accounts);

    // print_r($accArray); // debug output; anything printed before header() breaks the redirect
    if (password_verify($hashName, $accArray[0]) && password_verify($hashPass, $accArray[1])) {
        header('Location: index.php');
        exit;
    } else {
        echo "username and/or password is incorrect";
    }
}
```

Solution

  • There's too much hashing here.

    When registering a user you store the unhashed user name and the password hashed with password_hash().

    When logging in you use the unhashed user name to recover the hashed password for that user, then use password_verify() to compare the unhashed password the user has given you with the hashed password you stored.

    password_hash() adds a random salt to the password and stores the salt and the generated hash in the resulting string. Even if you hash the same password twice you'll get a different result each time.
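A working version of the scheme the answer describes, added here as an example; it is neither the asker's nor the answerer's code. It keeps the question's comma-separated text file (`logininfo.txt`) but writes one `username,hash` record per line, stores the user name in clear and only the password hashed, and looks the hash up by user name before calling `password_verify()`. The function names, the comma/newline check on the user name, the `LOCK_EX` append and the dummy-hash verify for unknown users (so a failed login takes the same time whether or not the name exists) are assumptions added for this illustration, not part of the original post.

```php
<?php
// Added example (not the original poster's code): registration and login
// against a text file holding one "username,hash" record per line.
// ACCOUNTS_FILE and every function below are assumptions for this illustration.
declare(strict_types=1);

const ACCOUNTS_FILE = __DIR__ . '/logininfo.txt';

// Hash of an arbitrary constant, computed once per request, so that a login
// attempt for an unknown user still pays for one password_verify() and its
// response time does not reveal which user names exist.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Returns the stored hash for $username, or null when nobody has that name.
function findHash(string $username): ?string
{
    if (!is_file(ACCOUNTS_FILE)) {
        return null;
    }
    $lines = file(ACCOUNTS_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines as $line) {
        // Split on the first comma only; a bcrypt hash never contains a comma.
        [$storedName, $storedHash] = explode(',', $line, 2) + [null, null];
        if ($storedName === $username && $storedHash !== null) {
            return $storedHash;
        }
    }
    return null;
}

function registerUser(string $username, string $password): bool
{
    // Commas and newlines are the record delimiters, so keep them out of the name.
    if ($username === '' || preg_match('/[,\r\n]/', $username) === 1) {
        return false;
    }
    if (findHash($username) !== null) {
        return false; // name already taken
    }
    // Only the password is hashed. password_hash() chooses a random salt and
    // embeds it, together with the algorithm and cost, in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $record = $username . ',' . $hash . "\n";
    return file_put_contents(ACCOUNTS_FILE, $record, FILE_APPEND | LOCK_EX) !== false;
}

function loginUser(string $username, string $password): bool
{
    $hash = findHash($username);
    if ($hash === null) {
        // Unknown user: run one verify anyway so timing matches the known-user path.
        password_verify($password, dummyHash());
        return false;
    }
    // password_verify() re-hashes the submitted password with the salt stored
    // inside $hash and compares the result in constant time. The submitted
    // password is never hashed on its own and compared as a string.
    return password_verify($password, $hash);
}

// Constructed demo run against a fresh file.
if (is_file(ACCOUNTS_FILE)) {
    unlink(ACCOUNTS_FILE);
}
var_dump(registerUser('123', '123'));   // first registration
var_dump(registerUser('123', 'other')); // duplicate name is refused
var_dump(loginUser('123', '123'));      // correct password
var_dump(loginUser('123', 'wrong'));    // wrong password
var_dump(loginUser('nobody', '123'));   // unknown user

// Two hashes of the same password differ because the salts differ,
// yet password_verify() accepts the password against either of them.
$a = password_hash('123', PASSWORD_DEFAULT);
$b = password_hash('123', PASSWORD_DEFAULT);
var_dump($a !== $b);
var_dump(password_verify('123', $a) && password_verify('123', $b));
```

The caller decides what to do with the boolean; if it redirects with `header('Location: ...')`, it should `exit` right after and must not have printed anything first. When upgrading an existing store, `password_needs_rehash()` on a successful login tells you whether the stored hash was made with an older algorithm or cost and should be replaced.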