mysql - Trying to create a page that, if it's the first time logging in, checks against a plain text password, else checks against a hashed pass (php)


Dang, the title is bad.

I'm working on a site with a bunch of users imported via a CSV file. The CSV file includes first name, last name, email, etc. Before the file is uploaded to the DB, it is run through a program that takes the last name, appends the last 4 digits of a 7-digit number in the CSV, and assigns that as the password value. When a user logs in for the first time, it redirects to a page to enter a new password, which gets hashed and stored in the DB using the password_hash function. It then redirects them to the home page.

On the sign-in page, it first checks the entered plain text password against the DB (I know this is a terrible way of doing it, and I'm trying to find a way around this... please leave that out of the answers!). If that returns no results, it queries the DB for the hashed pass and stores it in a variable. I run the password_verify function, and it fails when I know I entered the right pass. I var_dump(ed) the hashed var and echoed the entered pass run through the password_hash function. They don't match, and I don't know why. Here is the relevant code.

    if (!empty($_POST)) {
        $lname = $_POST['lname'];
        $pass  = $_POST['pass'];

        //region prepare mysqli statement and run
        //prepare query
        $stmt = $con->prepare("SELECT id, lname, password FROM users WHERE lname = ? AND password = ?");

        //bind parameters
        $stmt->bind_param("ss", $lname, $pass);

        //run query
        $stmt->execute();

        //get results
        $results = $stmt->get_result();

        //make results usable
        $row = $results->fetch_object();
        //endregion

        //check to make sure results were returned, and store the user id in a session variable if true
        if (!empty($row)) {
            $_SESSION['user'] = $row->id;
            unset($_POST);

            header('Location: home.php');
        } elseif (empty($row)) {
            // second lookup by last name only, to fetch the stored hash
            // (note: unlike the first query, $lname is interpolated here rather than bound)
            $hasho = $con->query('SELECT password FROM users WHERE lname = "' . $lname . '"');
            $hash  = $hasho->fetch_object();

            // re-hash the entered password and compare it to the fetched value
            $passh = password_hash($pass, PASSWORD_DEFAULT);
            if ($passh == $hash) {
                $_SESSION['user'] = $row->id;
                unset($_POST);

                header('Location: home.php');
            } else {
                echo "invalid credentials";
            }
        }
    }

I'm sure I'm doing something stupid in the code.

Thank you!

You cannot use the function password_hash() to verify a password, because the salt is chosen randomly.

    $passh = password_hash($pass, PASSWORD_DEFAULT);
    if ($passh == $hash) { // hashes are never comparable

Instead you should use the password_verify() function to check the password:

    if (password_verify($pass, $hash)) {
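As an added illustration (not code from the asker or the answerer), the PHP below shows why two password_hash() calls on the same input produce different strings, and a login check that verifies the stored hash with password_verify(), falls back to the CSV-derived temporary password only for a user still flagged as first login, and replaces that plaintext with a hash immediately. The $users array and its first_login flag are assumed stand-ins for the users table.

```php
<?php
// Added example: constructed stand-in for the users table (not the asker's DB).
// A freshly imported user still holds the plaintext CSV-derived temporary password.
$users = [
    'smith' => ['id' => 1, 'password' => 'smith1234', 'first_login' => true],
];

function demonstrateSaltedHashes(string $pass): void {
    $a = password_hash($pass, PASSWORD_DEFAULT);
    $b = password_hash($pass, PASSWORD_DEFAULT);
    // Each call embeds a fresh random salt, so the two strings differ...
    var_dump($a === $b);
    // ...but both verify, because password_verify reads the salt back out of the hash.
    var_dump(password_verify($pass, $a), password_verify($pass, $b));
}

// Returns the user id on success, null otherwise. $users is passed by reference
// so the temporary plaintext is replaced by a hash on the first successful login.
function login(array &$users, string $lname, string $pass): ?int {
    if (!isset($users[$lname])) {
        return null;
    }
    $user = &$users[$lname];

    if ($user['first_login']) {
        // Constant-time comparison of the temporary password (never == on secrets).
        if (!hash_equals($user['password'], $pass)) {
            return null;
        }
        // Replace the plaintext with a hash right away; the real site should
        // also force a password change at this point.
        $user['password']    = password_hash($pass, PASSWORD_DEFAULT);
        $user['first_login'] = false;
        return $user['id'];
    }
    // Normal path: check against the stored hash, never by re-hashing and comparing.
    if (!password_verify($pass, $user['password'])) {
        return null;
    }
    // Upgrade the stored hash if PHP's default algorithm or cost has changed.
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        $user['password'] = password_hash($pass, PASSWORD_DEFAULT);
    }
    return $user['id'];
}

demonstrateSaltedHashes('smith1234');
var_dump(login($users, 'smith', 'wrong'));     // wrong temporary password
var_dump(login($users, 'smith', 'smith1234')); // first login: plaintext replaced by a hash
var_dump(login($users, 'smith', 'smith1234')); // later login: verified with password_verify
```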
