You're using `CheckPassword` incorrectly. The first argument should be plain text; the second a hash, according to the documentation. You are setting `$pass` to a hashed value, then using it as the first argument in `CheckPassword` anyway.

Corrected code (untested):
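
```php
include 'lib/php/PasswordHash.php';

$hash = $_GET['hash'];
$pass = $_GET['pass'];
$hasher = new PasswordHash(8, false);
// Just delete this line: $pass = $hasher->HashPassword($pass);

// Escape request data before echoing it into HTML.
echo "Original:<br>" . htmlspecialchars($pass) . "<br>";

// CheckPassword() takes the plain-text password first and the hash second,
// and returns a boolean, not a hash.
$checked = $hasher->CheckPassword($pass, $hash);
echo "Check result:<br>" . var_export($checked, true) . "<br>";
echo "<br>";
echo "Are they equal? <b>";
// Test the boolean result directly instead of comparing it to $pass.
if ($checked) {
    echo "Yep!</b>";
} else {
    echo "Nope. </b>";
}
```
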
P.S. I'm not sure why you are trying to get the value of `$hash` from `$_GET`. If you let the user specify both the password and the hash, they can fool your application into granting access. I'm assuming this is just a test and that you will use a database or other secure storage in your real app.
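
The point in the P.S., as an added example that is not part of the original answer: the hash is looked up server-side by username, and only the username and plain-text password come from the request. The `$users` array (a constructed stand-in for a database table), the `verifyLogin()` helper, the POST field names and the sample password are assumptions.

```php
<?php
// Added example, not the answerer's code.
include 'lib/php/PasswordHash.php'; // same phpass include path as in the answer

$hasher = new PasswordHash(8, false);

// Constructed stand-in for a database table: username => stored phpass hash.
// In a real app the hash is created once at registration and read from storage.
$users = [
    'alice' => $hasher->HashPassword('correct horse battery staple'), // constructed sample
];

// Hash checked for unknown usernames, so they cost the same work as known ones.
$dummyHash = $hasher->HashPassword('placeholder-never-a-real-password');

/**
 * Hypothetical helper: verify a login against the server-side store.
 * The hash never comes from the client.
 */
function verifyLogin(PasswordHash $hasher, array $users, string $dummyHash,
                     string $user, string $pass): bool
{
    $known  = array_key_exists($user, $users);
    $stored = $known ? $users[$user] : $dummyHash;

    // Plain-text password first, stored hash second.
    $ok = $hasher->CheckPassword($pass, $stored);

    return $known && $ok;
}

// Accept only string values; array-valued parameters are treated as empty.
$user = (isset($_POST['user']) && is_string($_POST['user'])) ? $_POST['user'] : '';
$pass = (isset($_POST['pass']) && is_string($_POST['pass'])) ? $_POST['pass'] : '';

echo verifyLogin($hasher, $users, $dummyHash, $user, $pass)
    ? 'Access granted'
    : 'Access denied';
```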