Question

I'm trying to check users' hashed passwords against the ones I've saved in the database. It is almost the same issue as this guy, but I'm trying to do it with PDO and I'm unsure how to get the hashed password from the database to check it against. Here is my code for the login page so far:

<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);

require_once "/home/carlton/public_html/PHPproject/includes/PasswordHash.php";

if ($_POST){
$form = $_POST;
$username = $form['username'];
$password = $form['password'];


try{
    $db = new PDO('mysql:host=localhost;dbname=phpproject', 'root', 'pdt1848!');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
    catch(PDOException $e){
        echo "Can't connect to the database";
    }
$sql = "SELECT * FROM users WHERE username=:username";
$query = $db->prepare($sql);
$query->execute(array(':username'=>$username, ':password'=>$stored_hash));
$results = $query->fetchAll(PDO::FETCH_ASSOC);


$check = $hash_obj->CheckPassword($password, $stored_hash);
if($check){
    print_r("Registered user");
}
else{
    print_r("Not a registered user");
}


//login here
} 
else{
?>
<form name="login" action="login.php" method="POST">
<label for="username">Username: </label>
<input type="text" id="username" name="username"/><br />
<label for="password">Password: </label>
<input type="password" id="password" name="password"/><br />
<button type="submit">Submit</button>
<button type="reset">Reset Form</button>
</form>
<?php
}
?>

Solution 2

Pseudocode:

// Assumes $db is an already-connected PDO instance and that
// calc_hash_of_password_according_to_your_algorithm() applies exactly the same
// hashing (and salt) that was used when the password hash was stored.
$q = $db->prepare('SELECT * FROM usertable WHERE username=? AND passwordhash=?');

$thehashvalue = calc_hash_of_password_according_to_your_algorithm($_POST['password']);
$theusername  = $_POST['username'];

// Two ? placeholders, two values: positional parameters are bound in order.
$q->execute(array($theusername, $thehashvalue));

$authenticated = false;
$lastlogin = null;
while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
   # a row came back, so username and hash both matched: successfully authenticated
   $authenticated = true;
   $lastlogin = $r['lastlogin']; ## example. assumes a "lastlogin" column on "usertable"
}

if ($authenticated) {
   # user is logged in
} else {
   # login failed
}

The hash calc function could be as simple as md5($posted_passwd) but it is good practice to salt the hash so the same password makes different hashes for different users and/or on different systems. Just make sure you use the same hash function when storing the password hash in the database.

Other tips

That's simple.

You have to select the stored password first and then verify it.

You're really just checking that the hashed password you have in your DB matches the inputted password, once it too is similarly hashed.

  • Firstly, don't use the root account to access your DB
  • Try to avoid SELECT * - just select the columns you actually need.
  • The number of tokens (:username) must equal the number of bound params (':username'=>$username) in your query. Otherwise PDO will throw an error.
  • You have not posted the class that is handling the password verification itself, but it's basically just hashing the input and comparing the two, returning a bool.
  • Incidentally, print_r is to echo out the values of variables, arrays in particular. If you're just echoing a string as a response, then just print or echo is fine.
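The two answers above describe the same procedure from opposite ends: compute a hash and compare it inside the SQL WHERE clause, or fetch the stored hash by username and verify it in PHP. The following is an added example, not code from the question or either answer, that carries the second approach through end to end with PDO. It swaps in PHP's built-in password_hash()/password_verify() (PHP 5.5+, bcrypt with a per-password salt and a constant-time comparison) in place of PHPass or md5; that choice, the table layout (users with id, username and a 255-character password column), the low-privilege DB account name phpproject_app and the DB_PASSWORD environment variable are all assumptions made for the example.

```php
<?php
// Added example (not from the original question or answers): a complete PDO
// login check using PHP's built-in password_hash()/password_verify().
// Assumed schema: users(id INT, username VARCHAR, password VARCHAR(255)).
declare(strict_types=1);

function connect(): PDO
{
    // Assumption: a dedicated low-privilege account (never root), password
    // taken from the environment rather than hard-coded in the script.
    return new PDO(
        'mysql:host=localhost;dbname=phpproject;charset=utf8mb4',
        'phpproject_app',
        getenv('DB_PASSWORD') ?: '',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Registration side: store only the hash. password_hash() generates the salt
// itself and encodes salt, algorithm and cost into the returned string, so
// the login side needs nothing but the stored string to verify.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    $stmt->execute([':username' => $username, ':password' => $hash]);
}

// Login side: one :username token, one bound value. The hash is fetched by
// username and checked in PHP; it is never compared inside the SQL query.
function verifyLogin(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();

    if ($row === false) {
        // Unknown user: still run a verify against a dummy hash so the response
        // time does not reveal whether the username exists.
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // Transparently upgrade hashes created with an older cost or algorithm.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :password WHERE id = :id');
        $upd->execute([
            ':password' => password_hash($password, PASSWORD_DEFAULT),
            ':id'       => $row['id'],
        ]);
    }
    return true;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    try {
        $db = connect();
        if (verifyLogin($db, $username, $password)) {
            session_regenerate_id(true);   // new session id on login blocks fixation
            $_SESSION['logged_in'] = true;
            $_SESSION['username']  = $username;
            echo 'Login successful!';
        } else {
            echo 'Authentication failed. Please try again.';
        }
    } catch (PDOException $e) {
        error_log($e->getMessage());       // details go to the log, not the user
        http_response_code(500);
        echo "Can't connect to the database";
    }
}
```

The unknown-user branch matters more than it looks: without the dummy verify, a request for a nonexistent username returns noticeably faster than one for a real username with a wrong password, and that difference is enough to enumerate accounts. The same single-token, single-parameter shape of the SELECT is what the third tip above is about.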

Here is my working code for the login in case anyone else comes looking with a similar problem. The information I was looking for is at line 20, starting with $response. That allowed me to grab the password from the database, which I set equal to $stored_hash. I could then compare it using the CheckPassword function from PHPass.

<?php
session_start();
ini_set('display_errors', 1);
error_reporting(E_ALL);

require "/home/carlton/public_html/PHPproject/includes/PasswordHash.php";

if ($_POST){
    $form = $_POST;
    $username = $form['username'];
    $password = $form['password'];
    $hash_obj = new PasswordHash(8, false);

    try{
        $db = new PDO('mysql:host=localhost;dbname=phpproject', 'carl', 'pdt1848?');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    catch(PDOException $e){
        echo "Can't connect to the database";
        exit;
    }
    // Fetch the stored hash with a prepared statement: $username is bound as a
    // value rather than interpolated into the SQL string, so a crafted username
    // cannot alter the query.
    $response = $db->prepare("SELECT password FROM users WHERE username=:username");
    $response->execute(array(':username' => $username));
    $data = $response->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when the username does not exist; only call
    // CheckPassword when a row actually came back.
    $check = false;
    if ($data !== false) {
        $stored_hash = $data['password'];
        $check = $hash_obj->CheckPassword($password, $stored_hash);
    }
    if($check){
        echo "Login successful!";
        session_regenerate_id(true); // new session id on login to block fixation
        $_SESSION['logged_in'] = true;
    }
    else{
        echo "Authentication failed. Please try again.";
    }
}
else{
?>
<form name="login" action="login.php" method="POST">
    <label for="username">Username: </label>
    <input type="text" id="username" name="username"/><br />
    <label for="password">Password: </label>
    <input type="password" id="password" name="password"/><br />
    <button type="submit">Submit</button>
    <button type="reset">Reset Form</button>
</form>
<?php
}
?>
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow