I'm using a script that ircmaxell wrote called password_compat. I thought I followed his instructions correctly, but I cannot seem to get my password verified using password_verify($password, $hash).
The hashed password saved in my database is;
$2y$10$zYpSzIj7kTPv3H7wDI/uXSYqi1se46b38uumP6SM4XGMmsjU3q
I'm using PDO to grab my hashed password and using password_verify($password, $hash) to compare what the login form is posting. It's my understanding that BRCYPT is not a hashing function so password_verify($password, $hash) will do it's magic. I have no idea how the salt is created, but I would think it creates a custom salt for every new password, but how it can compare it to my saved password baffles me. How does it match the correct salt with the password? This whole not saving the salt in my database kind of confuses me, lol. Here is the code I'm using;
bcrypt
if($login->verifyip($_SERVER['REMOTE_ADDR']))
{
require_once 'password.php'; //password_compat supplied file
$username = $_POST['username'];
$password = $_POST['password'];
$dbpassword = $login->GetPassword($username); // pull saved password from db
// verify posted password with saved password
if(password_verify($dbpassword, $password))
{
echo 'verified';
}
else
{
echo 'not verified';
}
}
PDO
public function GetPassword($username)
{
$passwordSQL = 'CALL get_password(:_user)'; // using stored procedure
try
{
$pdo = new PDO('my login stuff');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$password = $pdo->prepare($passwordSQL);
$password->bindParam(':_user',$username);
$password->execute();
$fetch = $password->fetchColumn(0);
$password->closeCursor();
return $fetch;
}
catch(PDOException $e)
{
return 'error' . $e->getMessage();
exit();
}
}
I removed $hash like blender suggested.
Thanks for having a look :)
