I use PHP's password_hash and the bcrypt algorithm to hash my passwords. They are in a MySQL database.
password_hash($password, PASSWORD_BCRYPT);
Obviously, every hash generated by this function is different. But is it really necessary to identify the user by email/login or something, to grab his hash from the database and then verify it with PHP's password_verify()?
Is it really necessary to make this query and then check?
I mean, is it possible to check the hash first, and only afterwards do a query to check if it matches the one in MySQL?
Or something else maybe? I remember years ago I used something like checking inside the query, like
WHERE login = $login and pass = PASSWORD($password)
I especially mean this PASSWORD($password)?
Is there any option other than fetching the user's hash from the database and then verifying this hash with password_verify()?
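Why the hash has to be fetched first, as an added example that is not part of the original question: each bcrypt hash embeds its own random salt, so the lookup is done by login and the comparison happens in password_verify(). The users table, its columns, the sample account, the checkLogin() helper and the in-memory SQLite database (standing in for MySQL) are assumptions.

```php
<?php
// Added example: table/column names and the sample account are constructed.
// In-memory SQLite stands in for the MySQL database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (login TEXT PRIMARY KEY, pass TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (login, pass) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_BCRYPT)]);

// Two hashes of the same password differ because each embeds its own random
// salt, so "WHERE pass = <freshly computed hash>" can never match the stored row.
$a = password_hash('correct horse', PASSWORD_BCRYPT);
$b = password_hash('correct horse', PASSWORD_BCRYPT);
var_dump($a === $b);

// Verified against when the login is unknown, so both paths cost one bcrypt
// check and response time does not reveal which logins exist.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

function checkLogin(PDO $pdo, string $login, string $password, string $dummyHash): bool
{
    // Parameterised lookup by login only; the password never goes into the SQL.
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $stored = $stmt->fetchColumn();

    // password_verify() reads the cost and salt out of the stored hash,
    // recomputes bcrypt over the candidate password and compares the result.
    $ok = password_verify($password, $stored === false ? $dummyHash : $stored);
    if ($stored === false) {
        return false;
    }
    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        // Default cost changed since this hash was made: store an upgraded hash.
        $upd = $pdo->prepare('UPDATE users SET pass = ? WHERE login = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $login]);
    }
    return $ok;
}

var_dump(checkLogin($pdo, 'alice', 'correct horse', $dummyHash));
var_dump(checkLogin($pdo, 'alice', 'wrong password', $dummyHash));
var_dump(checkLogin($pdo, 'mallory', 'anything', $dummyHash));
```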