PHP PDO Error when fetching hashed strings from SQL table

Question

As I was changing my MySQLi to PDO , I encountered an error when fetching hashed strings from my users table.

This was the code I used before:

CheckPassword VERIFIES VALID USING MYSQLI

$mysqli = new mysqli("localhost","_USER_","_PASS_","_DB_");

$username = '_USERNAME_';
$pass = '_PASSWORD_';
$sql = "SELECT * FROM `users` WHERE username='$username' LIMIT 1";
$result = $mysqli->query($sql);
if($assoc = $result->fetch_assoc()){
    $db_pass = $assoc['userpass'];

    require 'PasswordHash.php';
    $hash_cost_log2 = 8;
    $hash_portable = FALSE;
    $hasher = new PasswordHash($hash_cost_log2, $hash_portable);

    if($hasher->CheckPassword($pass, $db_pass)) {
       echo "valid"; // VERIFIES VALID
    } else {
       echo "invalid";
   }
}

The reason why I switched to PDO was to prevent SQL Injections .

But now: CheckPassword VERIFIES INVALID USING PDO

$pdo = new PDO('mysql:dbname=_DB_;host=localhost', '_USER_', '_PASS_',
array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

$username = '_USERNAME_';
$pass = '_PASSWORD_';
$stmt = $pdo->prepare('SELECT * FROM `users` WHERE username = :u LIMIT 1');
$stmt->bindParam(':u', $username);
$stmt->execute();
if($fetch = $stmt->fetch(PDO::FETCH_ASSOC)){
    $db_pass = $fetch['userpass'];

    require 'PasswordHash.php';
    $hash_cost_log2 = 8;
    $hash_portable = FALSE;
    $hasher = new PasswordHash($hash_cost_log2, $hash_portable);

    if($hasher->CheckPassword($pass, $db_pass)) {
       echo "valid";
    } else {
       echo "invalid"; // VERIFIES INVALID
   }
}
}

How is it that; MySQLi fetches the hashed string different compared to PDO ? No matter what encryption I use for hashing the passwords, it CANNOT validate them as true when fetching using PDO , BUT only when fetching using MySQLi ?

Answer 1

The reason because when you comparing the password that the user enter and the password that in the database , its different , the pass that the user enter to log in to his account is not hashed while the one in the database is , so we need a way to hash the entered pass and validate it with the already hashed pass in the database . How to do that ? here

This is an example from a code that i use in my Control panel :

 <?php 

   // connect to your database

    if(isset($_POST['btn-login']))
        {

            $User_name = $_POST['userlogin'];
            $password_user = $_POST['pass'];

            $FetchUserData = $conn->prepare("SELECT * FROM users WHERE userlogin = ?");
            $FetchUserData->execute(array($User_name));
            $FetchedData = $FetchUserData->fetch(PDO::FETCH_ASSOC);

            if ($FetchedData)
                    {
                        $password = $FetchedData['userpassword']; // Save the fetched password inside variable 
                        $isPasswordCorrect = password_verify($password_user, $password); 

                        if( $password_user == $isPasswordCorrect )
                            {
                                $_SESSION['login_user']=$User_name;
                                header("location: home.php");
                            }
                        else 
                            {
                                echo "Password is wrong":
                            }

                    }
            else
                {
                    echo "User is not exist ";
                }
        }
?> 

This Code line is the code used to hash the enterd pass with the exist pass in the database :

$isPasswordCorrect = password_verify($password_user, $password); 

Small explanation :

password_verify(parameterA,parameterB)

• parameterA : The password that you want it to be validate .

• parameterB : the password that you want it to be validated with .( database that is stored in the database )

Hope this answer be helpful for you .