
change user password from hash store function to cleartext

I'm doing a tutorial about how to make a PHP MySQL login form. Now the tutorial is actually made too good and I would like to alter it a bit and change the login password to store cleartext instead of the hash. The hash line looks like this:

$new_password = password_hash($upass, PASSWORD_DEFAULT);

I made:

$new_password = $upass;

out of it. And it now saves the cleartext to the database, but the login doesn't work.

The login part looks like this, and I don't see the part where I expect the hashed password to be converted and matched...

public function doLogin($uname,$upass)
    {
        try
        {
            // Bound parameter: the username never goes into the SQL string itself
            $stmt = $this->conn->prepare("SELECT user_id, user_name, user_pass FROM users WHERE user_name=:uname");
            $stmt->execute(array(':uname'=>$uname));
            $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
            if($stmt->rowCount() == 1)
            {
                // user_pass holds the password_hash() output, not the password
                if(password_verify($upass, $userRow['user_pass']))
                {
                    $_SESSION['user_session'] = $userRow['user_id'];
                    return true;
                }
                else
                {
                    return false;
                }
            }
            // no such user: fail the login instead of returning null
            return false;
        }
        catch(PDOException $e)
        {
            // note: echoing the raw exception exposes database details to the browser
            echo $e->getMessage();
            return false;
        }
    }

The line:

if(password_verify($upass, $userRow['user_pass']))

Checks the hash of the password against the given password. As you've removed the hashing function it's comparing an un-hashed password against a clear text password.

Change it to:

if($upass == $userRow['user_pass'])

That should fix it.

Although you really should not be storing clear text passwords.

If you're not hashing the passwords anymore then you can't verify the hash.

if(password_verify($upass, $userRow['user_pass']))

Should be

if($upass == $userRow['user_pass'])

Understand that this is a very bad idea. You might not understand why hashing passwords is important.

For any reason, your database may be compromised and its data may be obtained by someone else. If the passwords are in what we call plain text, you will have leaked a piece of sensitive information that your users have trusted you with: their password (which is very likely to be a password shared in multiple services). This is a very serious issue.
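The mismatch both answers describe, as an added example that is not from the question, either answer, or the tutorial: password_verify() only succeeds against a value produced by password_hash(), so once one side stops hashing the login can never match. The users table is replaced by an array and the sample user is constructed here.

```php
<?php
// Added example: why the login broke, and the hashed flow it should keep.
// A flat array stands in for the users table; the user row is constructed.
declare(strict_types=1);

// Registration side: store the password_hash() digest, never the password.
function registerUser(array &$users, string $uname, string $upass): void
{
    $users[$uname] = [
        'user_id'   => count($users) + 1,
        'user_pass' => password_hash($upass, PASSWORD_DEFAULT),
    ];
}

// Login side, the same check as the tutorial's doLogin() without the PDO part.
function doLogin(array $users, string $uname, string $upass): bool
{
    if (!isset($users[$uname])) {
        return false;  // unknown user: same outcome as a wrong password
    }
    // The salt and cost live inside the stored digest, so password_verify()
    // can recompute and compare without any extra column.
    return password_verify($upass, $users[$uname]['user_pass']);
}

$users = [];
registerUser($users, 'alice', 'correct horse');  // constructed sample user

// The asker's situation: cleartext in the column, password_verify() at login.
// 'correct horse' is not a valid hash string, so password_verify() rejects it.
var_dump(password_verify('correct horse', 'correct horse'));

// The reverse mistake: a hash in the column compared with "==" at login.
// The digest (prefixed like "$2y$10$") never equals the password it came from.
var_dump('correct horse' == $users['alice']['user_pass']);

// The consistent pair: hash on registration, verify on login.
var_dump(doLogin($users, 'alice', 'correct horse'));
var_dump(doLogin($users, 'alice', 'wrong password'));
```

Only the last pair gives a true and then a false; the two mixed cases above it are always false, which is the "login doesn't work" symptom from the question.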
