How to verify a password in php which was inserted into the database through manual hashing by mysql query?

Question

Is there a way to verify the password through php that is inserted into mysql database via it's own hashing method?

For example, if I manually insert a user data in a table, suppose- users table, like this:

INSERT INTO users (email, pswd) VALUES ('demo@example.com', SHA1('pass123'));

And let us assume the hashed password inside mysql database is:

+------------------------------------------+
| pswd                                     |
+------------------------------------------+
| AAFDC23870ECBCD3D557B6423A8982134E17927E |
+------------------------------------------+ 

Now, I want to use php to create a login form and when user will insert the credentials they should be able to log in. I mean, there will not be any php registration form for users; passwords will be provided manually. But how can I verify the user provided data in php against the password stored in the mysql database?

As far as I know, the password_verify() in php only works when the password is hashed using its own password_hash() function.

I have found another solution, that is to use sql query again, like this-

SELECT pswd FROM users WHERE email='$_POST["email"]' AND pswd = md5($_POST["password"]);

And then by counting the resultset for any row return from executing that mysql query and thus verify. But, this seems to me a very bad approach. I don't know whether there is any other way or not. There must have some good approach to solve this issue. Or, may be I have to use another php form to insert the data into the database.

Your suggestions are highly appreciated. Thanks.

Answer 1

If we manually insert users and hashed passwords

INSERT INTO (username, password) VALUES ('humpty',SHA1('dumpty') )

Then we do the same thing to perform a verification, in a SELECT statement

SELECT u.username
  FROM users u
 WHERE u.username = :uname            
   AND u.password = SHA1( :pword )

$sth->bindValue(':uname','humpty');
$sth->bindValue(':pword','dumpty');

If we get a row back, then the username and password matched.

---

(Note that we're using prepared statement with bind placeholders; if for some unfathomable reason we can't do that, then at a minimum, potentially unsafe values incorporated into SQL next must be properly escaped. If we don't mitigate SQL Injection vulnerabilities, then we leave our app wide open to login attempts

$username = 'humpty'' OR 1=1 -- ';
$password = 'doesntmatter';

---

SHA-1 isn't the best choice for password hashes, it's computationally inexpensive. It would be better (more cryptographically secure) to use a more computationally expensive hash algoritm, such as bcrypt.

Somewhere the question jumped the rails, and added an MD5 function as a password hash. We should not consider MD5 suitable for password hashes. Ever.

Answer 2

I suggest you use password_hash() and store the resulting hash in the database.

INSERT INTO users SET email=?, pswd=?

If you need to insert a password manually, you can use a quick command-line PHP script to convert it to a hash. For example:

<?php echo password_hash($ARGV[1], PASSWORD_DEFAULT)."\n"; ?>

Use this string when you manually insert the password to your database using phpmyadmin or mysql client.

It's a good idea to avoid putting your password into a literal string in an SQL query, even if you hash it using an SQL function. Keep in mind the whole SQL string — unhashed — is logged in the query log and the binary log.

Later, when validating a login, fetch the password hash like this:

SELECT pswd FROM users WHERE email=?

Then your PHP code has the hash. You can use password_verify().

PS: Please learn to use parameterized queries and do not use $_POST variables in your SQL queries. That's an SQL injection vulnerability.