
I have a question about validating hashed passwords:

login.php

$login = $_POST['login'];
$password = $_POST['password'];
$hash = password_hash($password, PASSWORD_DEFAULT);
if(!empty($login) && !empty($password) && password_verify(??){

I want to make a secure login and I know that I have to verify the entered password against an existing hash (stored in the database?). I also know that bcrypt makes a new hash every time (because of a different salt, etc.).

The problem is that I don't know how to put this hash into the database, because I don't want to register new users; I have a static list of users (exactly two: admin and user).

I tried manually copying/pasting the hash, but it wouldn't work because, as I mentioned earlier, a new hash is created every time I run the script.

Can anyone help me with how to put the bcrypt hash in the database (only once) so I can just check whether the entered password is the same as the one in the database?

Do I need extra variables to store this hash?

EDIT:

login.php

<?php
session_start();
include("log.php");
include("pdo.php");
// Default to empty strings so missing POST fields do not raise notices
$login = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';

$adminHash = '$2y$10$lxPRtzzPDUZuPlodhU4QquP.IBrGpkjMNplpNgN9S1fEKd64tJ5vm';
$userHash = '$2y$10$Klt345wT66vA.4OAN5PEUeFqvhPQJ4Ua/A4Ylpc1ZcnJZv/hafgSu';

if(!empty($login) && !empty($password) && (password_verify($password, $adminHash) || password_verify($password, $userHash))){
    $query = $pdo->prepare('SELECT * FROM xx WHERE login = ? AND admin = ?');
    $query->execute(array( $login, 1));
    $result = $query->fetchAll();
    if(!empty($result)) {
        $_SESSION['logged_admin'] = 1;
    }
    else {
        $query->execute(array( $login, 0));
        $result = $query->fetchAll();
        if(!empty($result)) {
            $_SESSION['logged_user'] = 1;
        }
        else {
            $_SESSION['logged_error'] = 1;
        }
    }
}
else {
    $_SESSION['logged_error'] = 1;
}
header("Location: index.php");
exit; // stop executing after the redirect header is sent
?>

It seems to be working, but I don't know if it's the best/safest solution.
With more passwords it will be too complicated, I guess; still looking for the best option!
What if I need more users? Now every user has the same hash, and I get that it's dangerous. How do I make it safe? Generate a hash for every user and make an array of hashes?

  • Just store the hash wherever you store the static user list, and then compare the submitted password with the hash using password_verify Commented Dec 11, 2016 at 12:14
  • I think this post describes the best way to go about this: stackoverflow.com/questions/4795385/… Commented Dec 11, 2016 at 12:15
  • @JimL thanks for the answer, you mean storing it in the script? When I said a static list of users I was talking about the database. Where should I store that kind of information? Any idea? Commented Dec 11, 2016 at 12:19
  • @ChristopherHughes so if I want to have 10 users I need to store 10 hashes? And I also need to password_verify against every one of them? I know there is a better answer for this. Commented Dec 11, 2016 at 12:36
  • @dmnmlk if you have the users in the database then add the hashes to the same table Commented Dec 11, 2016 at 18:48

1 Answer

You first fetch the stored password_hash() value for that user from your database, and then compare it with password_verify($password, $storedpassword), like this: link
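The approach the answer and comments describe, written out as an added example (not code from the question or the answer): each user row carries its own hash, login looks up exactly one hash by login, and the plaintext is only ever compared with password_verify. It assumes a table named `users` with columns `login`, `password_hash` and `admin`, and a `$pdo` connection provided by the asker's pdo.php; the session keys are the asker's own.

```php
<?php
// Added example, not code from the question or the answer. Assumes a table
// users(login VARCHAR PRIMARY KEY, password_hash VARCHAR(255), admin TINYINT)
// and a PDO connection in $pdo, as provided by the asker's pdo.php.
require 'pdo.php';

// Run once (e.g. from the command line), then delete it. $users looks like
// ['admin' => ['secret', 1], 'user' => ['other', 0]]. Every user gets their
// own hash; the random salt is stored inside the hash string itself.
function seedUsers(PDO $pdo, array $users): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (login, password_hash, admin) VALUES (?, ?, ?)'
    );
    foreach ($users as $login => [$password, $isAdmin]) {
        $stmt->execute([$login, password_hash($password, PASSWORD_DEFAULT), $isAdmin]);
    }
}

// Look up the single hash that belongs to this login, then verify the
// submitted password against it. Returns the admin flag (0 or 1) on
// success and null on failure, without saying which part failed.
function authenticate(PDO $pdo, string $login, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT password_hash, admin FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // If PASSWORD_DEFAULT or its cost changed since the hash was stored,
    // re-hash now: login is the only moment the plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE users SET password_hash = ? WHERE login = ?')
            ->execute([password_hash($password, PASSWORD_DEFAULT), $login]);
    }
    return (int) $row['admin'];
}

// login.php body: replaces the hard-coded $adminHash / $userHash.
session_start();
$login = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';
$admin = ($login !== '' && $password !== '') ? authenticate($pdo, $login, $password) : null;
if ($admin === null) {
    $_SESSION['logged_error'] = 1;
} else {
    session_regenerate_id(true); // fresh session id after a successful login
    $_SESSION[$admin ? 'logged_admin' : 'logged_user'] = 1;
}
header('Location: index.php');
exit;
```

Because the hash is looked up by login, adding a tenth user is one more row, not one more password_verify call.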
