
Help With Hashed Passwords/Verify Logins/Errors?


LearnPHP


Hello, I'm pretty new to PHP. I'm currently using WebMatrix2, trying to learn PHP through trial and error. Right now I'm focusing on making user logins. So far I've made a registration page that sanitizes and filters user input, hashes the password with bcrypt and a salt (wonders if the salt is good enough), and stores all information to a MySQL database. I'm trying to create the login page and that's where I'm having trouble. I understand that I need to retrieve the stored information then test it against the user input, but it's not exactly working out. When I tried to test the user input against the hashed password it fails, I get the "sql query failed". Then I got rid of the hashing just to see if it would verify just plain text and I found out that it just failed completely. What I mean by failed is that whatever username and password I input, it would say "successfull password", even if I purposely input wrong information. I'm not sure if the problem is the query to the database or the comparison between the user input and result set from the query. Any corrections or tips are welcomed, thanks in advance! Here's the code with the bcrypt:

Registration.php

<?php
require_once("db.php");

if (isset($_POST['submit'])) {
    $filter = array(
        "username" => array("filter" => FILTER_SANITIZE_STRING),
        // Note: FILTER_SANITZE_STRING as posted is a typo for FILTER_SANITIZE_STRING
        "password" => array("filter" => FILTER_SANITZE_STRING),
        "email"    => FILTER_VALIDATE_EMAIL,
    );
    $result = filter_input_array(INPUT_POST, $filter);
    if (!$result["email"]) {
        echo "invalid email";
    }
    $username = $result['username'];
    $pass     = $result['password'];
    $email    = $result['email'];

    // 16 random bytes, base64-encoded, with '+' and '=' replaced by '.' so the salt is valid for crypt()
    $iv      = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    $replace = array("+", "=");
    $salt    = str_replace($replace, ".", base64_encode($iv));
    // bcrypt with cost 10; crypt() uses the first 22 salt characters and returns a 60-character
    // string ("$2a$10$" + salt + digest), so the salt is stored inside the hash itself
    $password = crypt($pass, '$2a$10$' . $salt);

    $sql  = "INSERT INTO users (username,password,email) VALUES (?, ?,?)";
    $stmt = mysqli_prepare($con, $sql);
    // Note: mysqli_bind_param() does not exist; the procedural function is mysqli_stmt_bind_param()
    mysqli_bind_param($stmt, 'sss', $username, $password, $email);
    mysqli_stmt_execute($stmt);
    if (mysqli_affected_rows($con) > 0) {
        $userid = mysqli_insert_id($con);
        echo "created user successfull";
        $_SESSION['username'] = $username;
        $_SESSION['userid']   = $userid;
    } else {
        echo "creation failed";
    }
}
?>

Login.php

<?php
require_once("db.php");

if (isset($_POST['submit'])) {
    // Note: procedural mysqli_real_escape_string() requires the connection as its first argument;
    // called with one argument it emits a warning and returns NULL
    $password = mysqli_real_escape_string($_POST['password']);
    $username = mysqli_real_escape_string($_POST['username']);

    $sql  = "SELECT username,password FROM users WHERE username=? LIMIT 1";
    // Note: mysqli_prepare() also needs $con as its first argument; without it no statement is
    // prepared, which is why the "sql query failed." branch is reached
    $stmt = mysqli_prepare($sql);
    // Note: mysqli_bind_param() does not exist (mysqli_stmt_bind_param() does)
    mysqli_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);

    if (mysqli_affected_rows($con) > 0) {
        echo "sql query success" . "<br/>";
        // Note: $sql is the query string, not a result set; a prepared statement's row has to be
        // fetched with mysqli_stmt_bind_result()/mysqli_stmt_fetch() or mysqli_stmt_get_result()
        $row      = mysqli_fetch_array($sql);
        $hashpass = $row["password"];
        $user     = $row["username"];
        if (crypt($password, $hashpass) == $hashpass && $username == $user) {
            echo "successfull password";
            echo "<br/>";
        } else {
            echo "fail pass check";
            echo mysqli_error($con);
        }
    } else {
        echo "sql query failed.";
    }
}
?>


Sorry, I forgot to add this one, I don't see an edit anywhere?.. I also tried this as well for the Login.php; the query works but then I get "fail pass check". When I get rid of the crypt it says "successfull password" for all input.

<?php
require_once("db.php");

if (isset($_POST['submit'])) {
    // Note: without $con as the first argument these calls emit a warning and return NULL,
    // so $username and $password are both NULL from here on
    $username = mysqli_real_escape_string($_POST['username']);
    $password = mysqli_real_escape_string($_POST['password']);

    // The query itself succeeds (a result set with zero rows is still a valid result)
    if ($sql = mysqli_query($con, "SELECT * FROM users WHERE username='$username' LIMIT 1")) {
        echo "successfull query";
        echo "<br/>";
        // Note: no row matches an empty username, so $row, $user and $hashpass are all NULL.
        // crypt(NULL, NULL) never equals NULL, hence "fail pass check"; with crypt() removed the
        // comparison becomes NULL == NULL, which is true for any input
        $row      = mysqli_fetch_array($sql);
        $user     = $row["username"];
        $hashpass = $row["password"];
        if (crypt($password, $hashpass) == $hashpass && $user == $username) {
            echo "successfull password";
            echo "<br/>";
        } else {
            echo "fail pass check";
            echo mysqli_error($con);
        }
    } else {
        echo "sql query failed." . mysqli_error($con);
    }
}
echo mysqli_error($con);
?>


You need to generate the password hash the same way every time. When they register you're basically creating a random salt, and hashing the password plus the salt. When you're checking on login you're using a different salt, you're using the hashed password instead of the random salt. You should save the salt in the database so that you can use the same one to compare with later.


You need to generate the password hash the same way every time. When they register you're basically creating a random salt, and hashing the password plus the salt. When you're checking on login you're using a different salt, you're using the hashed password instead of the random salt. You should save the salt in the database so that you can use the same one to compare with later.
Does that mean that every time the user logs in a different password is created in the database? Password + new salt = new password stored in db

You need to generate the password hash the same way every time. When they register you're basically creating a random salt, and hashing the password plus the salt. When you're checking on login you're using a different salt, you're using the hashed password instead of the random salt. You should save the salt in the database so that you can use the same one to compare with later.
Okay, I understand what you're saying but I'm a little confused. I thought I've read (or maybe I am misunderstanding) that if you save the hashed password+salt, I could just use that as the salt when comparing the user input password since it will have the same salt? Or should I really save the salt separately and just retrieve it from the database, then crypt it with the user input, then compare it to the stored hashed password?

if you save the hashed password+salt, I could just use that as the salt when comparing the user input password since it will have the same salt?
That's not correct. A salt is just a string of characters, like the password. If you use a different string for the salt then you will end up with a different hash. The original password hash you save has no connection to the original password and salt; you cannot reverse the hash to get those. When you check as they log in again, in order for the hash to match what you have saved in the database you need to use the same password and the same salt. The resulting hash will only match what you have saved in the database if both the password and salt were the same, which is how you know they entered the correct password. The salt might as well be another password that the user doesn't have to type, that you just have saved in the database. If it is different then the hash you create will not match.
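The salt handling discussed in this exchange, as an added example that is not the thread's or the original poster's code: with bcrypt through crypt(), the 60-character string returned at registration already contains the cost and the 22-character salt, so login re-runs crypt() with that stored string as the salt argument and compares the two. It assumes a mysqli connection in $con (as in the poster's db.php), a `users` table with a `password` column of at least VARCHAR(60), and the `$2y$` bcrypt identifier available since PHP 5.3.7; the function names are this example's own.

```php
<?php
// Added example, not from the thread. Assumes $con (mysqli) and a users(username, password)
// table whose password column holds at least 60 characters, or the hash is silently truncated.

function make_bcrypt_hash($plain, $cost = 10) {
    // 16 random bytes -> base64 -> bcrypt alphabet [./A-Za-z0-9]; 16 bytes give 22 clean
    // characters before the '=' padding. (On PHP 7, random_bytes() replaces mcrypt_create_iv.)
    $salt = substr(strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.'), 0, 22);
    // "$2y$" is the corrected bcrypt identifier; "$2a$" carries a known bug on older PHP builds.
    // Result is 60 characters: "$2y$10$" + 22-char salt + 31-char digest, salt included.
    $hash = crypt($plain, sprintf('$2y$%02d$', $cost) . $salt);
    if (strlen($hash) !== 60) {           // crypt() returns "*0"/"*1" when hashing fails
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

function verify_bcrypt($plain, $stored) {
    // crypt() reads cost and salt out of $stored itself, so no separate salt column is needed
    $candidate = crypt($plain, $stored);
    // Constant-time comparison where available (hash_equals needs PHP 5.6); never loose ==
    return function_exists('hash_equals') ? hash_equals($stored, $candidate) : $stored === $candidate;
}

function login($con, $username, $password) {
    // Prepared statement with the connection passed explicitly; no manual escaping required
    $stmt = mysqli_prepare($con, "SELECT password FROM users WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $stored);
    $found = mysqli_stmt_fetch($stmt);    // true when a row came back, NULL when none did
    mysqli_stmt_close($stmt);
    if ($found !== true) {
        // Unknown user: still spend one bcrypt computation so the response time does not
        // differ from the wrong-password case, then fail
        verify_bcrypt($password, '$2y$10$' . str_repeat('.', 53));
        return false;
    }
    return verify_bcrypt($password, $stored);
}

// Registration stores make_bcrypt_hash($pass); login checks login($con, $username, $password).
```

On PHP 5.5 and later, password_hash() and password_verify() wrap exactly this scheme (bcrypt, salt embedded in the hash, constant-time compare) and are the preferred API.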