Understanding Websecurity.Login in PHP
Actually I am using SQL database to develop a php website and in the database I have encrypted password the old developer was using ASP.net to build the existing website and I notice he using Websecurity.login(username, password, remember); in his asp coding so the question is in php how should I encrypt password before checking in the database ? because for example the password is 123456 and in the database it’s stored something like:
I tried hash in php:
$password = '123456'; echo $hashed_password = password_hash($password, PASSWORD_DEFAULT);
but the output is not matched with the password I have in SQL database I mean with: APIRqglSo1JVsMAa0SV+/bizLKwpLgSAdkIc5RAEyHYgIrGPHy3+u8qdsyakDvsUAA==
Any idea how should I encrypt password into order to make it same like in database so I can make login using php.
You can be sure, that if you use php
password_hash function, the output will not always be the same. Just reload the site a couple of times and you will see, that the generated password via
password_hash will change most likely every time.
Head to the doc: https://www.php.net/manual/en/function.password-hash.php
The stored password looks like some Base64 to me – but i am just assuming.
In order to check the password later, you use
password_verify -> https://www.php.net/manual/en/function.password-verify.php
password_verify requires the users input – the password, as well as the encrypted password in the database. Please keep in mind: They will not be the exactly same, if you look on the encrypted strings!
A normal procedure would be:
- The user creates an account with a user / password combination
- You store the user and the
password_hashin the database
- When the user tries to login, you select the user by the entered username
- You check via
password_verifyif the return value of that function is true, by bypassing the original entered password in the login, as well as the stored database password.