
I've created a simple login/registration form. The registered information is stored in a .txt file (this is for educational purposes only, not real use).

I am hashing the registered input before I put it in the .txt file. When the user logs in I want to use password_verify to check the hash. If the hash is the same as the login input the user is verified and should therefore be logged in.

With the current code, even if the login is the same as what's stored in the .txt file, it jumps straight to the }else statement that says username and/or password is incorrect.

EDIT: If I enter username as 123 and password as 123 the textfile shows:

$2y$10$VeZB8AZmL9lAfRQ1qKBxEug8A3RrPxM9JlOAo9prw/UOWU4.XpdqC,$2y$10$kU5AvH4hTgE1cvHmTItIU.pnTsbYvKH9bLl3Bxfy4ig7QZKdVVV46,

I am new to PHP and programming in general and any help is appreciated :)

    // GETS FORM INPUT
    if(isset($_POST['username']) && $_POST['password']){
      $username = $_POST['username'];
      $password = $_POST['password'];

      $hashName = password_hash($username, PASSWORD_DEFAULT);
      $hashPass = password_hash($password, PASSWORD_DEFAULT);
    }

    // LOGIN
    if($_POST['btn'] == 'Login'){
      userExist($username, $password, $hashName, $hashPass);
    }

    // REGISTER
    else if(($_POST['btn'] == 'Register')){
      $fh = fopen("logininfo.txt", 'a') or die("Unable to open file");

      $login = <<<_END
    $hashName,$hashPass,
    _END;
      fwrite($fh, $login) or die("Unable to write to file");
      fclose($fh);
    }

    // VERIFIES USER
    function userExist($username, $password, $hashName, $hashPass){

      $accounts = file_get_contents('logininfo.txt');
      $accArray = explode(',', $accounts);

      print_r($accArray);
      if((password_verify($hashName, $accArray[0])) && (password_verify($hashPass, $accArray[1]))){
        header('Location: index.php');
      }else{
        echo "username and/or password is incorrect";
      }
    }
  • There is normally no requirement to hash usernames, only passwords – ADyson Feb 23 '22 at 18:18
  • And the storage of logins is a job for a database, not file storage. There's no point educating yourself to use such an unrealistic storage scenario. A simple database would be trivial to set up, and make your life much easier – ADyson Feb 23 '22 at 18:19
  • Also since we can't see what the exact content of your file is, or what input values you used, it's hard to say exactly what might be going wrong precisely - please edit the question to provide more info – ADyson Feb 23 '22 at 18:20
  • Anyway the main flaw is that you don't need to hash the password received during login. Look again at examples of password_verify usage...you'll find it compares a plain text password against a hashed password. It does not compare two hashes. https://www.php.net/manual/en/function.password-verify.php – ADyson Feb 23 '22 at 18:24
  • Reference question and answers: [How to use PHP's password\_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) – ADyson Feb 23 '22 at 18:25
  • @ADyson Thank you, it's for a university assignment, otherwise I would never do it this way. I updated with the input info and what's hashed. I saw in the manual that it compared plain text against a hash, however if I need to hash it for the text file and then fetch the info from the text file I don't see how I can get it in plain text.. Thanks for your help, I'll have a look at the links you sent – Taipan Feb 23 '22 at 18:30
  • `it's for a university assignment otherwise I would never do it this way`...why would that make any difference? Serious question. You can still use a database, even if it's Sqlite – ADyson Feb 23 '22 at 18:31
  • `I dont see how I can get it in plain text`...no, it's the password the user enters at login time which has to be plain text. Then you compare that to the stored hash. Read the links I gave – ADyson Feb 23 '22 at 18:32
  • Currently your code hashes the password no matter which button was pressed. You need to change it so it only hashes it when registering. For login, just keep it as plain text – ADyson Feb 23 '22 at 18:33
  • @ADyson Thanks for your help, I shuffled some things around, and it is now working :) – Taipan Feb 23 '22 at 18:49
  • Great. But don't overwrite the original code with the fixed version, it makes a nonsense of all the comments and answers. I've rolled it back for you. Since the question is closed you could edit it to add some details of your solution as extra info, but it's hardly necessary since the solution is clear from the answers and comments and the nominated duplicate question – ADyson Feb 23 '22 at 18:58
  • @ADyson alright, I'm new to SO as well so I appreciate the feedback. Thanks for your help – Taipan Feb 23 '22 at 19:00
  • No problem. Take the [tour] if you're unsure how it all works – ADyson Feb 23 '22 at 19:01
  • @ADyson will do! – Taipan Feb 23 '22 at 19:03

1 Answer

There's too much hashing here.

When registering a user you store the unhashed user name and the password hashed with password_hash().

When logging in you use the unhashed user name to recover the hashed password for that user, then use password_verify() to compare the unhashed password the user has given you with the hashed password you stored.

password_hash() adds a random salt to the password and stores the salt and the generated hash in the resulting string. Even if you hash the same password twice you'll get a different result each time.

  • Thank you, I shuffled some things around and I'm now only hashing when the user registers. What's entered in the txt file is then compared to the login input using password_verify and everything works. – Taipan Feb 23 '22 at 18:51
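The register/login flow the answer describes, written out as an added example (this is not the asker's code nor code from the answer). It keeps the flat file to match the assignment, but stores `username,hash` one account per line so the login can look up the stored hash by the plain username; the file name, line layout and function names are assumptions for this demo. It also shows why comparing two hashes can never work: password_hash() embeds a fresh random salt each call. Requires PHP 8.0+ (for str_contains).

```php
<?php
declare(strict_types=1);

// Added example, not the original question's or answer's code. File name,
// "username,hash" line layout and function names are assumptions for the demo.
const ACCOUNTS_FILE = __DIR__ . '/logininfo_demo.txt';

// Look up the stored hash for a username; null when the name is unknown.
function findHash(string $username, string $file = ACCOUNTS_FILE): ?string
{
    if (!is_file($file)) {
        return null;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        // Split on the first comma only; a bcrypt hash never contains one.
        $parts = explode(',', $line, 2);
        if (count($parts) === 2 && $parts[0] === $username) {
            return $parts[1];
        }
    }
    return null;
}

// Register: store the plain username next to password_hash() of the password.
// Only the password is hashed; the username must stay readable for the lookup.
function registerUser(string $username, string $password, string $file = ACCOUNTS_FILE): bool
{
    if ($username === '' || str_contains($username, ',') || str_contains($username, "\n")) {
        return false; // keep the delimiter and line breaks out of the stored name
    }
    if (findHash($username, $file) !== null) {
        return false; // name already taken
    }
    $hash = password_hash($password, PASSWORD_DEFAULT); // random salt is embedded in the result
    $line = $username . ',' . $hash . PHP_EOL;
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Login: hand the plain-text password the user typed to password_verify(),
// which reads the salt and cost back out of the stored hash. Do NOT hash the
// login input first: a fresh password_hash() never equals the stored string.
function loginUser(string $username, string $password, string $file = ACCOUNTS_FILE): bool
{
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);

    $hash = findHash($username, $file);
    if ($hash === null) {
        // Unknown user: still run one verify so response time does not
        // reveal which usernames exist.
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $hash);
}

// Demo run on constructed input (the "123"/"123" pair from the question).
@unlink(ACCOUNTS_FILE);
var_dump(registerUser('123', '123'));
var_dump(registerUser('123', 'again'));   // second registration of the same name is refused
var_dump(loginUser('123', '123'));
var_dump(loginUser('123', '124'));
var_dump(loginUser('nobody', '123'));

// Why comparing two hashes fails: the same password hashes differently each
// time (different random salt), yet password_verify() accepts both.
$h1 = password_hash('123', PASSWORD_DEFAULT);
$h2 = password_hash('123', PASSWORD_DEFAULT);
var_dump($h1 !== $h2);
var_dump(password_verify('123', $h1) && password_verify('123', $h2));

unlink(ACCOUNTS_FILE);
```

Run it with `php` from the command line; it creates and removes its own demo file. On a successful login, a real application would also call password_needs_rehash() on the stored hash and re-store it with the current PASSWORD_DEFAULT cost when that returns true, which is how the stored hashes get upgraded as the default algorithm or cost changes.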