I'm rewriting all of our scripts to use the PHP 5.5 password_hash. My question is about authenticating a user: I have to pull out the user's hashed password before I can authenticate them. I've always been under the impression that it's bad practice to ever pull a password out, regardless of whether it's hashed. Am I missing something here?
Huh? You can do a query with the HASH of the entered password and compare it to the stored hash? Never try to make a password from a hash... as it won't work!!
But if I hash it with password_hash, it creates a new hash and won't be the same as the one in the DB? Here's where I'm at:

```php
<?php
// The stored hash column (`pass`) must be selected, since password_verify() reads $row['pass'];
// it was missing from the original column list.
$statement = $dbconn->prepare("SELECT id, fname, sname, email, pass, temppass, postcode, agerange, sex, regdate FROM users WHERE email = :email");
$statement->execute([":email" => $_GET['email']]);
$row = $statement->fetch(PDO::FETCH_ASSOC);

// fetch() returns false when no user has that email; verify only when a row exists.
if ($row !== false && password_verify($_GET['pass'], $row['pass'])) {
    $message = [
        "users" => [[
            'id'       => $row['id'],
            'fname'    => $row['fname'],
            'sname'    => $row['sname'],
            'email'    => $row['email'],
            'temppass' => $row['temppass'],
            'postcode' => $row['postcode'],
            'agerange' => $row['agerange'],
            'sex'      => $row['sex'],
            'regdate'  => $row['regdate']
        ]]
    ];
    echo json_encode($message);
} else {
    $message = [
        "login" => [[
            "error" => "Incorrect details"
        ]]
    ];
    echo json_encode($message);
}
?>
```

I just don't like pulling that hashed password out, but I'm not seeing any other way using password_verify...
Yeah, you gotta pull it. It's okay, but I wouldn't store it in a session or elsewhere after pulling it.
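An added, self-contained example (not code from any poster in this thread) of the pattern the replies describe: store only the `password_hash()` output, fetch that one hash for the submitted email at login, hand it to `password_verify()`, and never return it or put it in the session. It uses an in-memory SQLite PDO connection and a `users` table with `id`, `email` and `pass` columns, all constructed here for the demonstration; the function names `storeNewUser` and `authenticate` are hypothetical. It also shows why re-hashing the login input and comparing strings cannot work: each `password_hash()` call embeds a fresh random salt, so two hashes of the same password differ.

```php
<?php
// Added example, assumes a PDO connection and a users(id, email, pass) table.

// Registration: store only the hash. Each call embeds a random salt, so the same
// password produces a different string every time.
function storeNewUser(PDO $dbconn, string $email, string $plaintext): void
{
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);
    $stmt = $dbconn->prepare("INSERT INTO users (email, pass) VALUES (:email, :pass)");
    $stmt->execute([':email' => $email, ':pass' => $hash]);
}

// Login: fetch only the hash for this email, verify, and discard it.
// Returns the user's id on success, null on any failure.
function authenticate(PDO $dbconn, string $email, string $plaintext): ?int
{
    // A valid hash of a throwaway value, used so that an unknown email costs about
    // the same time as a known one (avoids revealing which emails exist by timing).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-value-not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $dbconn->prepare("SELECT id, pass FROM users WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($plaintext, $dummyHash);
        return null;
    }
    if (!password_verify($plaintext, $row['pass'])) {
        return null;
    }

    // If PHP's default algorithm or cost has changed since the hash was stored,
    // re-hash now while the plaintext is available.
    if (password_needs_rehash($row['pass'], PASSWORD_DEFAULT)) {
        $upd = $dbconn->prepare("UPDATE users SET pass = :pass WHERE id = :id");
        $upd->execute([':pass' => password_hash($plaintext, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }

    // The hash never leaves this function: only the id is returned.
    unset($row['pass']);
    return (int) $row['id'];
}

// Demonstration on a constructed in-memory database.
$dbconn = new PDO('sqlite::memory:');
$dbconn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbconn->exec("CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT UNIQUE, pass TEXT)");
storeNewUser($dbconn, 'alice@example.com', 'correct horse battery staple');

// Two hashes of the same password are not string-equal, which is why the login
// input must be checked with password_verify() against the stored hash.
$sameString = password_hash('same input', PASSWORD_DEFAULT) === password_hash('same input', PASSWORD_DEFAULT);
var_dump($sameString);

var_dump(authenticate($dbconn, 'alice@example.com', 'correct horse battery staple'));
var_dump(authenticate($dbconn, 'alice@example.com', 'wrong password'));
var_dump(authenticate($dbconn, 'nobody@example.com', 'anything'));
```

Run it with `php example.php`; it needs the `pdo_sqlite` extension. The design point is that the hash is pulled out exactly once, inside the function that verifies it, and the caller only ever sees the user id (or null), so nothing downstream can accidentally log, echo or store the hash.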
He's using PHP's password_hash function, which is better than a simple MD5 hash. That's the reason he said it's less secure.