php - check login

i have a problem with my code, i need to check an hash value in the db, but the hash never match to the stored, so login is not permit 开发者_运维技巧(if i change to normal text it is permit, then the problem is the hash)

I have two alternatives, but none works

first: i don't know what is the problem in this code

<?php 

$db_host = 'localhost';
$db_port = 3306;
$db_user = 'root';
$db_pass = 'xxx';
$db_name = 'emprego';

$db = new mysqli($db_host, $db_user, $db_pass, $db_name, $db_port);
if (mysqli_connect_errno())
fail('MySQL connect', mysqli_connect_error());

require('PasswordHash.php');

$name=mysql_real_escape_string($_POST['name']);

$myPassword = mysql_real_escape_string($_POST['myPassword']);

$pwdHasher = new PasswordHash(8, FALSE);

$hash = $pwdHasher->HashPassword( $myPassword);

($stmt = $db->prepare('select pass from users where username=?'))
|| fail('MySQL prepare', $db->error);
$stmt->bind_param('s', $name)
|| fail('MySQL bind_param', $db->error);
$stmt->execute()
|| fail('MySQL execute', $db->error);
$stmt->bind_result($hash)
|| fail('MySQL bind_result', $db->error);
if (!$stmt->fetch() && $db->errno)
fail('MySQL fetch', $db->error);

if ($pwdHasher->CheckPassword($myPassword, $hash)) {
    echo "yes";
} else {
    echo "no"; 
}

?>

second alternative: the hash never matches because it is generated a new one, i think

<?php 
include("includes/f_banco.php");
conecta ();

require('PasswordHash.php');

$name=mysql_real_escape_string($_POST['name']);

$myPassword = mysql_real_escape_string($_POST['myPassword']);

$pwdHasher = new PasswordHash(8, FALSE);

$hash = $pwdHasher->HashPassword( $myPassword);

$sql="SELECT * FROM users WHERE username='".$name."' and pass='".$hash."' ";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);

if(mysql_num_rows($result)>0){
    echo "yes";
}
else
echo "no"; 

?>

any help? i just need one of both.

Thanks :)

First of all you tagged your question as PDO but you're using the mysqli interface. I suggest you actually use PDO.

Some suggestions while lacking more details:

• I don't understand what your "hashing class" does as its code is not written; check that it uses the same hashing algorithm that was used to store the password
• do not escape the password if you're going to hash it anyway
• use the second kind of check (with clauses both on user and pass), it's just more straightforward

Assuming you know how the password was originally hashed before being saved to the database, just repeat the same process. If no salt was used, then don't use any salt during the check. If sha1() was used rather than md5(), then directly use that function and drop the external class (unless you need any other functionality from it).

solved with this code

 <?php

require '../PasswordHash.php';

$db_host = 'localhost';
$db_port = 3306;
$db_user = 'root';
$db_pass = 'xxx';
$db_name = 'emprego';

$hash_cost_log2 = 8;

$hash_portable = FALSE;

$debug = TRUE;


function get_post_var($var)
{
    $val = $_POST[$var];
    if (get_magic_quotes_gpc())
        $val = stripslashes($val);
    return $val;
}

$user = get_post_var('name');
$pass = get_post_var('myPassword');

$db = new mysqli($db_host, $db_user, $db_pass, $db_name, $db_port);
if (mysqli_connect_errno())
    fail('MySQL connect', mysqli_connect_error());

$hasher = new PasswordHash($hash_cost_log2, $hash_portable);

    ($stmt = $db->prepare('select pass from users where username=?'))
        || fail('MySQL prepare', $db->error);
    $stmt->bind_param('s', $user)
        || fail('MySQL bind_param', $db->error);
    $stmt->execute()
        || fail('MySQL execute', $db->error);
    $stmt->bind_result($hash)
        || fail('MySQL bind_result', $db->error);
    if (!$stmt->fetch() && $db->errno)
        fail('MySQL fetch', $db->error);

    if ($hasher->CheckPassword($pass, $hash)) {
        $what = 'yes';
    } else {
        $what = 'no';
    }

echo "$what";

?>