I am having trouble pulling back data from my DB when using a hashed password. I use hash_hmac/sha256 as follows:
```php
function get_password_hash($password){
    return hash_hmac('sha256', $password, 'xxxxxxx', false);
}
```
$p is a non-hashed password; with this stored in my database, the below works perfectly:
```php
$loginQuery = $dbc->prepare("SELECT id, username FROM users WHERE (email=? AND pass=?)");
$loginQuery->bind_param('ss', $e, $p);
$loginQuery->execute();
$loginQuery->bind_result($id, $username);
while ($loginQuery->fetch()) {
    $_SESSION['user_id'] = $id;
    $_SESSION['username'] = $username;
}
```
If I update my database to hold the hashed password instead, and update the above to be as follows, the SQL statement brings nothing back from my database.

```php
$pas = get_password_hash($p);
$loginQuery = $dbc->prepare("SELECT id, username FROM users WHERE (email=? AND pass=?)");
$loginQuery->bind_param('ss', $e, $pas);
$loginQuery->execute();
$loginQuery->bind_result($id, $username);
while ($loginQuery->fetch()) {
    $_SESSION['user_id'] = $id;
    $_SESSION['username'] = $username;
}
```
I understand that this is because the database record holds the hashed password in a varbinary field but in my SQL query, I am using a string.
The parameter type options I can use in the prepared statement are String, Blob, Double and Integer; which of these relate to varbinary fields in my DB?
I saw a similar post which suggested a fix using pack() to convert string to binary; how would this work here?
Comments:

- `mysqli_real_escape_string` and parameter binding. It's either or, never both.
- `$pas` variable to confirm it's the same value as the hash in your database.
- `false` in your hmac to get a string result, and just use that instead of the binary encoding (which will indeed break when you use both `mysqli_real_escape_string` and parameter binding)
- `hash_hmac()` with the fourth parameter set to `false` like you have it returns a regular string, not a binary string.
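The comments point at the core of the problem: `hash_hmac()` with the fourth argument `false` returns a 64-character hex string, while `true` returns the 32 raw bytes, and a `WHERE pass=?` against a VARBINARY column compares the bound string byte-for-byte. The script below is an added example, not code from the question or its comments; it uses the placeholder key `'xxxxxxx'` from the question, a constructed sample password, and a constructed stand-in for the value read back from the database. The `diagnose_stored_encoding()` helper is a hypothetical name introduced here to show the check the comments recommend (compare what you bind against what is actually stored) without relying on a live database.

```php
<?php
// Added example (not the question's code). Shows the two outputs of hash_hmac()
// and a diagnostic that tells you which encoding a stored value is in.

const HMAC_KEY = 'xxxxxxx'; // placeholder key taken from the question, not a real secret

// raw_output = false: 64 hex characters, safe to store or print as text
function get_password_hash_hex(string $password): string
{
    return hash_hmac('sha256', $password, HMAC_KEY, false);
}

// raw_output = true: 32 raw bytes, only meaningful inside a binary column
function get_password_hash_raw(string $password): string
{
    return hash_hmac('sha256', $password, HMAC_KEY, true);
}

/**
 * Compare a value fetched from the DB against the hex digest of a candidate
 * password. Returns 'hex', 'raw', or 'none' to say which encoding the stored
 * value matches. hash_equals() is used so the comparison is constant-time.
 */
function diagnose_stored_encoding(string $stored, string $password): string
{
    $hex = get_password_hash_hex($password);
    $raw = get_password_hash_raw($password);

    if (strlen($stored) === 64 && hash_equals($stored, $hex)) {
        return 'hex';   // column holds the printable digest; binding $pas as 's' matches
    }
    if (strlen($stored) === 32 && hash_equals($stored, $raw)) {
        return 'raw';   // column holds raw bytes; binding the hex string can never match
    }
    return 'none';      // different key, different password, or a truncated column
}

$password = 'correct horse battery staple'; // constructed sample password

$hex = get_password_hash_hex($password);
$raw = get_password_hash_raw($password);

printf("hex digest: %s (%d bytes)\n", $hex, strlen($hex));          // 64 bytes
printf("raw digest: %s (%d bytes)\n", bin2hex($raw), strlen($raw)); // 32 bytes

// Same HMAC, two encodings: they are never equal byte-for-byte, which is exactly
// the comparison MySQL performs when a bound string meets a VARBINARY column.
var_dump($hex === $raw);          // bool(false)
var_dump(bin2hex($raw) === $hex); // bool(true)

// Stand-ins for what SELECT pass FROM users ... would return (constructed here).
$storedAsHex = $hex;
$storedAsRaw = $raw;

echo diagnose_stored_encoding($storedAsHex, $password), "\n"; // hex
echo diagnose_stored_encoding($storedAsRaw, $password), "\n"; // raw
echo diagnose_stored_encoding($storedAsRaw, 'wrong password'), "\n"; // none
```

Run it next to a `var_dump($pas)` and a `var_dump(bin2hex($row['pass']))` from the real table: if the stored value is 32 bytes the column holds the raw form and the hex string bound as `'s'` will never match; if it is 64 bytes but still does not match, the key or the password differs from what was used at insert time. Keeping the `false` (hex) form everywhere, as the comments suggest, avoids the encoding mismatch entirely.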