3

I'm trying to compare a hashed password value in a MySQL database with the hashed value of an inputted password from a login form.

However, when I compare the two values it says they aren't equal. I removed the salt to simplify, and then tested what the outputs were and got the same values.

$password1 = $_POST['password'];
$hash = hash('sha256', $password1);
// ...connect to database, etc...
// Escape the username before interpolating it into the query
$username1 = mysql_real_escape_string($username1);
$query = "SELECT *
    FROM users
    WHERE username = '$username1'";
$result = mysql_query($query);
$userData = mysql_fetch_array($result);
if($hash != $userData['password']) //incorrect password
{
    echo $hash."|".$userData['password'];
    die();
}
// ...other code...

Sample output:

7816ee6a140526f02289471d87a7c4f9602d55c38303a0ba62dcd747a1f50361| 7816ee6a140526f02289471d87a7c4f9602d55c38303a0ba62dcd747a1f50361

Any thoughts?

1
  • Strange problem you have encountered. What is the output of var_dump($hash) and var_dump($userData['password'])? Commented Jul 20, 2011 at 22:08

5 Answers

3

I was having the exact same problem. var_dump() was telling me that I had two variables with the same properties, string(128). The only way I was able to get the comparison to work was to cast the hashed values as strings:

$password1 = $_POST['password'];
$hash = (string)hash('sha256', $password1);
// ...
$userData = mysql_fetch_array($result);
// Cast the stored column, not the whole row array, to a string
$stored = (string)$userData['password'];

if($hash == $stored) {
  //This should return true.
}

0

Try using strcmp. String comparisons with == or != rarely go well.

if(strcmp($hash, $userData['password']) != 0) {
    //this would be where the password was incorrect.
}

It may very well be treating it as a number for some reason and failing the comparison.

2 Comments

  • This is going to be a strange, last-ditch effort, but try replacing mysql_fetch_array($result); with mysql_fetch_array($result, MYSQL_ASSOC);. This really shouldn't be the source of your troubles, but PHP is many weird things.
  • Didn't work either. I don't understand, since the outputs are showing the exact same values each time I test.

0

Try switching != to == and switch content. Like this

if($hash == $userData['password']) //correct password
{
    //proc login...
}
else
{
    echo $hash."|".$userData['password'];
    die();
}

I'm not sure why that is happening, but you can be sure it will work in my case.

EDIT: You did something wrong in your case. Works for me.

3 Comments

  • I can't think of what else it could be. When I output the two values they are identical, tried changing the order to
  • I'm not sure why it happens. Did you try my first code?
  • Tried your code in a separate file and it worked, then did the exact same on my login script with my hashed values and it didn't work.

0

== is an object hashcode comparison, you need to use a strcmp function to compare string literals.

1 Comment

  • didn't work even with if(strcmp($hash, $userData['password']) == 0)

0

Not sure if you ever got this solved but I just wasted 30 minutes with the exact same problem. Turns out my mysql value had an extra space at the end. It was a test user I manually added to the database and somehow got an extra space when copying and pasting the hashed password.

Not sure if this applies to your situation or not but I thought I'd share anyway.
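
The trailing-space cause described in the answer above can be confirmed without printing the digest itself. The following PHP is an added example, not code from the question or from any answer; it assumes PHP 7.1 or later and an unsalted SHA-256 hex digest as in the question, and the function names storedHashProblem and verifySha256 are hypothetical.

```php
<?php
// Added example; all values below are constructed, not taken from the question.

// Return null for a well-formed SHA-256 hex digest, otherwise a reason string.
// Only the stray bytes are reported, never the digest itself, so the result
// is safe to write to a log.
function storedHashProblem(string $stored): ?string
{
    $lead  = substr($stored, 0, strlen($stored) - strlen(ltrim($stored)));
    $trail = substr($stored, strlen(rtrim($stored)));
    if ($lead !== '' || $trail !== '') {
        // bin2hex() exposes bytes that echo hides (space, tab, CR, LF, NUL)
        return 'whitespace around value: lead=' . bin2hex($lead)
             . ' trail=' . bin2hex($trail);
    }
    if (strlen($stored) !== 64) {
        return 'length ' . strlen($stored) . ', expected 64';
    }
    if (!ctype_xdigit($stored)) {
        return 'non-hex characters present';
    }
    return null;
}

// Validate the stored value instead of silently trimming it, so a damaged row
// is reported rather than masked. hash_equals() is a constant-time, byte-wise
// string comparison and does no loose-comparison type juggling.
function verifySha256(string $password, string $stored): bool
{
    $problem = storedHashProblem($stored);
    if ($problem !== null) {
        error_log('stored password hash rejected: ' . $problem);
        return false;
    }
    return hash_equals(strtolower($stored), hash('sha256', $password));
}

// Constructed sample: one digest stored cleanly, one pasted with a trailing space.
$clean  = hash('sha256', 'example-password');
$pasted = $clean . ' ';

var_dump($clean == $pasted);                         // the question's failing comparison
var_dump(storedHashProblem($pasted));                // names the hidden byte
var_dump(verifySha256('example-password', $clean));  // clean row
var_dump(verifySha256('example-password', $pasted)); // damaged row, reason logged
```

Running the same check over every row of the users table finds other manually inserted accounts with the same damage.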
