Password Inset Only Works Live

[mmarkym 0]

Within the register.php file there's an INSERT statement that inserts a record into the users table of the database. My password is only inserted locally. When I go live and try to register, the pass field in the db is blank. I'm using the library with the password.php in it and have included that above the INSERT statement.

 

mark

[HartleySan 826]

Welcome to the forums, Mark.

Could you please provide the relevant code?

Thank you.

[mmarkym 0]

if ($rows === 0)

{

	include('includes/lib/password.php');

	$q = "INSERT INTO users (username, email, pass, first_name, last_name, date_expires) VALUES ('$u', '$e', '"  .  password_hash($p, PASSWORD_BCRYPT) .  "', '$fn', '$ln', SUBDATE(NOW(), INTERVAL 1 DAY) )";

	$r = mysqli_query($conn, $q);

	if (mysqli_affected_rows($conn) === 1)

{

[HartleySan 826]

How many characters does the password_hash function call resolve to, and what is the password column in the DB set as?

[mmarkym 0]

I'm not sure what you mean by "How many characters does the password_hash function call resolve to" but the pass field in the db is set to VARCHAR (255).

 

mark

[Antonio Conte 426]

Are you sure your Live server PHP version supports password_hash()? It ships with PHP 5.0.0, but won't be available in lower versions of PHP. You can check this by adding phpinfo(). If it doesn't exists, you'll need to upgrade PHP or switch hashing function.

 

Edit: You can also check for errors by adding these lines to the top of your script:

ini_set('display_errors', 1);
ini_set('error_reporting', -1);

[HartleySan 826]

Antonio, I think that password_hash is supported in PHP >= 5.5. (Reference: http://www.php.net/manual/en/function.password-hash.php)

 

However, he seems to be including password.php, which contains the polyfill for the function in older versions of PHP.

 

Anyway, Mark, have you tried echoing both $p and password_hash($p, PASSWORD_BCRYPT) out to the screen?

Do you get what's expected?

 

Also, I would follow Antonio's advice and get the error reporting going.

It'll help.

[mmarkym 0]

If I echo $p and password_hash($p, PASSWORD_BCRYPT), I get the $p but nothing with password_hash($p, PASSWORD_BCRYPT). I also added phpinfo() and could not find password_hash only md3 and sha1

 

mark

[HartleySan 826]

Does password.php define a function called password_hash?

[mmarkym 0]

yes it does.

 

mark

[HartleySan 826]

I grabbed password.php from the following URL, and then threw it in a folder with the following script, and it seems to work fine:

https://raw.github.com/ircmaxell/password_compat/master/lib/password.php

 

<?php
  include('password.php');
  
  $password = 'You will never crack this!';
  $hash = password_hash($password, PASSWORD_BCRYPT);
  
  echo $password . '<br>' . $hash;

You might want to make sure everything in your script is properly aligned.

[Larry 422]

Mark, what version of PHP is your live server running? And did you follow the instructions in the book for testing support for the password library (on your live server)?