PHP and MYSQL password storage

I am going to leave you an example of how to save the password with a secure method password_hash(), I would not apply a md5single one, since there are pages where we can easily decrypt passwords md5, for example.

http://md5cracker.org/

Let's see how it works password_hash(), it creates a new password hash using a strong one-way hash algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created with crypt() can be used with password_hash().

//Obtenemos contraseña desde un form.
$contrasena = $_POST['contra'] ?: '';

//Encriptamos de manera segura la contraseña
$contrasena = password_hash(
                    base64_encode(
                        hash('sha256', $contrasena, true)
                    ),
                PASSWORD_DEFAULT
            );


//Sentencia SQL.
$stmt = $conexion->prepare("INSERT INTO tabla (password) VALUES (?)");

//Ligamos parametros marcadores.
$stmt->bind_param("s",$contrasena);

//Ejecutamos sentencia.
$stmt->execute();

//Cerramos sentencia.
$stmt->close();

Now we see how we can verify the inserted password with hash_equals.

hash_equals— Secure string comparison against timing attacks

$contrasena = $_POST['contra'] ?: '';    

//Encriptamos de manera segura la contraseña
$contrasena = password_hash(
                    base64_encode(
                        hash('sha256', $contrasena, true)
                    ),
                PASSWORD_DEFAULT
            );

//Sentencia SQL
$stmt = $conexion->prepare("SELECT password FROM tabla WHERE password = ?";

//Ligamos parametros marcadores.
$stmt->bind_param("s",$contrasena);

//Ejecutamos sentencia.
$stmt->execute();  

$stmt->store_result();
if($stmt->num_rows===1) {

    $stmt->bind_result($contrasenaBD);
    $stmt->fetch();
    $stmt->close();

   if (hash_equals($contrasena,$contrasenaDB) {
      //Hacemos algo.
   }        

} else { $stmt->close(); }

Example to your second question.

if(isset($_REQUEST["login_pass"])){$login_pass = $_REQUEST["login_pass"];}else{$login_pass = "";}
require 'conexion.php';

$login_pass = "2000000";

$contrasena = password_hash(
    base64_encode(
        hash('sha256',$login_pass, true)
    ),
    PASSWORD_DEFAULT
);

//password_verify — Comprueba que la contraseña coincida con un hash, asique no debes volver a hashearla con password_hash.

$sql_in="SELECT LIDER_EXPLOIT FROM LIDERES WHERE LIDER_EXPLOIT ='".$contrasena."'";

$result = mysqli_query($conn,$sql_in);
$row=mysqli_fetch_array($result);

//Comprobación -> Contraseña -> OK
if (password_verify(
        base64_encode(
            hash('sha256', $login_pass, true)
        ),
        $row["LIDER_EXPLOIT"]
)) {

  echo 'es igual';
}
else
{
  echo 'no es igual';
}

It is really not recommended to save a password that can be decrypted so easily. If in the end the password can be cracked by a common method, what is the point of keeping it encrypted?

What is usually done is to save the encrypted password (with MD5 or SHA1 for example) and then when making a comparison, the string to be compared is written and compared with the encrypted password that has been stored in the database. You can do this encryption at the PHP or MySQL level using the MD5 or SHA1 functions. I leave you a link where they talk about this topic at the end: http://blog.aulaformativa.com/consultorio-desarrollo-web/

Like the password, it encrypts password_hashit with and returns a string like:

$2y$10$Wvx7Sdsbt7L7BiGC0QuxYeqQVaGSsTd.NxQ9JMAbMNOK6zic2WkaO

There is a function to compare if a hash corresponds to a password that is entered in plain text. password_verifyreturns TRUEor FALSE.

$hash = '$2y$10$Wvx7Sdsbt7L7BiGC0QuxYeqQVaGSsTd.NxQ9JMAbMNOK6zic2WkaO';

if(password_verify('123456', $hash)){
    echo 'Contraseña correcta.';
} else {
    echo 'Contraseña incorrecta.';
}

Good morning.

What I do to encrypt the passwords in saving them in MD5, I use: $password = md5($_POST['password'])and to insert I do:

insert into tabla values ($password);

To make the query, I would

select password from tabla where password = $password;

With what they told me I was able to put together this code:

I entered the passwords already hashed, they are already like this in the database, I made this code:

require 'conexion.php';
$sql = "SELECT LIDER_NOMINA FROM LIDERES";
$result = mysqli_query($conn,$sql);
while ($row=mysqli_fetch_array($result))
{
  $sql_in="UPDATE LIDERES SET LIDER_EXPLOIT =
  '".password_hash(base64_encode(hash('sha256',$row["LIDER_NOMINA"])),PASSWORD_DEFAULT)."' WHERE LIDER_NOMINA = '".$row["LIDER_NOMINA"]."'";
  mysqli_query($conn,$sql_in);
}

Now I want to compare the passwords, like for example a 2000000. I put together the code like this:

if(isset($_REQUEST["login_pass"])){$login_pass = $_REQUEST["login_pass"];}else{$login_pass = "";}
require 'conexion.php';

$login_pass = "2000000";

$contrasena = password_hash(
    base64_encode(
        hash('sha256',$login_pass, true)
    ),
    PASSWORD_DEFAULT
);

$sql_in="SELECT LIDER_EXPLOIT FROM LIDERES WHERE LIDER_EXPLOIT ='".$contrasena."'";

$result = mysqli_query($conn,$sql_in);
$row=mysqli_fetch_array($result);
if (password_verify($contrasena,$row["LIDER_EXPLOIT"]))
{
  echo 'es igual';
}
else
{
  echo 'no es igual';
}

But I have not been able to do it, it returns me that "it is not the same", what did I do wrong?