Since md5 will be deprecated at some point (if it isn't already), and will soon pass away, I thought I should think about another way of securing passwords. I've been thinking about phpass for a while and decided to jump in feet first. I am pretty sure that I understand the concept but my code isn't working for some reason. Like yet again, I need another pair of eyes to see what I am not seeing at the moment. Below is the code:

$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);

$user = strtolower( pmdb::connect()->escape($_POST['username']) );
$pass = pmdb::connect()->escape($_POST['password']);

$query = pmdb::connect()->query("SELECT user_id, username, password FROM ". DB ."members WHERE username = '$user'");
$results = $query->fetch_array();

if( isset($_POST['login']) ) {

    if($hasher->CheckPassword( $pass, $results['password']) ) {
        $_SESSION['logged'] = 1; // Sets the session.
        $_SESSION['username'] = $results['username']; // Sets the username session.
        $_SESSION['userID'] = $results['user_id'];
        $_SESSION['remember_me'] = $_POST['remember_me']; // Sets a remember me cookie if remember me is checked.

Sorry, I should mention that the above code is for login. Below is what I use in changepassword.php:

$hash_cost_log2 = 8;
$hash_portable = FALSE;

$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
$hash = $hasher->HashPassword(pmdb::connect()->escape($_POST['password']));

// Enable for error checking and troubleshooting.
# display_errors();

if($_POST) {
    pmdb::connect()->update(DB . "members", array('password' => $hash), array('username',$_SESSION['username']));

Edited by joshmac
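Added example, not part of the original post and not phpass's own code: two checks worth running when a bcrypt-based login like the one above never verifies after a move away from md5. It uses PHP's built-in password_hash()/password_verify() in place of phpass's HashPassword()/CheckPassword() so it runs on its own; the helper names, the sample password, the use of addslashes() as a stand-in for the escape() call, and the 32-character column width are assumptions.

```php
<?php
// Added example. password_hash()/password_verify() are PHP built-ins (5.5+)
// standing in for phpass's HashPassword()/CheckPassword().

// Hypothetical helper: models a fixed-width column. MySQL in non-strict
// mode truncates an over-long string on insert instead of rejecting it.
function store_hash(string $hash, int $columnWidth): string
{
    return substr($hash, 0, $columnWidth);
}

// Hypothetical helper: the login-side comparison.
function login_ok(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

// Constructed sample password containing characters that SQL escaping rewrites.
$raw     = "O'Brien\\2024";
// Assumption: the escape routine behaves like addslashes().
$escaped = addslashes($raw);

$hash = password_hash($raw, PASSWORD_BCRYPT, ['cost' => 8]);

// Check 1: the hash column must hold the whole hash. A bcrypt hash is
// 60 characters; a column sized for an MD5 hex digest holds only 32.
$wideColumn   = store_hash($hash, 255);
$narrowColumn = store_hash($hash, 32);

printf("hash length:                %d\n", strlen($hash));
printf("stored in 255-char column:  %s\n", var_export(login_ok($raw, $wideColumn), true));
printf("stored in 32-char column:   %s\n", var_export(login_ok($raw, $narrowColumn), true));

// Check 2: hash and verify the same bytes. SQL escaping changes the
// password whenever it contains quotes or backslashes, so a hash made
// from the raw value does not match the escaped value (and vice versa).
// The password never needs escaping: it is hashed, not placed in SQL,
// and the username belongs in a parameterised query.
printf("raw vs. hash of raw:        %s\n", var_export(login_ok($raw, $hash), true));
printf("escaped vs. hash of raw:    %s\n", var_export(login_ok($escaped, $hash), true));
```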
