Since md5 will be deprecated at some point (if it isn't already), and will soon pass away, I thought I should think about another way of securing passwords. I've been thinking about phpass for a while and decided to jump in feet first. I am pretty sure that I understand the concept, but my code isn't working for some reason. Yet again, I need another pair of eyes to see what I am not seeing at the moment. Below is the code:
require_once 'PasswordHash.php'; // phpass

$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
$user = strtolower( pmdb::connect()->escape($_POST['username']) );
$pass = pmdb::connect()->escape($_POST['password']);
$query = pmdb::connect()->query("SELECT user_id, username, password FROM ". DB ."members WHERE username = '$user'");
$results = $query->fetch_array();
if( isset($_POST['login']) ) {
    if($hasher->CheckPassword( $pass, $results['password']) ) {
        $_SESSION['logged'] = 1; // Sets the session.
        $_SESSION['username'] = $results['username']; // Sets the username session.
        $_SESSION['userID'] = $results['user_id'];
        $_SESSION['remember_me'] = $_POST['remember_me']; // Sets a remember me cookie if remember me is checked.
    }
}
Sorry, I should mention that the above code is for login. Below is what I use in changepassword.php:
require_once 'PasswordHash.php'; // phpass

$hash_cost_log2 = 8;
$hash_portable = FALSE;
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);
$hash = $hasher->HashPassword(pmdb::connect()->escape($_POST['password']));
// Enable for error checking and troubleshooting.
# display_errors();
if($_POST) {
    pmdb::connect()->update(DB . "members", array('password' => $hash), array('username',$_SESSION['username']));
}
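As an added example (not the asker's code, and not tied to the pmdb class), here is the same login and change-password flow written the way a reviewer would want it: the password is hashed and checked raw rather than after escape() (escaping changes the string, so a password containing a quote is hashed in one form and later compared in another), the username goes into the query as a bound parameter instead of by string building, the lookup only runs when the login form was actually submitted, and the row is checked for existence before CheckPassword() is called. It assumes phpass's PasswordHash.php is on the include path; the SQLite in-memory table, the $db handle and the seed user are constructed for the demo.

```php
<?php
// Added example, not the asker's code. Assumes phpass (PasswordHash.php) is
// available; the members table below is a constructed SQLite stand-in.
require_once 'PasswordHash.php';

$hash_cost_log2 = 8;      // 2^8 bcrypt rounds, the same setting as in the question
$hash_portable  = false;  // false => bcrypt ($2a$) hashes; true => weaker portable ($P$) hashes
$hasher = new PasswordHash($hash_cost_log2, $hash_portable);

// Constructed schema for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

function hashOrFail(PasswordHash $hasher, string $password): string
{
    // phpass returns the string "*" when it cannot produce a hash (e.g. the
    // requested bcrypt flavour is unavailable); never store that value.
    $hash = $hasher->HashPassword($password);
    if (strlen($hash) < 20) {
        throw new RuntimeException('password hashing failed');
    }
    return $hash;
}

function createUser(PDO $db, PasswordHash $hasher, string $username, string $password): void
{
    // The raw password is hashed; no escape() call touches it.
    $stmt = $db->prepare('INSERT INTO members (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => strtolower($username), ':p' => hashOrFail($hasher, $password)]);
}

function login(PDO $db, PasswordHash $hasher, string $username, string $password): ?array
{
    // Bound parameter: the username is sent as data, not as SQL text.
    $stmt = $db->prepare('SELECT user_id, username, password FROM members WHERE username = :u');
    $stmt->execute([':u' => strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown user; do not call CheckPassword on a missing row
    }
    if (!$hasher->CheckPassword($password, $row['password'])) {
        return null;
    }
    // Caller puts these into $_SESSION; the password hash is not returned.
    return ['user_id' => $row['user_id'], 'username' => $row['username']];
}

function changePassword(PDO $db, PasswordHash $hasher, string $username, string $newPassword): void
{
    $stmt = $db->prepare('UPDATE members SET password = :p WHERE username = :u');
    $stmt->execute([':p' => hashOrFail($hasher, $newPassword), ':u' => strtolower($username)]);
}

// Demo run with constructed data.
createUser($db, $hasher, 'Alice', "it's a secret");
$ok      = login($db, $hasher, 'alice', "it's a secret") !== null;
$bad     = login($db, $hasher, 'alice', 'wrong') === null;
changePassword($db, $hasher, 'alice', 'new secret');
$oldGone = login($db, $hasher, 'alice', "it's a secret") === null;
$newOk   = login($db, $hasher, 'alice', 'new secret') !== null;
var_dump($ok && $bad && $oldGone && $newOk);
```

In a real page the returned array is what goes into $_SESSION after a successful login, and the change-password handler should call changePassword() only for the currently logged-in username, never for one taken from the request. Because the same $hash_cost_log2 and $hash_portable are used when hashing and when checking, hashes written by changePassword() verify with the same $hasher object on the login page.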