I am using PHPASS to store password encrypted and compare when login.

here is the code

$userName = $password = "";
$userNameErr = $passwordErr = $loginErr = "";
$hasher = new PasswordHash(8, false);

if (isset($_POST['subEmployee'])) {
    if (empty($_POST['user_name'])) {
        $userNameErr = "User name is required";

    } else {
        $userName = check_input($_POST['user_name']);
        if (!preg_match("/^[0-9_a-zA-Z]*$/", $userName)) {
            $userNameErr = "Only letters, numbers and '_' allowed";
    if (empty($_POST['password'])) {
        $passwordErr = "Password is required";
        $password = check_input($_POST['password']);

    $active = 1;
    $loginUser = $db->prepare("SELECT password FROM users WHERE user_name=? AND activity=?");
    $loginUser->bind_param('si', $userName, $active);
    if ($loginUser->execute()) {
        $results = $loginUser->get_result();
        if ($results->num_rows == 1) {
            $row = $results->fetch_object();
            $stored_hash = "*";
            $stored_hash = $row->password;
            $check = $hasher->CheckPassword($password, $stored_hash);
            if ($check) {
                $_SESSION['name'] = $row->first_name;
                $_SESSION['userId'] = $row->id;
                $_SESSION['user'] = 1;
            } elseif (!empty($_POST['user_name']) && !empty($_POST['password'])) {
                $loginErr = "'Invalid Login Information'";

so far it always give the same message 'Invalid Login Information' I have made the registration form that store my password like this.

$hasher = new PasswordHash(8, false);
$hash = md5(rand(0, 1000));

if (empty($_POST['password'])) {
        $error ['passwordErr'] = "Password is required";
    } elseif (strlen($_POST['password']) < 8) {
        $error ['passwordErr'] = "<span class='notAllowed'>Chose password with at last eight characters</span>";
    } elseif (strlen($_POST['password']) > 72) {
        $error ['passwordErr'] = "<span class='notAllowed'>Password max 72 characters</span>";
    } elseif ($_POST['password'] !== $_POST['confirm']) {
        $error ['passwordErr'] = "Password don't matching";
    } else {
        $password = $hasher->HashPassword($password);

when I checked my database the password seems hashed to me and the user name is there and everything is alright

but still getting this message as 'Invalid Login Information'.

does this two lines is right

$loginUser = $db->prepare("SELECT password FROM users WHERE user_name=? AND activity=?");
    $loginUser->bind_param('si', $userName, $active);

does the login code OK.


2 Years
Discussion Span
Last Post by diafol

Not familiar with PHPass, Any reason you're using md5? It's generally accepted that it's past it's sell by date. Not recommended.

If you have php 5.5.0+, then you may wish to consider password_hash() and password_verify() using something like BCRYPT with a "cost" of 11 or 12.

Edited by diafol


Thanks for reply but what to do if I am using PHP 5.3.29 any other idea
thanks again


Are you not able to shift your version up a few notches?

14 Aug 2014
The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively.

Anyway, you can use https://github.com/ircmaxell/password_compat (thanks to veedeoo for the link).

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.