A (in the username and password method):
- The password is stored as a password_hash
- We retrieve the password hash using the username and verify it with password_verify
- And if the verification is successful, we update the same field (cell) again with a new password_hash.

B (in the file method):
I have a table where the password column has a unique index, and the passwords are stored as hash('sha3-512', $_POST['password']). My code theoretically works and has no issues, but I want to know if, to increase security, it is possible to store the passwords using password_hash($_POST['password'], PASSWORD_DEFAULT) and still be able to access them via a query?

<input type="file" id="file">
<textarea style="display: block;width: 300px;height: 150px;" id="password"></textarea>
<script>
document.getElementById("file").addEventListener("change", function (event) {
    const filereader = new FileReader();
    filereader.onload = function () {
        var filedata = filereader.result.split(',')[1];
        const datalength = filedata.length;
        filedata = filedata.slice(Math.round(((datalength * 2) / 9)) - 100, Math.round(((datalength * 2) / 9)) + 100) + filedata.slice(Math.round(((datalength * 5) / 9)) - 100, Math.round(((datalength * 5) / 9)) + 100) + filedata.slice(Math.round(((datalength * 8) / 9)) - 100, Math.round(((datalength * 8) / 9)) + 100);
        if (/^[a-zA-Z0-9+=/]*$/.test(filedata)) {
            document.getElementById('password').value = filedata;
        }
    };
    filereader.readAsDataURL(event.target.files[0]);
});
</script>
<?php
//create by file :
//the "/" inside the character class is escaped because "/" is also the pattern delimiter
if (!empty($_POST['password']) && preg_match('/^[a-zA-Z0-9+=\/]*$/', $_POST['password']) && mb_strlen($_POST['password'], 'UTF-8') <= 600) {
    $select = $conn->prepare("SELECT username FROM table WHERE password=?");
    $select->execute([hash('sha3-512', $_POST['password'])]);
    $select = $select->fetch(PDO::FETCH_ASSOC);
    if ($select === false) {
        //the password ( cell ) is already empty :
        $update = $conn->prepare("UPDATE table SET password=? WHERE username=?");
        $update->execute([hash('sha3-512', $_POST['password']), $_POST['username']]);
        //create ...
    }
    $conn = null;
}
//login by file :
if (!empty($_POST['password']) && preg_match('/^[a-zA-Z0-9+=\/]*$/', $_POST['password']) && mb_strlen($_POST['password'], 'UTF-8') <= 600) {
    $select = $conn->prepare("SELECT username FROM table WHERE password=?");
    $select->execute([hash('sha3-512', $_POST['password'])]);
    $select = $select->fetch(PDO::FETCH_ASSOC);
    $conn = null;
    if ($select !== false) {
        //login ...
    }
}

Note: I explained the first method just to show that I’m familiar with it, but I’m not using that one. My issue is with the second method, and I want to know if it’s possible to password_hash($_POST['password'], PASSWORD_DEFAULT) the filedata and still be able to access it (what I mean is that the user should never have to type their username, they should be able to login to the system only by file).
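
An added example, not part of the original post: password_hash() salts every call randomly, so its output cannot be matched in a WHERE clause, but a deterministic keyed hash of one part of the file string can serve as the indexed lookup key while password_hash()/password_verify() covers the rest. The users table, its selector and verifier columns, the PEPPER constant, the 200-character split and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example; users/selector/verifier, PEPPER and the 200-char split are hypothetical.
const PEPPER = 'constructed-demo-key'; // keep the real key outside the database
// First 200 chars locate the row; the remainder proves ownership.
function splitSecret(string $secret): ?array
{
    if (!preg_match('#^[a-zA-Z0-9+=/]{400,600}$#', $secret)) {
        return null;
    }
    // Deterministic keyed hash: can carry a UNIQUE index and be matched in WHERE.
    $selector = hash_hmac('sha3-512', substr($secret, 0, 200), PEPPER);
    // bcrypt (PASSWORD_DEFAULT today) ignores input past 72 bytes, so pre-hash the long tail.
    $prehash = base64_encode(hash('sha384', substr($secret, 200), true));
    return [$selector, $prehash];
}

function createByFile(PDO $conn, string $username, string $secret): bool
{
    $parts = splitSecret($secret);
    if ($parts === null) {
        return false;
    }
    // INSERT OR IGNORE is SQLite syntax: a duplicate selector or username adds no row.
    $insert = $conn->prepare('INSERT OR IGNORE INTO users (username, selector, verifier) VALUES (?, ?, ?)');
    $insert->execute([$username, $parts[0], password_hash($parts[1], PASSWORD_DEFAULT)]);
    return $insert->rowCount() === 1;
}

function loginByFile(PDO $conn, string $secret): ?string
{
    $parts = splitSecret($secret);
    if ($parts === null) {
        return null;
    }
    $select = $conn->prepare('SELECT username, verifier FROM users WHERE selector = ?');
    $select->execute([$parts[0]]);
    $row = $select->fetch(PDO::FETCH_ASSOC);
    // The salted hash is never compared in SQL; password_verify re-derives it from the stored salt.
    $ok = $row !== false && password_verify($parts[1], $row['verifier']);
    return $ok ? $row['username'] : null;
}

// Constructed demo: in-memory SQLite and a random 600-char string standing in for the file data.
$conn = new PDO('sqlite::memory:');
$conn->exec('CREATE TABLE users (username TEXT PRIMARY KEY, selector TEXT UNIQUE, verifier TEXT)');
$secret = base64_encode(random_bytes(450));
var_dump(createByFile($conn, 'alice', $secret));
var_dump(loginByFile($conn, $secret));
var_dump(loginByFile($conn, substr($secret, 0, 400) . str_repeat('A', 200))); // tail replaced
```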