How to validate WordPress generated password in DB using PHP?

I am working with site that is done with WordPress, and I need to add some parts that are outside WP, and to check user login, Logging users outside WP.

I tried with md5 of password but it’s not…

I tried this code:

require_once( 'wp-includes/class-phpass.php' );
$wp_hasher = new PasswordHash( 8, TRUE );
$password = "passwordhere";
$hashed_password = $wp_hasher->HashPassword( $password );
$encryptedpass = md5($hashed_password);

But this is only for first time creating password, and it’s always different.

I need code that can be used in this:

SELECT * FROM wp_customers WHERE email = "ccc@aaa.com" AND password = "<what goes here?>"

Is this possible anyhow?

Thanks.

4 Answers
4

Based on your other question … it sounds like you’re trying to validate a given plaintext password against what’s stored in the database. Here’s the function WordPress uses to do just that:

function wp_check_password($password, $hash, $user_id = '') {
    global $wp_hasher;

    // If the hash is still md5...
    if ( strlen($hash) <= 32 ) {
        $check = ( $hash == md5($password) );
        if ( $check && $user_id ) {
            // Rehash using new hash.
            wp_set_password($password, $user_id);
            $hash = wp_hash_password($password);
        }

        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }

    // If the stored hash is longer than an MD5, presume the
    // new style phpass portable hash.
    if ( empty($wp_hasher) ) {
        require_once ( ABSPATH . 'wp-includes/class-phpass.php');
        // By default, use the portable hash from phpass
        $wp_hasher = new PasswordHash(8, TRUE);
    }

    $check = $wp_hasher->CheckPassword($password, $hash);

    return apply_filters('check_password', $check, $password, $hash, $user_id);
}

First, this plugin checks to see if the MD5 hash of the given password is the same as the stored (hashed) password for a user. It also checks to see if the PHPass hash of the given password is the same as the stored password for a user.

You can follow a similar pattern.

So let’s say you’re given a username and a password from the user and you want to validate them (my_password_validation( $username, $password )). You’ll use the given username to pull a hashed password from the database. Then you compare the hash of the given password to the stored value to see if it’s valid.

Here’s some untested psuedocode:

function my_password_validation( $username, $password ) {
    // Select the users's password hash from the database
    $stored = query( 'SELECT * FROM wp_customers WHERE email=" . $username );

    require_one( "class-phpass.php' );
    $hasher = new PasswordHash(8, TRUE);

    return $hasher->CheckPassword( $password, $stored );
}

If the password you pass in to the function hashes to the same as the stored value, the function will return true. Otherwise it will return false.

Looking at the comments you left on the other question, it seems like you have some other issues, though. To quote:

So I get:

$P$BqVYujC/jqNY4aylZpHi475jwcaSUs1
But how can I compare that with one in DB?

One in DB is:

fa063a4ed35e092a2d4e15c1b6a61871
How to compare those two with MySQL?

I can tell you right now that the password you’re getting from the database was not hashed using the PHPass utility. Those hashes will always resemble the $P$B starting because that’s what tells the system how it was hashed. PHPass is based on Blowfish which uses that kind of a prefix on encrypted strings.

Your fa063... hash looks more like a standard MD5 hash … so if your MD5 hash of the plaintext doesn’t match, then I think you might have the wrong password.

To answer your “how to I compare those two with MySQL” question … you don’t. MySQL is the data store … don’t do any business logic or comparison in the data store. Read data out, then use a PHP script to perform your comparison.

Leave a Comment