I want to use an Android app to send an encrypted password to a PHP file on the server that stores it. This also works so far.

At login I send the encrypted password to the server again and the PHP file should find out if the password is correct.

But if I now write if (password_verify($userPassword, $hash)) { }

then the function requires the real password and not an encrypted one. How can I now compare encrypted with encrypted?

Or do I just have to send the visible password to an SSL server and it's still secure?

1 Answer

Gekkie On

Does it really matter what the $userPassword actually is? This could be the encrypted original as long as that is what you stored the first time...

So just send the encrypted version, hash it (in PHP), store it (in PHP) and later verify that (password_verify($inAndroidHashedPass, $locallyStoredHashFromPHP))?
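The flow the answer describes, as an added PHP example (not code from the question or the answer): the server treats whatever string the app sends as the password, runs it through password_hash() at registration and password_verify() at login. clientSideHash(), registerUser(), loginUser() and the in-memory $userStore are assumed names for illustration.

```php
<?php
declare(strict_types=1);

// Stand-in for what the Android app sends: a fixed client-side transform of
// the real password (assumed here to be SHA-256). The server only ever sees
// this string, so it is the effective password and must still travel over TLS.
function clientSideHash(string $plainPassword): string
{
    return hash('sha256', $plainPassword);
}

// Registration endpoint logic: hash the received string with password_hash()
// (salted, slow hash chosen by PASSWORD_DEFAULT) and store only that result.
function registerUser(array &$userStore, string $username, string $inAndroidHashedPass): void
{
    $userStore[$username] = password_hash($inAndroidHashedPass, PASSWORD_DEFAULT);
}

// Login endpoint logic: compare the received string against the stored hash.
// password_verify() reads the algorithm, salt and cost from the stored hash.
function loginUser(array $userStore, string $username, string $inAndroidHashedPass): bool
{
    if (!isset($userStore[$username])) {
        return false; // unknown user: same result as a wrong password
    }
    return password_verify($inAndroidHashedPass, $userStore[$username]);
}

// Constructed demo data: an in-memory "database" keyed by username.
$userStore = [];

// Registration: the app sends clientSideHash('correct horse'), never the plaintext.
registerUser($userStore, 'alice', clientSideHash('correct horse'));

// Login with the right password: the app recomputes the same client-side hash,
// and password_verify() accepts it against the stored password_hash() output.
echo 'correct password: ';
echo loginUser($userStore, 'alice', clientSideHash('correct horse')) ? 'accepted' : 'rejected';
echo PHP_EOL;

// Login with a wrong password: the client-side hash differs, so verification fails.
echo 'wrong password: ';
echo loginUser($userStore, 'alice', clientSideHash('wrong password')) ? 'accepted' : 'rejected';
echo PHP_EOL;

// The stored column holds the password_hash() output, not the string the app
// sends, so a leaked database alone does not hand out a usable login value.
echo 'stored: ', $userStore['alice'], PHP_EOL;
```

Because the client-side hash is what the server accepts as the credential, it is password-equivalent in transit; that is why the SSL/TLS question still matters even when the app never sends the plaintext.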