You are here

function user_check_password in Drupal 7

Check whether a plain text password matches a stored hashed password.

Alternative implementations of this function may use other data in the $account object, for example the uid to look up the hash in a custom table or remote database.

Parameters

$password: A plain-text password

$account: A user object with at least the fields from the {users} table.

Return value

TRUE or FALSE.

3 calls to user_check_password()
PasswordHashingTest::testPasswordHashing in modules/simpletest/tests/password.test
Test password hashing.
user_authenticate in modules/user/user.module
Try to validate the user's login credentials locally.
user_validate_current_pass in modules/user/user.module
Form validation handler for the current password on the user_account_form().

File

includes/password.inc, line 234
Secure password hashing functions for user authentication.

Code

function user_check_password($password, $account) {
  if (substr($account->pass, 0, 2) == 'U$') {

    // This may be an updated password from user_update_7000(). Such hashes
    // have 'U' added as the first character and need an extra md5().
    $stored_hash = substr($account->pass, 1);
    $password = md5($password);
  }
  else {
    $stored_hash = $account->pass;
  }
  $type = substr($stored_hash, 0, 3);
  switch ($type) {
    case '$S$':

      // A normal Drupal 7 password using sha512.
      $hash = _password_crypt('sha512', $password, $stored_hash);
      break;
    case '$H$':

    // phpBB3 uses "$H$" for the same thing as "$P$".
    case '$P$':

      // A phpass password generated using md5.  This is an
      // imported password or from an earlier Drupal version.
      $hash = _password_crypt('md5', $password, $stored_hash);
      break;
    default:
      return FALSE;
  }
  return $hash && $stored_hash == $hash;
}