Checking for a hashed value in a query?

Why didn't you try this:

$password = Hash::make('plaintext');
$result = Model::wherePassword($password)->first();

@bart because Hash::make() will return a different hash each time?

That's true, sorry about that. Why couldn't you use the Hash:check() method?

Are you searching for passwords? Whut? :P

Without knowing what you want it for, this is where you check if it matches?

if (Hash::check('secret', $hashedPassword))
{
    // The hashed values match...
}

http://laravel.com/docs/4.2/security#storing-passwords

I need to be able to query by this value, so Hash::check doesn't work since it returns a boolean... seems my only option is to use another (less secure than bcrypt) method of hashing?

It's in the nature of the algorithm itself. You can't search for a salted hash - that's the idea behind it. Different hashes will be generated with the same input. So the answer is: You have to use another hashing algorithm which always returns the same output. And last but not least is less secure.

Maybe you can tell us something about your intention. Why do you wanna do such an unusual query?

Have a look at how Auth::attempt() works, that must do partly what you're looking for.

https://github.com/laravel/framework/tree/4.2/src/Illuminate/Hashing

@bart I am storing sensitive personal information (government issued ID # in this case) and need administrators to have the ability to search by (and edit) such information. I've been storing an encrypted value, but when searching tons of records also storing a hash makes sense. Thanks for the explanation about bcrypt, I wasn't realizing it was like that always.

@bashy thank you for the link, looking at the Hashing class provides some nice insights as to the PHP behind it. I looked around the code for the Auth::attempt() method as well and it appears that the record is found given the other (non-password) credentials, and then the Hash::check() method is called separately... so it's still not part of the query. After learning the nature of bcrypt, that certainly makes sense. It's unfortunately looking like I'll need to salt+hash using another more insecure algorithm to achieve what I want in this case.

Indeed, I didn't look too far into it but this is interesting

/**
  * Check the given plain value against a hash.
  *
  * @param string $value
  * @param string $hashedValue
  * @param array $options
  * @return bool
  */
public function check($value, $hashedValue, array $options = array())
{
    return password_verify($value, $hashedValue);
}

I have founded this answer very helpful. You can check this out http://stackoverflow.com/questions/27703626/comparing-hashed-values-to-check-whether-it-is-equal.

There is no way of defining the bcrypt salt somewhere ? It would still be secure because nobody should know which salt you are using but it would generate constant hashes.

@austenc Why don't you use http://laravel.com/docs/5.1/encryption ? I guess you also need to show that data somewhere in admin - you need encrypt/decrypt, right?

@developeritsme this is a pretty old thread. I looked at using the encryption library, but that would not have been very efficient query-wise. You'd have to query all the rows and then filter (decrypt) them. What I ended up doing is storing both an encrypted version of the value, and a hashed version of the value + salt string that I put in config which is the same every time. Now I can allow efficient searches for this value (just a simple WHERE clause) and have access to the decrypted version for edits once I've got that row's id.

Holy sh** that was a eight months bump

@austenc I have a similar need, where did you end up landing with this? Thanks!