
Need help with password_verify()

password_verify()



2 replies to this topic

#1 Hobbyist_PHPer


Posted 29 October 2013 - 11:10 AM

Hello everyone, so I just had PHP 5.5.5 installed on my server so that I could take advantage of the new password hashing API, but I'm having problems, it's not validating as true...

 

Here's my login script code

<?php
if (isset($_POST['loginform']))
{
    session_start();
    
    require "../includes/connection.inc";
    require "../includes/functions.php";

    $Uname = clean($_POST['Username']);
    $Username = strtolower($Uname);
    $Password = clean($_POST['Password']);

    $sql = "SELECT ExaminerID, ExaminerName, ExaminerEmail, ExaminerPassword FROM Examiners WHERE ExaminerUsername = ? AND ExaminerPassword = ?";
    if ($stmt = $mysqli -> prepare($sql))
    {
        $stmt -> bind_param("ss", $Username, $Password);
        $stmt -> execute();
        $stmt -> bind_result($ExaminerID, $ExaminerName, $ExaminerEmail, $ExaminerPassword);
        $stmt -> fetch();
        if (password_verify($Password, $ExaminerPassword))
        {
            session_regenerate_id();
            $_SESSION['ExaminerID'] = $ExaminerID;
            $_SESSION['ExaminerName'] = $ExaminerName;
            $_SESSION['ExaminerEmail'] = $ExaminerEmail;
            session_write_close();
            $stmt -> close();
            $mysqli -> close();
            header("location: https://*****************/index.php");
            exit(); // stop the script once the redirect header is sent
        }
        else
        {
            $stmt -> close();
            $mysqli -> close();
            header("location: login.php?failed");
            exit();
        }
    }
    else
    {
        // prepare() failed: $stmt is false here, so there is no statement to close
        $mysqli -> close();
        header("location: login.php?failed");
        exit();
    }
}
?>


#2 mac_gyver


Posted 29 October 2013 - 11:22 AM   Best Answer

if you correctly generated the hash (using password_hash()) and stored that hashed value in your ExaminerPassword column, your query will never match a row because ExaminerPassword will never equal $password.

 

your query should only try to find rows with the correct ExaminerUsername. your logic using password_verify() is what tests if the hash of the $password matches the value from the ExaminerPassword column.


multi-purpose programming fool. well written source-code should be self-documenting. well written code should be self-troubleshooting. 
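
The lookup described in the answer above, as an added example that is not part of the original thread: select the row by ExaminerUsername only, then let password_verify() compare the submitted password with the stored hash. It assumes PHP 7.1 or later and swaps the thread's mysqli connection for an in-memory SQLite database through PDO so it runs without a server; the sample row, verifyLogin() and the dummy-hash step for unknown usernames are constructed for illustration.

```php
<?php
// Added example with constructed data; in-memory SQLite stands in for the MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Examiners (
    ExaminerID INTEGER PRIMARY KEY,
    ExaminerName TEXT,
    ExaminerUsername TEXT UNIQUE,
    ExaminerPassword TEXT)');

// Registration side: only the password_hash() output is stored, never the password.
$ins = $db->prepare('INSERT INTO Examiners (ExaminerName, ExaminerUsername, ExaminerPassword) VALUES (?, ?, ?)');
$ins->execute(['Sample Examiner', 'sample', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Returns the examiner row on success, or null on any failure (hypothetical helper). */
function verifyLogin(PDO $db, string $username, string $password): ?array
{
    // Hash that is checked when the username is unknown, so both failure
    // paths do comparable work and look the same to the caller.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('placeholder', PASSWORD_DEFAULT);

    // Look the row up by username only; the hash is never compared in SQL.
    $stmt = $db->prepare('SELECT ExaminerID, ExaminerName, ExaminerPassword FROM Examiners WHERE ExaminerUsername = ?');
    $stmt->execute([strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row ? $row['ExaminerPassword'] : $dummyHash;
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }

    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE Examiners SET ExaminerPassword = ? WHERE ExaminerID = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['ExaminerID']]);
    }
    unset($row['ExaminerPassword']); // the hash has no business in the session
    return $row;
}

var_dump(verifyLogin($db, 'Sample', 'correct horse') !== null); // valid login
var_dump(verifyLogin($db, 'sample', 'wrong guess') !== null);   // wrong password
var_dump(verifyLogin($db, 'nobody', 'correct horse') !== null); // unknown username
```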


#3 Hobbyist_PHPer


Posted 29 October 2013 - 12:40 PM

Damn, you're right, I see what I did, thanks.





