Carlos1973

Thanks (for the sarcasm) Barand - I got that bit, but what I didn't pick up was that verify works on hashed passwords only, not unhashed ones. Still, we aren't all lucky enough to pick it all up in one morning the way you did. Also - there's a manual? Thanks Requinix - that was my problem; (note to self: password_verify is verifying the hash - not the password behind it). Rookie mistake.

Thanks again - I didn't realise that password_verify() was intrinsically linked to password_hash and thought that it would do the same regardless of hashing / salting. I'll switch it back and see how I get on,.

Hi, I plan to use password_hash, but at the moment I'm just storing a varchar. I changed it as part of the troubleshooting when I started getting this error, but the format has made no difference, should I change it back? Thanks for the tip on prepared statements, I'll look at it now.

Hi, I am trying to set up a useername / password validation log in for a website - code below. I'm fairly new to php, so my understanding of what I have done is: config and env pick up some basic info including the servername, username, password and dbname for the connection, $_POST["username"] and $_POST["pwd"] are the values entered by the user on a previous log in page. Users is queried to bring back the data in $sql where the posted username ($userid) matches the UserName in the table. This is then checked to ensure there is one row returned - if not we go to test3.php If there is one row, the password entered on the log in ['pwd'] is compared to the password in the table. If they match we go to test1.php If they don't we go to test2.php test1.php test2.php and test3.php are holding pages which just display "Success", "incorrect password" or "No User" to check that this codeworks and will be replaced later. When I go through the login page and put an invalid user name, I get sent to test3.php - this is correct. However, if a put in a valid user name and a password, I get sent to test2.php (incorrect password) regardless of the password used being correct or not. Which makes me think the validation is not working. This is the code from the input page for username & password: <div style="display: table-row"> <div style="display: table-cell" class="w3-padding"> <label>User ID:</label> <input class="w3-input w3-text-black" name="username" required> </div> <div style="display: table-cell" class="w3-padding"> <label>Password:</label> <input class="w3-input w3-text-black" type="password" name="pwd" required> </div> </div> Thanks in advance for any assistance. <?php //get config and environment files - includes session script and database ID require_once("config.php"); require_once("env.php"); // Create connection $conn = new mysqli($servername, $username, $password, $dbname); // Check connection if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } $userid = $_POST["username"]; $sql = "SELECT UserID, UserName, Psswrd, FirstName, LastName, UserType FROM Users WHERE UserName = '$userid';"; $result = $conn->query($sql); $row = mysqli_fetch_assoc($result); if ($result->num_rows == 1) { $pwcheck = $row['Psswrd']; if(password_verify($_POST["pwd"],$pwcheck)) { header("Location: test1.php"); exit(); }else { header("Location: test2.php"); exit(); } }else { header("Location: test3.php"); exit(); } ?>