Search the Community

I have been working on a login form, I have completed the registration side but the login form is proving to be fighting back. I have just jumped into the world of PDO and only recently PHP in a serious way. I have been trying to use the password_verify(); function but I have spent so long on it now trying to get it working I have made it more difficult than it should be and probably is. I would be grateful if someone could take a look at my code and just tell me what I am doing wrong. I have tested it with the username and password hard coded in and it returns an array however if I comment out the hard coded username and password I get an empty array. I dare say that someone will see the issue straight away but I cannot get my head round it. <?php session_start(); error_reporting(0); require '../php_inc/connection/connect.php'; require_once '../php_inc/functions.php'; $error = ''; // all error messages will use this variable $msg = 'Please fill in both fields and answer the captcha, they are all required to log in.'; if(isset($_POST['submitted'])){ $dbuname = 'dashby'; // As if check with DB - If I comment these 2 out and try to get data from DB I get empty array $hashed = '$2y$12$7hcyfm7UjboYGaNLF7vK1.qroo3YkvhKAR8EfxG1byEMkNB0oSQgi'; // As if check with DB - same password require 'Captcha.php'; $username = escape_in($_POST['username']); // Username $captcha = escape_in($_POST['captchaResult']); //Captcha $unhashed = escape_in($_POST['password']); //Password b4 hashing takes place //$submittedPassword = password_hash($unhashed, PASSWORD_DEFAULT, ['cost' => 12]); // connect to the database so the checks can be done. if($pdo){ $stmt = $pdo->prepare("select * from users where username = :username && password = :password"); $stmt->bindParam(":username", $username); $stmt->bindParam(":password", $unhashed); // If $hashed is the variable I get an array returned, as $unhashed I get an empty array echo '<pre>'; if($stmt->execute()){ $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); print_r($rows); } } echo '</pre>'; if($total == $getCaptchaResults){ //Capcha OK if(password_verify($unhashed, $hashed)){ //$msg = ''; //$error .= 'Password match'; if($username == $dbuname){ //$msg = ''; //$error .= 'Captcha, username and password ok'; // working to this point $_SESSION['username']; //header('Location: welcomelogged.php'); } else { $msg = ''; $error .= 'Denied wrong username and/or password'; } } else { $msg = ''; $error .= 'Denied wrong password and/or username'; } } else { if(($total != $getCaptchaResults)){ $msg = ''; $error .= 'Captcha Wrong'; } } }// post submitted brace ?> The if statements all work bar the password_verify when I comment out the hard coded variables out, directly under if(isset($_POST['submitted'])) {} I would be grateful if someone could steer me in the right direction. Thanks in advance.

I have an old website with users and password (not hashed) and want to import them into mysql, then run a script to create a new user_password_hash and update the database: what I tried is something like this: require 'application/config/config.php'; #Define Connection String Using PDO. $dbh = new PDO('mysql:host='.DB_HOST.';dbname='.DB_NAME.';charset=utf8',DB_USER,DB_PASS); $sth = $dbh->prepare("SELECT user_id, password, user_password_hash FROM users"); $sth->execute(); $result = $sth->fetchAll(); foreach($result as $key => $value) { $query = "UPDATE users SET user_password_hash = password_hash('result.password', PASSWORD_DEFAULT) WHERE user_id = 'result.user_id'"; } echo 'Done'; but not working tried it a few different ways but unsuccessfully frustrating, new to php, used cfm in the past, trying to get my php feet wet !!! any suggestions are appreciated !!!

Hi I'm quite newbie with php. Im trying to add password change to existing login script and stuck on a problem with password change code. May be someone could help me out here please. Can't figure out where is the problem, why it doesn't insert the hashed password - getting some error after submit ( blank page). i noticed problem is between lines 32 and 47 I've tried with md5 and it worked (inserted md5 pwd into DB) but my login don't recognise md5 as it reads password_hash passwords. <?php session_start(); include('menu.php'); require_once('../config/db.php'); //strip and trim slashes function clear($message) { if(!get_magic_quotes_gpc()) $message = addslashes($message); $message = strip_tags($message); $message = htmlentities($message); return trim($message); } // include the configs / constants for the database connection $con = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die("Could not connect: " . mysql_error()); mysql_select_db(DB_NAME); if(!$_GET['user_id']) { $query = mysql_query("SELECT * FROM users ORDER BY user_id DESC") or die(mysql_error()); } else { if ($_POST['submit']) { $user_name = clear($_POST['user_name']); $user_fname = clear($_POST['user_fname']); $user_lname = clear($_POST['user_lname']); $user_id = $_GET['user_id']; $user_password = $_POST['newpassword']; $newpassword = $_POST['newpassword']; $repeatnewpassword = $_POST['repeatnewpassword']; // crypt the user's password with PHP 5.5's password_hash() function, results in a 60 character // hash string. the PASSWORD_DEFAULT constant is defined by the PHP 5.5, or if you are using // PHP 5.3/5.4, by the password hashing compatibility library $user_password_hash = password_hash($newpassword, PASSWORD_DEFAULT); //check two new passwords if ($newpassword==$repeatnewpassword) { //successs //change password in db mysql_query("UPDATE users SET user_password_hash='$newpassword', user_name='$user_name', user_fname='$user_fname', user_lname='$user_lname' WHERE user_id='$user_id'"); mysql_close(); die("Your password has been changed. <a href='index.php'> Return</a>"); } else die("New password doesn't match!"); } else { $user_id = $_GET['user_id']; $query = mysql_query("SELECT * FROM users WHERE user_id='$user_id'"); $row = mysql_fetch_assoc($query); ?> <form action="?user_id=<?php echo $row['user_id']; ?>" method="post"> <input type="hidden" name="ID" value="<?php echo $row['user_id']; ?>"> user ID: <input type="text" name="user_name" value="<?php echo $row['user_name']; ?>"><br> First Name: <input type="text" name="user_fname" value="<?php echo $row['user_fname']; ?>"><br> Last Name: <input type="text" name="user_lname" value="<?php echo $row['user_lname']; ?>"><br> New Password: <input type='password' name='newpassword'><p> Repeat New Password: <input type='password' name='repeatnewpassword'><p> <input type="Submit" name="submit" value="Enter information"> </form> <?php }} ?> thanks!