Hello, I'm new to PHP and I need some help with user logins. I'm using WebMatrix2 running a site on localhost trying to learn PHP through trial and error. I've made a registration and login. When I try to test user input against the database, it looks like the query works but the verification fails. Any advice would help, thanks in advance!

register.php

<?php
session_start();
require_once("db.php");
require_once("create.php");

if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH)
{
    echo "crypt blowfish enabled";
}

if(isset($_POST['submit']))
{
    $filter=array
    (
        "username"=>array
        (
            "filter"=>FILTER_SANITIZE_STRING,
        ),
        "password"=>array
        (
            "filter"=>FILTER_SANITZE_STRING,
        ),
        "email"=>FILTER_VALIDATE_EMAIL,
    );
    $result=filter_input_array(INPUT_POST,$filter);
    if(!$result["email"])
    {
        echo "invalid email";
    }
    $username=$result['username'];
    $pass=$result['password'];
    $email=$result['email'];

    $iv=mcrypt_create_iv(16,MCRYPT_DEV_URANDOM);
    $replace=array("+","=");
    $salt=str_replace($replace,".",base64_encode($iv));
    $password=crypt($pass,'$2a$10'.$salt);

    $sql="INSERT INTO users (username,password,email,salt) VALUES (?, ?, ?, ?)";
    $stmt=mysqli_prepare($con,$sql);
    mysqli_bind_param($stmt,'ssss',$username,$password,$email,$salt);
    mysqli_stmt_execute($stmt);
    if(mysqli_affected_rows($con)>0)
    {
        $userid=mysqli_insert_id($con);
        echo "created user successfull";
        $_SESSION['username']=$username;
        $_SESSION['userid']=$userid;
    }
    else{
        echo "creation failed";
    }
}
?>

login.php

<?php
require_once("db.php");

if(isset($_POST['submit']))
{
    $username=mysqli_real_escape_string($_POST['username']);
    $password=mysqli_real_escape_string($_POST['password']);
    if($sql=mysqli_query($con,"SELECT username, password FROM users WHERE username='$username' LIMIT 1"))
    {
        echo "successfull query";
        echo "<br/>";
        $row=mysqli_fetch_array($sql);
        $user=$row["username"];
        $hashpass=$row["password"];
        if(crypt($password,$hashpass)==$hashpass && $username==$user)
        {
            echo "successfull password";
            echo "<br/>";
        }
        else
        {
            echo "fail pass check";
            echo mysqli_error($con);
        }
    }
    else
    {
        echo "sql query failed.".mysqli_error($con);
    }
}
echo mysqli_error($con);
?>

I get "successfull query" but then I get "fail pass check". I'm not sure if I'm comparing the user input against the query result set correctly or what?
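
An added example (not part of the original post) of the same register and login round trip using password_hash() and password_verify(), which generate and parse the bcrypt string themselves, so no hand-built salt prefix or separate salt column is involved. It assumes PHP 5.5+ and substitutes an in-memory SQLite database via PDO for the post's MySQL connection so it runs without a server; the function names, table layout and sample credentials are constructed for illustration.

```php
<?php
// Added example: constructed schema and sample data, not the poster's code.
// Assumes PHP 5.5+ (password_hash) and the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');   // stand-in for the MySQL connection in db.php
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The password column holds the full bcrypt string; the salt is embedded in it.
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL,
    email TEXT NOT NULL)');

function register_user(PDO $db, $username, $password, $email)
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Hash the password exactly as typed: no sanitizing or SQL escaping first,
    // otherwise the hashed bytes can differ from what is submitted at login.
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 10));
    $stmt = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    return $stmt->execute(array($username, $hash, $email));
}

function verify_login(PDO $db, $username, $password)
{
    // Bound parameter instead of string interpolation plus escaping.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;               // no such user
    }
    // password_verify() reads the cost and salt out of $hash, re-derives the
    // hash from $password, and compares the two in constant time.
    return password_verify($password, $hash);
}

// Constructed sample credentials, including characters a sanitizer would alter.
register_user($db, 'alice', 'p<a>ss "word"', 'alice@example.com');
var_dump(verify_login($db, 'alice', 'p<a>ss "word"'));  // correct password
var_dump(verify_login($db, 'alice', 'wrong'));          // wrong password
var_dump(verify_login($db, 'nobody', 'x'));             // unknown user
```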