
Need help with password_verify()


Hobbyist_PHPer
Solved by mac_gyver

Hello everyone, so I just had PHP 5.5.5 installed on my server so that I could take advantage of the new password hashing API, but I'm having problems: it's not validating as true...

 

Here's my login script code

<?php
if (isset($_POST['loginform']))
{
    session_start();
    
    require "../includes/connection.inc";
    require "../includes/functions.php";

    $Uname = clean($_POST['Username']);
    $Username = strtolower($Uname);
    $Password = clean($_POST['Password']);

    $sql = "SELECT ExaminerID, ExaminerName, ExaminerEmail, ExaminerPassword FROM Examiners WHERE ExaminerUsername = ? AND ExaminerPassword = ?";
    if ($stmt = $mysqli -> prepare($sql))
    {
        $stmt -> bind_param("ss", $Username, $Password);
        $stmt -> execute();
        $stmt -> bind_result($ExaminerID, $ExaminerName, $ExaminerEmail, $ExaminerPassword);
        $stmt -> fetch();
        if (password_verify($Password, $ExaminerPassword))
        {
            session_regenerate_id();
            $_SESSION['ExaminerID'] = $ExaminerID;
            $_SESSION['ExaminerName'] = $ExaminerName;
            $_SESSION['ExaminerEmail'] = $ExaminerEmail;
            session_write_close();
            $stmt -> close();
            $mysqli -> close();
            header("location: https://*****************/index.php");
            exit(); // stop the script once the redirect header is sent
        }
        else
        {
            $stmt -> close();
            $mysqli -> close();
            header("location: login.php?failed");
            exit();
        }
    }
    else
    {
        // prepare() failed, so $stmt is false and there is no statement to close
        $mysqli -> close();
        header("location: login.php?failed");
        exit();
    }
}
?>

  • Solution

If you correctly generated the hash (using password_hash()) and stored that hashed value in your ExaminerPassword column, your query will never match a row because ExaminerPassword will never equal $password.

 

Your query should only try to find rows with the correct ExaminerUsername. Your logic using password_verify() is what tests if the hash of the $password matches the value from the ExaminerPassword column.
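The difference between the two query shapes discussed in this thread, as an added example that is not part of either post. It assumes PDO with an in-memory SQLite database in place of the thread's mysqli connection so that it runs offline; the function names and the sample account are constructed for illustration.

```php
<?php
// Added example (not the thread's code). Assumption: PDO + in-memory SQLite
// stands in for the thread's mysqli/MySQL connection; column names are the thread's.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Examiners (ExaminerID INTEGER PRIMARY KEY,
    ExaminerName TEXT, ExaminerUsername TEXT UNIQUE, ExaminerPassword TEXT)');

// Constructed sample account: only the password_hash() output is stored.
$ins = $db->prepare('INSERT INTO Examiners
    (ExaminerName, ExaminerUsername, ExaminerPassword) VALUES (?, ?, ?)');
$ins->execute(['Sample Examiner', 'sample',
    password_hash('correct horse', PASSWORD_DEFAULT)]);

// The question's query shape: the plaintext is compared to the hash column in SQL.
function lookup_original(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT ExaminerID, ExaminerPassword FROM Examiners
        WHERE ExaminerUsername = ? AND ExaminerPassword = ?');
    $stmt->execute([strtolower($username), $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The plaintext never equals the stored hash, so no row comes back and
    // password_verify() is never given a real hash to check.
    return $row && password_verify($password, $row['ExaminerPassword']);
}

// The accepted answer's shape: select by username only, verify in PHP.
function lookup_fixed(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT ExaminerID, ExaminerPassword FROM Examiners
        WHERE ExaminerUsername = ?');
    $stmt->execute([strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false; // unknown username
    }
    // The submitted password is passed unmodified; password_verify() reads
    // the algorithm, cost and salt from the stored hash itself.
    return password_verify($password, $row['ExaminerPassword']);
}

var_dump(lookup_original($db, 'Sample', 'correct horse'));
var_dump(lookup_fixed($db, 'Sample', 'correct horse'));
var_dump(lookup_fixed($db, 'Sample', 'wrong password'));
```

If the fixed query still fails against MySQL, check that the hash column is wide enough to hold the full password_hash() output (60 characters for bcrypt; the PHP manual recommends 255), since a truncated hash never verifies.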
