
Need help with password_verify()


Hobbyist_PHPer


Hello everyone, so I just had PHP 5.5.5 installed on my server so that I could take advantage of the new password hashing API, but I'm having problems, it's not validating as true...

 

Here's my login script code

<?php
if (isset($_POST['loginform']))
{
    session_start();
    
    require "../includes/connection.inc";
    require "../includes/functions.php";

    $Uname = clean($_POST['Username']);
    $Username = strtolower($Uname);
    $Password = clean($_POST['Password']);

    $sql = "SELECT ExaminerID, ExaminerName, ExaminerEmail, ExaminerPassword FROM Examiners WHERE ExaminerUsername = ? AND ExaminerPassword = ?";
    if ($stmt = $mysqli -> prepare($sql))
    {
        $stmt -> bind_param("ss", $Username, $Password);
        $stmt -> execute();
        $stmt -> bind_result($ExaminerID, $ExaminerName, $ExaminerEmail, $ExaminerPassword);
        $stmt -> fetch();
        if (password_verify($Password, $ExaminerPassword))
        {
            session_regenerate_id();
            $_SESSION['ExaminerID'] = $ExaminerID;
            $_SESSION['ExaminerName'] = $ExaminerName;
            $_SESSION['ExaminerEmail'] = $ExaminerEmail;
            session_write_close();
            $stmt -> close();
            $mysqli -> close();
            header("location: https://*****************/index.php");
            exit(); // stop executing once the redirect header has been sent
        }
        else
        {
            $stmt -> close();
            $mysqli -> close();
            header("location: login.php?failed");
            exit();
        }
    }
    else
    {
        // prepare() failed, so $stmt is false and has no close() method
        $mysqli -> close();
        header("location: login.php?failed");
        exit();
    }
}
?>

If you correctly generated the hash (using password_hash()) and stored that hashed value in your ExaminerPassword column, your query will never match a row because ExaminerPassword will never equal $password.

 

Your query should only try to find rows with the correct ExaminerUsername. Your logic using password_verify() is what tests if the hash of the $password matches the value from the ExaminerPassword column.


Archived

This topic is now archived and is closed to further replies.
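
Added example (not part of the original thread and not either poster's code): the fix the reply describes, with the lookup done by username only and password_verify() as the sole password comparison, plus a rehash step that goes beyond what the thread covers. verifyExaminerLogin() is a hypothetical helper; the table, column and include names are taken from the posted script, and the index.php redirect target is a placeholder.

```php
<?php
// Added example: verifyExaminerLogin() is a hypothetical helper, not thread code.
function verifyExaminerLogin(mysqli $mysqli, $username, $password)
{
    // Look the account up by username only. The stored value is a hash, so
    // "ExaminerPassword = ?" compared against the plaintext can never match.
    $sql = "SELECT ExaminerID, ExaminerName, ExaminerEmail, ExaminerPassword
            FROM Examiners WHERE ExaminerUsername = ?";
    $stmt = $mysqli->prepare($sql);
    if ($stmt === false) {
        return null;                  // prepare() failed; there is nothing to close
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($id, $name, $email, $hash);
    $found = $stmt->fetch();          // true on a row, null when no row matched
    $stmt->close();

    // password_verify() re-hashes $password with the salt and cost stored in
    // $hash and compares the results.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $mysqli->prepare(
            "UPDATE Examiners SET ExaminerPassword = ? WHERE ExaminerID = ?");
        if ($upd) {
            $upd->bind_param("ss", $newHash, $id);
            $upd->execute();
            $upd->close();
        }
    }
    return array('ExaminerID' => $id, 'ExaminerName' => $name, 'ExaminerEmail' => $email);
}

if (isset($_POST['loginform'])) {
    session_start();
    require "../includes/connection.inc";   // assumed to provide $mysqli, as in the thread
    // The submitted password goes to password_verify() unmodified.
    $user = verifyExaminerLogin($mysqli, strtolower($_POST['Username']), $_POST['Password']);
    if ($user === null) {
        header("location: login.php?failed");
        exit();
    }
    session_regenerate_id(true);            // new session ID after authentication
    $_SESSION = array_merge($_SESSION, $user);
    header("location: index.php");          // placeholder redirect target
    exit();
}
```

If password_verify() still returns false after this change, check the width of the ExaminerPassword column: a truncated hash never verifies, and the PHP manual recommends 255 characters for values produced with PASSWORD_DEFAULT.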
