RedInjection Posted October 27, 2015

Hello all, I currently have a login form that works with username and password in plain text which reads from a table. I have created a register form which successfully creates a hash using the password_verify function, but I am having problems working out what the login form needs to do to check the password against the hash and allow the user to continue.

```php
$timedate = date("F j, Y, g:i a");
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    // $hash is not defined anywhere above this line
    $password = password_verify($_POST['password'], $hash);
    if (isset($_POST['remember'])) {
        session_set_cookie_params('604800');
        session_regenerate_id(true);
    }
    if ($mysqli->connect_errno) {
        echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
        exit();
    }
    // username and password are interpolated straight into the query
    $sql = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
    $result = $mysqli->query($sql);
    if ($result->num_rows != 1) {
        echo "<tr colspan=2><td width=0%></td><td width=100%><strong><font color=red>Invalid Login</strong></font></strong></td></tr>";
    } else {
        $user = $result->fetch_array();
        $_SESSION['user_id'] = $user['id'];
        $_SESSION['username'] = $user['username'];
        $_SESSION['remember'] = $user['remember'];
        $sql = "UPDATE users SET lastlogin='" . $timedate . "' WHERE id={$_SESSION['user_id']}";
        $result = $mysqli->query($sql);
        redirect_to("editprofile.php");
    }
}
```

I am using PHP 5.5, and from what I understand password_verify is a function. I have noticed from reading that there is a $hash variable:

```php
$password = password_verify($_POST['password'], $hash);
```

Is the $hash something I have to declare and read from my table, or is this part of the function within password_verify? Thank you for your help in trying to understand this function.
Solution: Psycho Posted October 27, 2015 (edited)

There are quite a few things which need to be "fixed" in this code, not the least of which is the password verification. But, we can start with that. When a user creates their password, use the function password_hash() to generate a hash value and save it to the DB. Then, when a user attempts to log in, run a DB query to find the record matching just the username. Take the hash value from the DB and the password the user provided on the login and use the password_verify() function to see if the password is valid.

FYI: Font tags have been deprecated for over a decade!

Edited October 27, 2015 by Psycho
RedInjection (Author) Posted October 27, 2015

Okay thanks, just wanted to be clear on the function. Yes, I am using deprecated tags just for testing and will finalise the XHTML when I am happy the functionality works.
Jacques1 Posted October 27, 2015

Your code is wide open to SQL injection attacks and leaks critical information about your database system by showing all internal SQL errors to the user. I strongly recommend you learn the basics of MySQLi before you even think about writing a complete application:

How to safely pass PHP values to a query with prepared statements.
How to report SQL errors.
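The flow Psycho describes (hash on registration, look up by username only, then password_verify()) combined with the prepared statements and error reporting Jacques1 points to, as an added example written for this thread rather than code from either poster. It assumes a `users` table with columns `id`, `username`, `password_hash` and a DATETIME `lastlogin`, an existing `$mysqli` connection, and the mysqlnd driver for `get_result()`.

```php
<?php
// Added example: registration and login with password_hash()/password_verify()
// and MySQLi prepared statements. Table and column names are assumptions.

// Throw exceptions on SQL errors instead of echoing them to the user;
// log the exception server-side and show a generic message instead.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function register_user(mysqli $mysqli, string $username, string $password): void
{
    // Store only the hash; salt and algorithm are embedded in the hash string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $mysqli->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
}

function login_user(mysqli $mysqli, string $username, string $password): ?array
{
    // Look the user up by username only; the password never goes into the query.
    $stmt = $mysqli->prepare('SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();

    // One generic failure path for both "unknown user" and "wrong password".
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    $id = (int) $user['id'];

    // Upgrade the stored hash if the default cost/algorithm has changed.
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $mysqli->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $id);
        $upd->execute();
    }

    $upd = $mysqli->prepare('UPDATE users SET lastlogin = NOW() WHERE id = ?');
    $upd->bind_param('i', $id);
    $upd->execute();

    // Fresh session id on privilege change, then store only what the app needs.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $id;
    $_SESSION['username'] = $user['username'];
    unset($user['password_hash']);
    return $user;
}
```

On failure the caller prints its own "Invalid Login" message; nothing from the database or the exception reaches the browser.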
RedInjection (Author) Posted October 28, 2015

I am just learning and this code isn't being published online. Prepared statements are something I will learn next.