New to Password Hashing

[RedInjection]

Hello all,

 

I currently have a login form that works with username and password in plain text which reads from a table, I have created a register form which succesfully creates a hash using password_verify function but I am having problems what it is for the login form to check the password against the hash and allow the user to continue.

    $timedate = date("F j, Y, g:i a");
    if (isset($_POST['login'])) {
        $username = $_POST['username'];
		
        $password = password_verify($_POST['password'], $hash);
		
        if (isset($_POST['remember'])) {
            session_set_cookie_params('604800');
            session_regenerate_id(true);
        }
        if ($mysqli->connect_errno) {
            echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
            exit();
        }
        $sql    = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
        $result = $mysqli->query($sql);
        if ($result->num_rows != 1) {
            echo "<tr colspan=2><td width=0%></td><td width=100%><strong><font color=red>Invalid Login</strong></font></strong></td></tr>";
        } else {
            $user                 = $result->fetch_array();
            $_SESSION['user_id']  = $user['id'];
            $_SESSION['username'] = $user['username'];
            $_SESSION['remember'] = $user['remember'];
            $sql                  = "UPDATE users SET lastlogin='" . $timedate . "'WHERE id={$_SESSION['user_id']}";
            $result               = $mysqli->query($sql);
            redirect_to("editprofile.php");
        

I am using PHP 5.5 and from what I understand password_verify is a function and I have noticed on from reading that there is a $hash variable

$password = password_verify($_POST['password'], $hash);

Is the $hash something I have to declare and read from mytable or is this part of the function within password_verify?

 

Thank you your help in trying to understand this function

[Psycho]

There's quite a few things which need to be "fixed" in this code, not the least of which is the password verification. But, we can start with that.

 

When a user creates their password, use the function password_hash() to generate a hash value and save it to the DB. Then, when a user attempts to log in, run a DB query to find the record matching just the username. Take the hash value from the DB and the password the user provided on the login and use the password_verify() function to see if the password is valid.

 

FYI: Font tags have been deprecated for over a decade!

Edited October 27, 2015 by Psycho

[RedInjection]

Okay thanks just wanted to be clear on the function - Yes I am using deprecated tags just for testing and will finalise XHTML when I am happy the functionality works.

[Jacques1]

Your code is wide open to SQL injection attacks and leaks critical information about your database system by showing all internal SQL errors to the user.

 

I strongly recommend you learn the basics of MySQLi before you even think about writing a complete application.

• How to safely pass PHP values to a query with prepared statements.
• How to report SQL errors.

[RedInjection]

I am just learning and this code isn't being published online, Prepared Statements is something I will learn next