Owen

Reputation: 431

passwords match, but if statement fails

I recently had a conversation that led me to the discovery that I've been storing passwords improperly. I've always used md5 and thought it was secure enough. However, after some reading I've discovered that is not the case, so I am making the switch to bcrypt.

Anyway, I'm creating the login processor, but once I encrypt the user-supplied password with the known salt, it states that the passwords are not equal. However, when I echo them, they are identical.

Here is the code:

<?php
$username = $_POST['username'];
$password = $_POST['password'];

/* find that username in the database and grab their info */
$check_username = "SELECT * FROM users WHERE username = ?";
$query_username = $conn->prepare($check_username);
$query_username->execute(array($username));
$count = $query_username->rowCount();

if ($count > 0) { /* if the user was found in the database */
    while ($row = $query_username->fetch()) {
        $salt = $row['salt'];
        $password_encrypted = $row['password'];
        /* re-hash the supplied password with the stored salt */
        $encrypt_password = crypt($password, $salt);

        if ($encrypt_password == $row['password']) {
            echo "success";
        } else {
            /* show both values so any hidden difference is visible */
            var_dump($encrypt_password);
            echo "<br />";
            var_dump($row['password']);
        }
    }
}

Not sure why this if statement fails; hopefully one of you can see what I am missing. Thanks in advance.

Output of the var_dumps:

string(60) "$2y$09$l2j89a6l7eoaz4dqpn5xzeAyBP1l7QzQuT7rIj8qYWX1/qJz7MYee" 
string(61) "$2y$09$l2j89a6l7eoaz4dqpn5xzeAyBP1l7QzQuT7rIj8qYWX1/qJz7MYee"

Found the error: I am using BINARY for the column; changing the length to 60 solved the issue. Thanks for the advice on using var_dump.

Upvotes: 1

Views: 191

Answers (1)

paxdiablo

Reputation: 881093

Don't use echo or at least don't use it without hard boundaries. Otherwise you have the same situation as the following two lines which seem to generate the same output:

print "hello"
print "hello     "

Use var_dump or, if you must echo, echo the variables in such a way that the HTML renderer doesn't stuff up your output, such as using <pre> tags with [ and ] delimiters.

Upvotes: 2
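The failure the question describes (a 60-byte bcrypt hash that never equals the value read back from a BINARY(61) column) and the answer's advice to dump values with hard boundaries, as an added example that is not code from either post. It simulates the column padding in PHP instead of using a database, then shows the fix with a 60-byte column, password_verify(), and a constant-time comparison. The simulateBinaryColumn, looksLikeBcrypt and checkWithCrypt helpers and the sample password are constructed for this example.

```php
<?php
// Added example, not code from the question or the answer.
// MySQL right-pads a BINARY(n) value with 0x00 bytes and returns the padding
// unchanged, so a 60-byte bcrypt hash stored in BINARY(61) comes back as
// 61 bytes and never equals the freshly computed crypt() output.

// Constructed stand-in for the padding a BINARY($width) column applies.
function simulateBinaryColumn(string $value, int $width): string
{
    return str_pad($value, $width, "\0");
}

// Defensive check for a login handler: a bcrypt string that is not exactly
// 60 bytes points at a storage problem, not at a wrong password.
function looksLikeBcrypt(string $stored): bool
{
    return strlen($stored) === 60
        && preg_match('/^\$2[aby]\$\d{2}\$/', $stored) === 1;
}

// Login check in the question's style (crypt with the stored value as salt),
// but with hash_equals() so the comparison does not leak timing information.
function checkWithCrypt(string $supplied, string $stored): bool
{
    return looksLikeBcrypt($stored)
        && hash_equals($stored, crypt($supplied, $stored));
}

$plaintext = 'correct horse battery staple';   // constructed sample password

// password_hash() picks a random salt and emits the "$2y$" form seen in the question.
$hash = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 10]);

// What the question's query sees with a BINARY(61) column: one trailing NUL byte.
$fromBinary61 = simulateBinaryColumn($hash, 61);

echo "<pre>\n";   // the answer's advice: print inside hard boundaries
echo 'stored length:   [', strlen($fromBinary61), "]\n";
echo 'last byte (hex): [', bin2hex(substr($fromBinary61, -1)), "]\n";
echo 'equal with ==:   [', var_export($hash == $fromBinary61, true), "]\n";
echo 'checkWithCrypt:  [', var_export(checkWithCrypt($plaintext, $fromBinary61), true), "]\n";

// With CHAR(60) (or VARCHAR(255), which also leaves room for future algorithms)
// nothing is padded; password_verify() re-hashes and compares in constant time.
$fromChar60 = $hash;
echo 'verify ok:       [', var_export(password_verify($plaintext, $fromChar60), true), "]\n";
echo 'verify wrong:    [', var_export(password_verify('wrong password', $fromChar60), true), "]\n";
echo 'checkWithCrypt:  [', var_export(checkWithCrypt($plaintext, $fromChar60), true), "]\n";
echo "</pre>\n";
```

The length check in looksLikeBcrypt is the cheap detection for this class of bug: if a stored hash is not 60 bytes, log a storage error rather than reporting a bad password. Keeping the salt in a separate column, as the question does, is unnecessary with bcrypt because the salt is already embedded in the first 29 characters of the hash.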
