Eugene Stamp

Reputation: 158

MySql Password_verify() not working?

During registration, the user's password is saved in the database as an encrypted BCRYPT password.

My question is: Why can't I verify the encrypted database password with the entered password?

CODE:

    <?php
    // POST VARIABLES
    $submit   = $_POST['login_submit'];
    $username = $_POST['login_username'];
    $password = $_POST['login_password'];
    $email    = $_POST['login_email'];

    require 'password_config.php';
    if (isset($submit)) {
        require 'db/connect.php';
        // PASSWORD VERIFYING
        $pass_query = "SELECT password FROM users WHERE email='$email'";
        $queried = mysql_query($pass_query);
        while ($row = mysql_fetch_array($queried)) {
            $user_pass = $row['password'];
            $veri_password = password_verify($password, $user_pass);
        }

        // CHECKING NUM ROWS
        $sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'";
        $entered_user = mysql_query($sql);
        $num_rows = mysql_num_rows($entered_user);

        // ERRS ARRAY DECLARED
        $errors = array();

        // FURTHER VERIFYING
        if ($num_rows != 1) {
            $errors[] = '-Account does not exist ';
        } elseif ($num_rows == 1) {
            session_start();
            while ($row = mysql_fetch_array($entered_user)) {
                $_SESSION['key'] === true;
                $_SESSION['id'] = $row['id'];
                $_SESSION['email'] = $email;
                $_SESSION['user'] = $row['username'];
                $_SESSION['pass'] = $password;
                header('Location: profile.php');
                exit();
            }
        }
    }
    ?>

I'm receiving an error that says 'account does not exist' even when I enter valid information.

Thanks, -Eugene

EDIT: changed to this:

    <?php
    // POST VARIABLES
    $submit   = $_POST['login_submit'];
    $username = $_POST['login_username'];
    $password = $_POST['login_password'];
    $email    = $_POST['login_email'];

    require 'password_config.php';
    if (isset($submit)) {
        require 'db/connect.php';
        // PASSWORD VERIFYING
        $pass_query = "SELECT password FROM users WHERE email='$email'";
        $queried = mysql_query($pass_query);
        while ($row = mysql_fetch_array($queried)) {
            $user_pass = $row['password'];
            $veri_password = password_verify($password, $user_pass);
        }
        if ($veri_password === true) {
            // CHECKING NUM ROWS
            $sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
            $entered_user = mysql_query($sql);
            $num_rows = mysql_num_rows($entered_user);

            // ERRS ARRAY ESTABLISHED
            $errors = array();

            // FURTHER VERIFYING
            if ($num_rows != 1) {
                $errors[] = '-Account does not exist ';
            } elseif ($num_rows == 1) {
                session_start();
                while ($row = mysql_fetch_array($entered_user)) {
                    $_SESSION['key'] === true;
                    $_SESSION['id'] = $row['id'];
                    $_SESSION['email'] = $email;
                    $_SESSION['user'] = $row['username'];
                    $_SESSION['pass'] = $password;
                    header('Location: profile.php');
                    exit();
                }
            }
        }
    }
    ?>

Upvotes: 1

Views: 162

Answers (1)

Ormoz

Reputation: 3013

Change to:

$sql = "SELECT id, username FROM users WHERE email='$email'";

Also change:

$veri_password = password_verify($password, $user_pass);

to

if (!password_verify($password, $user_pass)) {
    echo 'invalid password';
    exit;
}

Anyway, your code is vulnerable to SQL injection. Please consider using prepared statements in your queries or escape input strings with mysql_real_escape_string. Also, it is recommended to use mysqli or PDO instead of procedural methods.

Upvotes: 2
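The login flow the answer is pointing at, written out as an added example (this is not the asker's or the answerer's code). It looks the user up by email with a PDO prepared statement, compares the stored bcrypt hash in PHP with password_verify(), and keeps both the hash and the plaintext password out of SQL and out of the session. The DSN, credentials, table and column names, and the POST field names are assumptions that mirror the question.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. The DSN,
// credentials, the `users` table and its columns, and the POST field
// names are assumptions mirroring the question.

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Returns the user row for the email, or null. The email is bound as a
// parameter, so it is data, never part of the SQL text.
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, username, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the authenticated user's id and username, or null on failure.
// One generic failure covers both "no such account" and "wrong password",
// so the response does not reveal which emails are registered.
function authenticate(PDO $db, string $email, string $password): ?array
{
    $row = findUserByEmail($db, $email);
    if ($row === null) {
        return null;
    }
    // password_verify() compares the plaintext against the stored bcrypt
    // hash and returns a bool. That bool is the result of the check; it is
    // not a value to look up in the database, which is the bug in the question.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // If the stored hash uses an older cost or algorithm, re-hash it now,
    // while the plaintext is in hand, and store the new hash.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $update = $db->prepare('UPDATE users SET password = :hash WHERE id = :id');
        $update->execute([
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':id'   => $row['id'],
        ]);
    }
    return ['id' => $row['id'], 'username' => $row['username']];
}

// Request handling. Only the id and username go into the session; the
// plaintext password is never stored anywhere.
$errors = [];
if (isset($_POST['login_submit'])) {
    $email    = (string) ($_POST['login_email'] ?? '');
    $password = (string) ($_POST['login_password'] ?? '');

    $user = authenticate(connect(), $email, $password);
    if ($user === null) {
        $errors[] = 'Invalid email or password';
    } else {
        session_start();
        session_regenerate_id(true); // fresh session id after login
        $_SESSION['id']   = $user['id'];
        $_SESSION['user'] = $user['username'];
        header('Location: profile.php');
        exit();
    }
}
```

Two points in the design: the hash is fetched by email only and compared in PHP, so the second `SELECT ... WHERE password=...` from the question disappears entirely; and `password_needs_rehash()` lets the stored hashes be upgraded transparently when the default cost changes, without a separate migration.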
