Reputation: 3
For some reason, I don't know if I am really getting the hashed password from the database or if I am comparing it right to the inputted password. I have successfully tested my registration with the password_hash method and I am seeing the hashed password in the database.
Should I also hash the inputted password to be compared to the hashed password from the database? Or is my query just wrong? Please help!!! Thanks!
<?php
require "../connection.php";
session_start();

if (isset($_POST['login'])) {
    $username = stripslashes($_POST['username']);
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $password = stripslashes($_POST['password']);
    $password = mysqli_real_escape_string($conn, $_POST['password']);

    // Look up the account by username and submitted password
    $query = mysqli_query ($conn, "SELECT * FROM admin WHERE username='$username' AND password='$password'") OR DIE(mysqli_error($conn));
    $reader = mysqli_num_rows($query);

    if ($reader == 1) {
        $passwordQuery = mysqli_query ($conn, "SELECT password FROM admin WHERE username='$username' AND password='$password'") OR DIE(mysqli_error($conn));
        $row = mysqli_fetch_array($passwordQuery);
        $hashedPasswordFromDb = $row['password'];

        if (password_verify($password, $hashedPasswordFromDb)) {
            $query = mysqli_query ($conn, "SELECT id, student_number FROM admin WHERE username='$username' AND password='$password'") OR DIE(mysqli_error($conn));
            $row = mysqli_fetch_array($query);
            $id = $row['id'];
            $student_number = $row['student_number'];

            // Keep the account identifiers in the session
            $sesData = array('id' => $id, 'student_number' => $student_number);
            $_SESSION['ses_account'] = $sesData;

            mysqli_query ($conn, "UPDATE admin SET lastLogin=NOW() WHERE student_number='$student_number'");
            header("location: dashboard.php");
        } else {
            $msg = "User not recognized. Please try again.";
            $msg = urlencode($msg); // encode before placing it in the URL
            header("location: ../index.php?errmsg=$msg");
        }
    } else {
        $msg = "User not recognized. Please try again.";
        $msg = urlencode($msg); // encode before placing it in the URL
        header("location: ../index.php?errmsg=$msg");
    }
}
?>
Upvotes: 0
Views: 82
Reputation: 15827
I assume you are storing hashed passwords into the database (that's good) but here:
$query = mysqli_query ($conn, "SELECT * FROM admin WHERE username='$username' AND password='$password'") OR DIE(mysqli_error($conn));
you are fetching the user comparing a hashed password with a plain-text one. So the query will never return any row/user.
Here is how you should proceed to implement a very basic system for (1) registering a user and (2) checking for login.
First of all, use prepared statements instead of sanitizing input and then injecting strings into the query. You'll end up with safer and more readable code.
1. When you register a new user, store the username and the hashed (and possibly salted) password into the db.
2. When you check for login, hash/elaborate the plain text password you get as input (with the same process you implemented when performing registration), then make a single SELECT to get the user by username and finally check that the hashed password matches.
Assuming you're at least on PHP 5.5, use password_hash and password_verify to hash the password (password_hash) and check a plaintext password with a hashed one (password_verify).
Further reading here: Secure hash and salt for PHP passwords
Upvotes: 2
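The flow the answer describes (prepared statement, a single SELECT by username, then password_verify), as an added example that is not code from either post. It assumes PDO with an in-memory SQLite database in place of the question's mysqli connection so that it runs without a server; the `register` and `login` helpers and the sample user are constructed, and the table and column names follow the question.

```php
<?php
declare(strict_types=1);
// Added example: constructed schema and user; PDO + in-memory SQLite stand in
// for the question's mysqli/MySQL connection (an assumption, not the page's setup).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL,
    student_number TEXT NOT NULL
)');

// Registration: password_hash() picks a random salt and embeds it, together
// with the algorithm and cost, in the string stored in the password column.
function register(PDO $db, string $username, string $password, string $studentNumber): void
{
    $stmt = $db->prepare('INSERT INTO admin (username, password, student_number) VALUES (?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $studentNumber]);
}

// Login: fetch the row by username ONLY, then let password_verify() compare the
// plaintext input against the stored hash. Returns the account row (without
// the hash) on success and null for an unknown user or a wrong password.
function login(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, student_number, password FROM admin WHERE username = ?');
    $stmt->execute([$username]); // bound as data, no escaping or stripslashes needed
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // never carry the hash into the session
    return $row;
}

register($db, 'alice', 'correct horse battery staple', 'S-0001'); // constructed sample user

var_dump(login($db, 'alice', 'correct horse battery staple') !== null); // matching password
var_dump(login($db, 'alice', 'wrong password'));                        // wrong password
var_dump(login($db, "o'neil", 'anything'));                             // unknown user, quote handled as data
```

The password is passed to password_verify() exactly as submitted; escaping or otherwise altering it before hashing or verifying would change the value being checked.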