CODEWITHSUNDEEP
phpmysqlsqlmysqli
Pal Dhillon
Pal Dhillon

Reputation: 93

Password_verify is not verifying the hash in the database

I'm trying to log a user in but I get an error every time I try to verify the password. The username is verified just fine. My password is stored by password_hash in the database. For example, let's say I signup a username 'thisIsAUser' and the password is 'thisIsAUsersPassword'. The hash would be something like: $2y$10$VR5FKZVLP6/43adb1PsGD.bsmrzp15jdftotz6xubDQtypZ1rKEFW. The error would be the else statement of the if(password_verify). Notice that the else statement of the username not matching has a '.' at the end while the password not matching has a '!'.

Logging in script:

<?php 
session_start();
            
$link = mysqli_connect("localhost", "root", "Yuvraj123", "KingOfQuiz");
if(mysqli_connect_error()) {
    die("Couldn't connect to the database. try again later.");
} 
    
$query = "SELECT * FROM `users`";
    
if($result = mysqli_query($link, $query)) {
    $row = mysqli_fetch_array($result);
}
            
// define variables and set to empty values
$loginSignupButton = "";
$loginUsername = "";
$loginPassword = "";
       
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $loginUsername = form_input($_POST["loginUsername"]);
    $loginPassword = form_input($_POST["loginPassword"]);
    $loginSignupButton = form_input($_POST["loginSignupButton"]);
}
    
function form_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
        
// define variables and set to empty values
$loginUsernameError = "";
$loginPasswordError = "";
$error = "";
$loggingInUsername = "";
$unhashedPasswordThingyMajig = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["loginUsername"])) {
        $loginUsernameError = "<p style='color: red'>Username is required</p>";
        echo $loginUsernameError;
    } else {
        $loginUsername = form_input($_POST["loginUsername"]);
    }
    if (empty($_POST["loginPassword"])) {
        $loginPasswordError = "<p style='color: red'>Password is required</p>";
        echo $loginPasswordError;
    } else {
        $loginPassword = form_input($_POST["loginPassword"]);
    }
    
    if($_POST['loginActive'] == "0") {
                  
        $query = "SELECT * FROM users WHERE username = '". mysqli_real_escape_string($link, $_POST['loginUsername'])."' LIMIT 1"; 
        $result = mysqli_query($link, $query);
        if(mysqli_num_rows($result) > 0) {
            $error = "<p style='color: red'>That username is already taken.</p>";
            echo $error;
        } else {
            header ('location: signup.php');
        }
    } elseif($_POST['loginActive'] == "1") {
        $sql = "
                    SELECT *
                    FROM users
                    WHERE username = ?
                "; 
        $query  = mysqli_prepare($link, $sql);
        mysqli_stmt_bind_param($query, "s", $_POST["loginUsername"]);
        mysqli_stmt_execute($query);
        $result = mysqli_stmt_get_result($query);
                
        if (mysqli_num_rows($result)) {
            $logInPassword = $_POST['loginPassword'];
            if(password_verify($logInPassword, $row['password'])) {
                echo "Hello World!";
            } else {
                $error = "<p style='color: red'> The Password and Username combination Is not Valid!</p>";
                echo $error;
            }
        } else {
            $error = "<p style='color: red'> The Password and Username combination Is not Valid.</p>";
            echo $error;
        }   
    } 
}
?>

Form(This is the logging in one, not the signup):

<div class="modal fade" id="exampleModal" tabindex="-1" aria-labelledby="exampleModalLabel" aria-hidden="true">
  <div class="modal-dialog">
    <div class="modal-content">
      <div class="modal-header" id="LoginModalTitle">
        <h5 class="modal-title" id="exampleModalLabel LoginModalTitle">Login</h5>
        <button type="button" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true" style="color: white">&times;</span>
        </button>
      </div>
      <div class="modal-body">
        <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" id="modal-details">
      <div class="form-group">
        <input type="hidden" id="loginActive" name="loginActive" value="1">
        <label for="loginUsername">Username</label>
        <input type="text" class="form-control formInput" id="inputUsername" placeholder="Eg: RealKingOfQuiz" name="loginUsername" autocomplete="off" required>
        <p><span class="error"><?php echo $loginUsernameError;?></span><p>
      </div>
      <div class="form-group">
        <label for="loginPassword">Password</label>
        <input type="password" class="form-control formInput" id="inputPassword" name="loginPassword" required autocomplete="on">
        <small><a href="" id="forgotPassword" style="color: blue; text-decoration: none">Forgot Password?</a></small>
        <p><span class="error"><?php echo $loginPasswordError;?></span></p>
      </div>
        <p><span class="error"><?php echo $error;?></span></p>
        <div class="alert alert-danger" id="loginAlert"></div>
        </form>
      </div>
      <div class="modal-footer">
        <a id="toggleLogin">Sign Up?</a>
        <button type="button" class="btn btn-secondary" data-dismiss="modal">Cancel</button>
        <button class="btn btn-success" id="LoginSignUpButton" name="loginSignupButton" form="modal-details" disabled>Login</button>
        </div>
    </div>
  </div>
</div>

Upvotes: 1

Views: 89

Answers (2)

Steven
Steven

Reputation: 6148

If you update the section of code from...

$result = mysqli_stmt_get_result($query);

...to the end of the code block with the below; then it should work.

The problem is that you're reading the password from the wrong result set.

$result     = mysqli_stmt_get_result($query);
$dbPassword = mysqli_fetch_assoc($result)["password"] ?? null;

if ($dbPassword) {
    $logInPassword = $_POST['loginPassword'];
    if(password_verify($logInPassword, $dbPassword)) {
        echo "Hello World!";
    } else {
        $error = "<p style='color: red'> The Password and Username combination Is not Valid!</p>";
        echo $error;
    }
} else {
    $error = "<p style='color: red'> The Password and Username combination Is not Valid.</p>";
    echo $error;
}

Upvotes: 3

Barmar
Barmar

Reputation: 780655

You never fetched the row for the user logging in. When you check $row['password'] it's checking the first password in the table, which came from the SELECT * FROM users query at the beginning of the script.

You need to call mysqli_fetch_assoc() after querying for the row for the user.

        if (mysqli_num_rows($result)) {
            $logInPassword = $_POST['loginPassword'];
            $row = mysqli_fetch_assoc($result);
            if(password_verify($logInPassword, $row['password'])) {
                echo "Hello World!";
            } else {
                $error = "<p style='color: red'> The Password and Username combination Is not Valid!</p>";
                echo $error;
            }
        } else {
            $error = "<p style='color: red'> The Password and Username combination Is not Valid.</p>";
            echo $error;
        }

Upvotes: 1

Related Questions