
Here is the register code where I put the hashed password in the database with a salt:

    <?php
    include '../database/connectDB.php';

    if (isset($_POST['submit'])) {
        $username = $_POST['leguser'];
        $password = $_POST['legpass'];
        $options = [
            'cost' => 11,
            'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
        ];
        $pwhash = password_hash($password, PASSWORD_DEFAULT, $options)."\n";

        $username = mysql_real_escape_string($username);
        $password = mysql_real_escape_string($password);

        $query = mysql_query("SELECT * FROM tbl_users WHERE fld_username = '". $username ."'");
        if (mysql_num_rows($query) > 0) {
            echo "<script>alert('Username already used!');</script>";
        } else {
            mysql_query("INSERT INTO `tbl_users`(fld_username,fld_password)
                VALUES ('$username','$pwhash')");
        }
    }
    ?>

Here is the login code where I verify the password:

    <?php
    $DB_HOST = 'localhost';
    $DB_USER = 'root';
    $DB_PASS = '';
    $DB_NAME = 'rsi_db';

    $conn = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
    if ($conn->connect_errno > 0) {
        die('Connection failed [' . $conn->connect_error . ']');
    }

    if (isset($_POST['submit'])) {
        $username = $_POST['user'];
        $password = $_POST['pass'];
        $sql = "SELECT * FROM tbl_users WHERE fld_username = '$username'";
        $result = $conn->query($sql);
        if ($result->num_rows === 1) {
            $row = $result->fetch_array(MYSQLI_ASSOC);
            if (password_verify($password, $row['fld_password'])) {
                echo "Match";
            } else {
                echo "not match";
            }
        }
    }
    ?>

At first I registered username = 1 and password = 1 and tried logging in, and it was a match, but when I tried registering a valid user and password, it didn't match. Can someone help me troubleshoot this further?

Thank you in advance. I am only a PHP beginner, so please don't be hard :)

2 Answers


There's one blank space in

$2y$11$H83GgNapOdRZvmVKYtW5.OwL3P4ju/fBHz/KlMIYCr.1M1hhzJbcO <-here

So if you limit it to 60, then voilà, the space is now gone.

Randyka Yudhistira

The trailing new line is your problem:

    $pwhash = password_hash($password, PASSWORD_DEFAULT, $options)."\n";
                                                                  ______

Just remove it from the line and it will save a 60-character string into your database. Another thing you should remove is the generation of the salt; the function itself will generate a safe salt for you then.

    $options = ['cost' => 11];
martinstoeckli
  • So I don't need the generation of the salt anymore then? Okay, I will remove it, thanks! :D – Vawn Harvey Galanza Jan 27 '15 at 09:43
  • @VawnHarveyGalanza - No, the function `password_hash()` will generate its own salt. Your salt with 22 bytes (binary string) is not even valid for BCrypt, though the function will correct it. – martinstoeckli Jan 27 '15 at 10:02
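As an added illustration (this is not code from the question or from either answer), the standalone PHP script below shows why the trailing `"\n"` makes `password_verify()` fail, the corrected hashing call without a manual salt, a sanity check on the value that would be stored in `fld_password`, and a prepared-statement lookup so the username is not interpolated into the SQL string. The table and column names are the ones from the question; the function names, the sample password and the helper `find_stored_hash()` are assumptions made for this example, and `find_stored_hash()` is not called here because it needs a live MySQL connection.

```php
<?php
// Added example, not from the question or the answers. Demonstrates the effect of
// the trailing "\n" on password_verify(), the corrected hashing call, a check on
// the stored value, and a prepared-statement lookup. Function names are assumptions.
declare(strict_types=1);

// The hashing call as posted in the question: the "\n" becomes part of the stored value.
function make_hash_buggy(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 11]) . "\n";
}

// Corrected call: no manual salt (password_hash() generates one itself) and no newline.
function make_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 11]);
}

// Problems with a value as it would be written to or read back from fld_password.
// An empty array means the value looks like a well-formed bcrypt hash.
function check_stored_hash(string $stored): array
{
    $problems = [];
    if ($stored !== trim($stored)) {
        $problems[] = 'surrounding whitespace (for example a trailing "\n")';
    }
    if (strlen($stored) !== 60) {
        $problems[] = 'length is ' . strlen($stored) . ', a bcrypt hash is 60 characters';
    }
    if (password_get_info($stored)['algoName'] === 'unknown') {
        $problems[] = 'password_get_info() does not recognise the hash format';
    }
    return $problems;
}

// Verify a login attempt. password_verify() runs crypt() with the stored value as
// the settings/salt and compares length as well as content, so a 61-byte stored
// value (60 + "\n") can never equal crypt()'s 60-byte output.
function check_login(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Look up fld_password with a prepared statement instead of building the SQL
// string from the username. Returns null when the username does not exist.
// Assumed helper; not executed in this script because it needs a live connection.
function find_stored_hash(mysqli $conn, string $username): ?string
{
    $stmt = $conn->prepare('SELECT fld_password FROM tbl_users WHERE fld_username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $stored : null;
}

// Demonstration with a constructed password and no database.
$password = 'correct horse battery staple';

$buggy = make_hash_buggy($password);
printf("buggy hash: length %d, verify=%s, problems: %s\n",
    strlen($buggy),
    check_login($password, $buggy) ? 'true' : 'false',
    implode('; ', check_stored_hash($buggy)) ?: 'none');

$good = make_hash($password);
printf("fixed hash: length %d, verify=%s, wrong-password verify=%s, problems: %s\n",
    strlen($good),
    check_login($password, $good) ? 'true' : 'false',
    check_login('not the password', $good) ? 'true' : 'false',
    implode('; ', check_stored_hash($good)) ?: 'none');

// If the cost is raised later, rehash on the next successful login.
if (password_needs_rehash($good, PASSWORD_DEFAULT, ['cost' => 12])) {
    $good = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}
```

Run it with `php` on the command line; the first line reports the buggy 61-character value failing verification and the second the 60-character value verifying. `check_stored_hash()` is the kind of guard worth running once over existing rows after fixing the register script, since any user created while the `"\n"` was present has a stored value that will never verify and needs a password reset.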