//index.php
<html>
<head>
<!-- declare utf-8 charset / html5 doctype -->
<link rel="stylesheet" type="text/css" href="style.css">
<link rel="stylesheet" type="text/css" href="cssreset.css">
</head>
<body>
<form action="login.php" method="POST">
username: <input type="text" name="usernamebox" required> <br>
password: <input type="password" name="passwordboxlogin" required> <br>
<input type="submit" value="Login">
</form>

<form action="register.php">
    <input type="submit" value="Click here if you want to register">
</form>


</body>
</html>

//login.php

<?php
session_start();

error_reporting(E_ALL);

include ('connect.php');

$username = $_POST['usernamebox'];
$password = $_POST['passwordboxlogin'];
$_SESSION['usernamebox'] = $username; // note: set before the password has been checked

//$db->query("SELECT * FROM `users` WHERE `username` = '$username'");
//
//$db->query("SELECT * FROM `users` WHERE `password` = '$password'"); 

//new

// $hash holds the SQL text itself here; the query is never sent to the database
$hash = "SELECT password FROM users WHERE username= '$username' ";

// compares the submitted password against the query string, not a stored hash
if (password_verify($password, $hash)) 
{
    echo 'Password is valid!';
    //header("Location: userpage.php");
} 
else 
{
    echo 'Invalid password.';
}

?>
<html>
<head>
    <link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>


</body>
</html>

I'm an IT student and I can't seem to get this password_verify() function to work.

I'm basically trying to compare a password hash in mysqli with the password given in the POST form in login.php. The password is hashed correctly to my database.

Mike
Derikoe
  • You're not actually retrieving the password from the database... you're simply creating a string containing the SQL query, but not executing it; and then comparing that string with the entered password – Mark Baker Apr 03 '15 at 16:13
  • Password in database is VARCHAR(64)... Thanks Mark! I'll try to solve it – Derikoe Apr 03 '15 at 16:22

1 Answer

You're going about the function wrong. You need to take a password, and a hashed password and then compare the two. You want something like this:

// a bcrypt hash as stored by password_hash(); this one is the PHP manual's example
$hash = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

// password_verify() takes the plaintext and the stored hash, in that order
if (password_verify('rasmuslerdorf', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

So first you would have to query the database and get the hashed password and then compare it. In your example, you're hashing the actual query string itself.

MrTechie
  • $select = "SELECT password FROM users WHERE username= '$username'";
    $resultaat = $db->query($select);
    if ($resultaat->num_rows > 0) {
        while ($rij = $resultaat->fetch_assoc()) {
            if (password_verify($password, $rij['password'])) {
                echo 'Password is valid!';
                //header("Location: userpage.php");
            } else {
                echo 'Invalid password.';
            }
        }
    }
    Apparently the code above does work... thanks a lot!!! I tried to select all the code above and press Ctrl+K (I'm trying to be a good user) but it didn't work. Please explain how to Ctrl+K in comments, if you want of course ;) – Derikoe Apr 03 '15 at 18:34
  • Mark actually had the correct answer first because I was already trying to compare $password = $_POST['passwordboxlogin']; to $hash (which I meant to contain the query) but you def helped. Thank you. I really appreciate your help as well MrTechie! – Derikoe Apr 03 '15 at 18:35
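The following login.php is an added example, not code from the asker or from MrTechie. It follows the answer's advice (run the query, fetch the stored hash, then call password_verify()) but replaces the string-interpolated SQL from the question and the follow-up comment with a prepared statement, sets the session only after a successful check, and uses one generic failure message. It assumes, as the original's commented-out `$db->query(...)` lines do, that connect.php creates `$db` as a mysqli connection, that the `users` table has `username` and `password` columns with `password` holding password_hash() output, and that userpage.php is the post-login page. The dummy hash used for the "no such user" path is the PHP manual's example hash quoted in the answer above; any valid bcrypt hash would do. Requires PHP 7 or later.

```php
<?php
// login.php (added example; assumes connect.php defines $db as a mysqli object)
session_start();
error_reporting(E_ALL);
include 'connect.php';

// Any valid bcrypt hash; this is the PHP manual's example hash from the answer.
// Used so that a lookup for a non-existent user still pays the bcrypt cost,
// which keeps "no such user" and "wrong password" indistinguishable by timing.
const DUMMY_HASH = '$2y$07$BCryptRequires22Chrcte/VlQH0piJtjXl.0t1XkA8pw9dMXTpOq';

function authenticate(mysqli $db, string $username, string $password): bool
{
    // The username is bound as a parameter; it is never spliced into the SQL
    // text the way "... WHERE username= '$username'" in the question does.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $storedHash = null;
    $stmt->bind_result($storedHash);
    $found = ($stmt->fetch() === true);   // true when a row was fetched
    $stmt->close();

    // Always run password_verify() so the missing-user path costs the same.
    $hashToCheck = $found ? $storedHash : DUMMY_HASH;
    $ok = password_verify($password, $hashToCheck) && $found;

    if ($ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // Opportunistic upgrade if the default algorithm or cost has changed
        // since this hash was created; the plaintext is only in hand right now.
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        if ($upd !== false) {
            $upd->bind_param('ss', $newHash, $username);
            $upd->execute();
            $upd->close();
        }
    }
    return $ok;
}

$username = $_POST['usernamebox'] ?? '';
$password = $_POST['passwordboxlogin'] ?? '';

if ($username === '' || $password === '') {
    http_response_code(400);
    exit('Username and password are required.');
}

if (authenticate($db, $username, $password)) {
    session_regenerate_id(true);           // fresh session id after login
    $_SESSION['usernamebox'] = $username;  // set only after the check succeeds
    header('Location: userpage.php');
    exit;
}

// Same message whether the user is unknown or the password is wrong.
http_response_code(401);
echo 'Invalid username or password.';
```

Two points worth checking against the question's setup: bcrypt hashes produced by password_hash() are 60 characters, so the VARCHAR(64) column mentioned in the comments fits today, but the PHP manual recommends 255 because PASSWORD_DEFAULT may change to a longer format in a future release; and the original login.php stored the username in `$_SESSION` before verifying the password, which the example above defers until after a successful check.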