PHP Password Verification w/ BCrypt

Question

I'm having some problems with my user authentication system, what am I doing wrong?

I'm trying to query the database for a password stored on there, check if the password on the database is the same as the one entered on the login page and then I'll add functionality from there.

But it just doesn't work. It repeatedly fails and prints out "Sorry, try again."

login.php

$email = $_POST['email'];
$userpass = $_POST['password'];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$getpass = "SELECT password FROM users WHERE email = $email";
$hash = mysqli_query($conn, $getpass);


if(password_verify($userpass, $hash)) {
    echo "You're in.";
} else {
    echo "Sorry, try again.";
}

register.php

 // Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) 
{
    die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully <br>";

$email = $_POST['email'];
$userpass = $_POST['password'];

$options = [
    'cost' => 12,
];

$hash = password_hash($userpass, PASSWORD_BCRYPT, $options);

$register = "INSERT INTO users (registered_on, email, password) VALUES (CURRENT_TIMESTAMP, '$email','$hash')";

if ($conn->query($register) === TRUE)
{
    echo "New record created successfully";
} else 
{
    echo "Error: " . $register . "<br>" . $conn->error;
}

// Closes connection
$conn->close();

I have a hunch it is to do with how I am querying the database.

note from comment: The password_verify function is a built-in PHP function

Or what you're trying to verify... It looks like you're trying to verify the entire hash returned from the query rather than the password value... try changing to if(password_verify($userpass, $hash["password"])) { — dbinns66, Apr 13 '15 at 14:20
I assumed I couldn't with BCrypt, because its one way. I think that may be my major flaw, maybe I should move to another algorithm. — Gregory Worrall, Apr 13 '15 at 14:28
Check what value `$hash` contains after the database call in *login.php*. Is it the same `password_hash()` produced? If not, investigate why not. If yes, post an (made up) example of a password and a hash that fail in `password_verify()`. — tmt, Apr 13 '15 at 14:29
The password_verify function is a built-in PHP function, I didn't write it. — Gregory Worrall, Apr 13 '15 at 14:43
I'm having problems getting any sort of hash back from the database from that query, it just won't echo anything. — Gregory Worrall, Apr 13 '15 at 14:43
Then you need to investigate why the DB call is not returning the hash. Start by checking the table record content with some DB administration tool. — tmt, Apr 13 '15 at 14:57

score 1 · Answer 1 · edited May 23 '17 at 10:24

1

You miss quotes around the email here:

$getpass = "SELECT password FROM users WHERE email = '$email'";

hence your query not returning a hash, and the password_verify not able to verify the password

you can see this answer for greater details about quotes

As a very important side-note, I encourage you to carefully read this other answer on how to prevent sql injection as your code seem to be pretty injectable.

Please understand that using mysqli in itself is not a protection against injection, only by using prepared statements and parameterized queries will you be protected.

edited May 23 '17 at 10:24

Community

1
1

answered Apr 13 '15 at 18:25

Félix Adriyel Gagnon-Grenier

8,422
10
52
65

Thank you very much. Not only did you point out my silly mistake, you've saved me a hell of a lot of trouble in the future. Thank you. – Gregory Worrall Apr 14 '15 at 20:33
My pleasure. And don't be put off by the duplicate mark. Looking onward to your further contributions! – Félix Adriyel Gagnon-Grenier Apr 14 '15 at 20:46

PHP Password Verification w/ BCrypt

1 Answers1