0

I am new to MySQL and have a simple question:

I am building a page where users need to login to a site and when they login I want to check:

  1. if their email is already in the db and
  2. if the password they entered matches the registered one.

So far I have the following which should cover the first part but I am not sure how I can refer to the password that I selected from the db so that I can set up an if / else then for the comparison.

Can someone help me with this ?
Also, if there is a better way to approach this please let me know as well.

My SQL:

$conn = new mysqli($dbServer, $dbUser, $dbPass, $dbName);
$conn->set_charset("utf8");
if($conn->connect_error){
    die("Connection failed: " . $conn->connect_error);
}
$email = $_POST["email"];
$pw = password_hash($_POST["pw"], PASSWORD_BCRYPT); 

$stmt = $conn->prepare("SELECT email, pw FROM Users WHERE email = ?");
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result();
if(mysqli_num_rows($result) = 0){
    echo "Email has not been registered yet";
}else{
    if(
        // compare pw with $pw
    }
}
$conn->close();

Many thanks in advance.

TaneMahuta
  • 367
  • 3
  • 8
  • 17
  • I believe you should find your answer in [How do you use bcrypt for password hashing in PHP](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php), which has clear examples using `password_verify()` to check the password returned from the database. – Michael Berkowski Jun 23 '15 at 19:16
  • 1
    Rereading your question - do you need help with _fetching_ the password hash value from the MySQLi statement, via `$result->fetch_assoc()` in addition to validating it with `password_verify()`? I notice now that you don't actually have code to fetch the password value from the result set. – Michael Berkowski Jun 23 '15 at 19:18
  • Thanks. I am not sure about the whole piece. The Select gets me the email and the password (pw) and I then check if the email was already in the db. I also have the hashed password that the user entered ($pw) but I don't know how to compare the two so that I can say he entered the right or wrong one. The password in the db is stored hashed as well so they should match if he entered the correct one I would guess since they are hashed the same way. – TaneMahuta Jun 23 '15 at 19:31
  • 1
    They actually won't match because a second call to `password_hash()` on the POST value will have a different salt. You can compare the input to the database with `if (password_verify($_POST['pw'], $row['pw']))` after fetching `$row`. – Michael Berkowski Jun 23 '15 at 19:47
  • @MichaelBerkowski: Thanks a lot for this - this is very helpful ! Will definitely apply ! – TaneMahuta Jun 24 '15 at 05:45

2 Answers2

1

Try this one:

$conn = new mysqli($dbServer, $dbUser, $dbPass, $dbName);
$conn->set_charset("utf8");
if($conn->connect_error){
die("Connection failed: " . $conn->connect_error);
}
$email = $_POST["email"];
$pw = password_hash($_POST["pw"], PASSWORD_BCRYPT); 

$stmt = $conn->prepare("SELECT email, pw FROM Users WHERE email = ?");
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result();
if(mysqli_num_rows($result) = 0){
echo "Email has not been registered yet";
}else{
if($pw===$result['pw']){
   //password matched
  }
else { //password wrong
}

}
}
$conn->close();
Clyde Winux
  • 285
  • 1
  • 3
  • 12
  • This works - thanks so much ! I thought it would be something more difficult here with the password but it looks like that's all I needed here. :) – TaneMahuta Jun 23 '15 at 19:38
  • 2
    You should not use `$pw == $result['pw']`. When comparing the password, do not call `password_hash()` in the value from POST. Instead use `if (password_verify($_POST['pw'], $result['pw'])` because calling `password_hash()` would generate a different salt and the input value hashed will not match the one in the database. So you should only call `password_hash()` when initially storing the password. Afterward, use `password_verify()` to check it. [Examples here](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – Michael Berkowski Jun 23 '15 at 19:44
  • @MichaelBerkowski: Thanks a lot for this - this is very helpful ! Will definitely apply ! – TaneMahuta Jun 24 '15 at 04:32
  • @ClydeWinux: As per the comments from Michael Berkowski and dajnz I have to use password_verify here which makes sense to me so I am going to accept the other answer for this but voted yours up, hope that's ok. Thanks again for your help ! – TaneMahuta Jun 24 '15 at 04:37
  • @TaneMahuta yeah i definitely agree. Mine's too basic and can be risky. I just showed you ways of comparison. Goodluck ! – Clyde Winux Jun 24 '15 at 04:40
1

Your $result var in instance of mysqli_result class, so use it's method fetch_assoc() (as Michael Berkowski said) to get assoc array with keys 'email' and 'pw', according to your sql. Then you can easily check if your password matches with hash from your db, using password_verify($pass, $hash) -> bool, as other answer already said.

Brian Tompsett - 汤莱恩
  • 5,753
  • 72
  • 57
  • 129
dajnz
  • 1,178
  • 1
  • 8
  • 20
  • Thanks a lot for this as well ! This and the comments from Michael Berkowski make sense to me and I am currently trying to implement this. – TaneMahuta Jun 24 '15 at 05:46