
This question is noted as a duplicate and I don't believe it to be as I haven't found any solutions that work for me; but the answer noted is about error posting - this question doesn't regard anything to do with code syntax errors; simply: How do I get a stored hashed password to match the password entered down the road on a login screen?

I'm using PHP 5.5.9 and here is my database info:

Apache/2.4.7 (Ubuntu) Database client version: libmysql - mysqlnd 5.0.11-dev - 20120503 - $Id: bf9ad53b11c9a57efdb1057292d73b928b8c5c77 $

Server type: MySQL Server version: 5.5.44-0ubuntu0.14.04.1 - (Ubuntu)

PHP extension: MySQLi

I'm starting off by saying I'm barely even a beginner (not even a nOOb) and I'm starting with MySQLi. I am aware of PDOs, but this is the skeleton form what I'm using right now for a login screen and it's been days of me losing more and more hair.

Any tips on the following would be very, very much appreciated and thank you in advance.

I can't get the passwords to match (users are inserted into the database using this code: ---> )

    $password = $_POST['password'];
    $hash = password_hash($password, PASSWORD_DEFAULT);

The $hash value is inserted into the database and looks fine on phpMyAdmin. Then the basic, basic login screen asking for credentials and I always get the 'password doesn't match' failure:

    <?php

    require_once 'scripts/app_config.php';
    require_once 'scripts/database_connection_tbt.php';

    // Only run the lookup once the form has been submitted
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $username = mysqli_real_escape_string($db, trim($_POST['username']));
        // The password goes to password_verify() untouched (no trim, no escaping)
        $password = $_POST['password'];

        // Look up the user
        $query = sprintf("SELECT user_id, username, password FROM pax " .
                         "WHERE username = '%s' ",
                         $username);

        $result = mysqli_query($db, $query);
        // mysqli_query() returns false on failure, so guard the fetch
        $row = $result ? mysqli_fetch_assoc($result) : null;

        if ($row) {
            $hash = $row['password'];
            if (password_verify($password, $hash)) {
                echo "<br><br>Password match <br><br>";
            } else {
                echo "<br><br>Password doesn't match<br><br>";
            }
        }
    }

    ?>

    <html>
        <body>
            <form action="" method="POST">
                <label for="username">Username:</label>
                <input type="text" name="username" id="username"><br><br>
                <label for="password">Password:</label>
                <input type="password" name="password" id="password"><br><br>
                <input type="submit" value="Please God, please.">
            </form>
        </body>
    </html>

Matt

  • provide us code of the `password_verify` function, please – Eugene Nezhuta Aug 14 '15 at 20:08
  • You are never selecting the password in your query (only user_id and username). Enable error reporting so that mistakes like this can be seen – PeeHaa Aug 14 '15 at 20:08
  • @EugeneNezhuta that's a built in php function – ksealey Aug 14 '15 at 20:10
  • @Matt omg, sorry, that's true... my bad. – Eugene Nezhuta Aug 14 '15 at 20:25
  • Thank you @PeeHaa - I added the password column to my SQL query and I still get no matching. The rest of the code is running, as I do get to the echo stage of the code; so I am just baffled. Plumb baffled. – Matt Aug 14 '15 at 23:39
  • I also turned on debugging via the topic noted in the 'marked as duplicate' thread; there's no syntax error when I run the script (after I POST the results, that is) and my beloved 'passwords don't match' pops up. – Matt Aug 15 '15 at 00:28
  • I'm wondering if it is the username not the password causing the problem. Are you sure the query is finding the user record? You don't seem to be testing to see if $row contains anything. – Elin Aug 15 '15 at 01:03
  • Sorry - I have been echoing out the contents of the array on my own and various row values and every single one turns up exactly as it's supposed to, except that hashed password. – Matt Aug 15 '15 at 01:10
  • Can you use some password like "password" and show us the hash that is stored and what you get if you hash the password from the request? – Elin Aug 15 '15 at 01:56
  • @Elin - here are the values I got (knowing that the password I entered on the form is the exact same as the password I made in the database): Password entered has a value of: $2y$10$.FCJ.i7IVn0yyv7d6U6HKe9Qga4rnQKmmA6DttRQW/DexSVzcVzIq Password stored in database has a value of: $2y$10$p9RVHi4uGA5mTfRmC8uZaer2qMDx3vYrmCkXKR./6Fqh/dg.n9cAW – Matt Aug 15 '15 at 02:39
  • And you are positive you are not escaping the password before saving? I just looked at a lot of mine, and I think that first one does not look right. Can you try this and see what hash you are getting? https://www.dailycred.com/article/bcrypt-calculator – Elin Aug 15 '15 at 09:37
  • @Elin - I'm definitely not escaping anything. Passwords come from a straight $_POST value, no trim or escapes. I'll take a look at the link... – Matt Aug 15 '15 at 14:30
  • Crazy idea but maybe the cost is being set manually when you are storing. – Elin Aug 15 '15 at 18:02
  • I just edited the code to have a cost of 10 on both the sign in page and this password test page(and added a new user) and still can't get a match. – Matt Aug 15 '15 at 19:14
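
Added example (not part of the original question or its comments): a stand-alone PHP check of the points raised in the thread, namely comparing two hashes by eye, escaping the password before storing it, and a stored value that comes back altered. `check_stored_hash()` is a hypothetical helper, the sample password and the altered values are constructed, and it assumes `PASSWORD_DEFAULT` is bcrypt, as on the asker's PHP 5.5.

```php
<?php
// Added example, not code from the question. check_stored_hash() is a
// hypothetical helper; sample values are constructed. Assumes PASSWORD_DEFAULT
// is bcrypt, as on the asker's PHP 5.5.

// Report what password_verify() will make of a value read back from storage.
function check_stored_hash($password, $stored)
{
    $findings = array();
    $info = password_get_info($stored);
    if ($info['algoName'] !== 'bcrypt') {
        $findings[] = 'not recognised as bcrypt (algoName=' . $info['algoName'] . ')';
    }
    if (strlen($stored) !== 60) {
        $findings[] = 'length ' . strlen($stored) . ', bcrypt output is 60 characters';
    }
    if ($stored !== trim($stored)) {
        $findings[] = 'whitespace around the hash';
    }
    $findings[] = password_verify($password, $stored) ? 'MATCH' : 'NO MATCH';
    return $findings;
}

$password = "correct horse's battery";   // constructed sample password
$stored   = password_hash($password, PASSWORD_DEFAULT);

// Each call picks a new random salt, so a fresh hash of the same password
// never equals the stored one; only password_verify() can compare them.
$fresh = password_hash($password, PASSWORD_DEFAULT);
echo 'fresh hash equals stored hash: ', var_export($fresh === $stored, true), "\n";
echo 'password_verify on stored hash: ', var_export(password_verify($password, $stored), true), "\n\n";

// Constructed ways the stored value or the input can be altered in transit.
$cases = array(
    'stored intact'               => array($password, $stored),
    'column shorter than 60'      => array($password, substr($stored, 0, 50)),
    'trailing space on the hash'  => array($password, $stored . ' '),
    'password escaped at sign-up' => array($password,
        password_hash(addslashes($password), PASSWORD_DEFAULT)),
);
foreach ($cases as $label => $case) {
    echo str_pad($label, 30), implode('; ', check_stored_hash($case[0], $case[1])), "\n";
}
```

Running the helper on the value read back from the `pax` table, with the password exactly as received from `$_POST`, shows whether any of these cases applies.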
