-1

I cannot get this here to work for some odd reason. I have a PHP function that takes the values from the inputs and test attempts to log in the user. The problem seems to be happening when the password_verify method is called. I did research, but with success. Code below:

function login($_email, $_pass){
    global $con;
    // The e-mail is interpolated straight into the SQL string (see the
    // answers below about why that is a problem).
    $query = "SELECT * FROM users WHERE user_email = '$_email'";
    $results = mysqli_query($con, $query) or die("Connection could not be established");
    if (mysqli_num_rows($results) == 1){
        $row = mysqli_fetch_assoc($results);
        // user_pass is expected to hold a password_hash() result
        $hased_pass = $row['user_pass'];
        if (password_verify($_pass, $hased_pass)){
            $_SESSION['name'] = $row['user_name'];
            $_SESSION['email'] = $row['user_email'];
            return true;
        }
    }
    //soft_logout();
    return false;
}

My PHP version is 5.5.20.

RiggsFolly
meddy
  • Make sure you have the right value returned for `$row['user_pass']` by doing `var_dump($row['user_pass']);` first. – samayo Sep 13 '15 at 16:36
  • So what is your actual problem? _I cannot get this here to work for some odd reason._ is not a good description of your problem. What is it doing? What is it not doing? Are there any error messages in the `php error log`? Remember, we are not **clairvoyant** and we are **not looking over your shoulder**. – RiggsFolly Sep 13 '15 at 16:37
  • @RiggsFolly Actually that is the quintessential model question for SO. – samayo Sep 13 '15 at 16:40
  • @samayo Rubbish!! We don't know what's being passed in as parameters! We don't know what is happening! We don't even know for sure that the `user_pass` column from the database was actually `password_hash()`ed in the first place. This is anything BUT a _model question_. – RiggsFolly Sep 13 '15 at 16:44
  • OK, what is being passed into the function is the value of an input of type email and the value of an input of type password. The user_pass is a column in a table that has the password stored, and it's hashed inside the DB. What seems to be happening is that the password value coming into the function is different from the hashed password from the DB. I was trying to keep it simple, as this method has worked for me before with no problems. – meddy Sep 13 '15 at 16:56
  • Then the stored hash isn't correct. Nothing that could be figured out from the shown excerpt alone. – mario Sep 13 '15 at 17:02

2 Answers

0

Reading your code, I see two possibilities for trouble. One is that no row in your database matches the user-furnished username variable. The other is that the hashed password stored in your database was created in some way other than password_hash. http://php.net/manual/en/function.password-hash.php

That could happen for a number of reasons. One subtle reason: sometimes hashed passwords contain special characters which cause PHP grief. Read the user-contributed note on this page. http://php.net/manual/en/function.password-verify.php

To troubleshoot this, you might try some unit tests that hash and immediately verify passwords.

By the way, what will happen if your user presents the user name as follows?

  Badman';DELETE FROM USERS;/*neener neener neener ur pwned*/

Your code is vulnerable.

O. Jones
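The two points in this answer, a hash-then-verify self-test and the injectable query, in working form. This is an added example, not the asker's code or anything from the answer: it assumes `$con` is an open `mysqli` object and a `users` table with `user_email`, `user_pass` (a `password_hash()` result) and `user_name` columns, and stays within PHP 5.5 syntax since that is the version the question names. The function and helper names (`login_safe`, `hash_roundtrip_ok`, `looks_like_password_hash`) are made up here.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes $con is a
// connected mysqli object and the users table described in the question.

// Same login flow, but the e-mail is a bound parameter instead of being
// spliced into the SQL. The "Badman';DELETE FROM USERS;/*...*/" input from
// the answer is then just a string the query compares against user_email.
function login_safe(mysqli $con, $email, $password)
{
    $stmt = $con->prepare(
        'SELECT user_name, user_email, user_pass FROM users WHERE user_email = ?'
    );
    if ($stmt === false) {
        // Surface the real error instead of the misleading "Connection could
        // not be established" from the original or die() construct.
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    // bind_result() works without mysqlnd, unlike get_result().
    $stmt->bind_result($name, $storedEmail, $storedHash);
    $found = $stmt->fetch();   // true for a matching row, null for none
    $stmt->close();

    // password_verify() returns false for a missing row's null hash as well as
    // for anything that is not a hash it understands (a plaintext password or
    // an md5 digest written by an older signup routine).
    if ($found !== true || !password_verify($password, $storedHash)) {
        return false;
    }
    $_SESSION['name']  = $name;
    $_SESSION['email'] = $storedEmail;
    return true;
}

// The unit test the answer suggests: hash a password and verify it right
// away, independent of the database. If this fails, the query is not the bug.
function hash_roundtrip_ok($password = 'constructed sample password')
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    return password_verify($password, $hash)
        && !password_verify($password . 'x', $hash);
}

// Check what is actually stored in user_pass. password_get_info() reports an
// empty algorithm for anything that is not a recognised hash; a bcrypt hash is
// 60 characters, so a VARCHAR column narrower than that truncates it and
// verification fails for every user.
function looks_like_password_hash($stored)
{
    $info = password_get_info($stored);
    return !empty($info['algo']) && strlen($stored) >= 60;
}

// Usage (constructed values): run the self-test first, then inspect the stored
// column before blaming password_verify().
// var_dump(hash_roundtrip_ok());                                  // bool(true)
// var_dump(looks_like_password_hash('$2y$10$' . str_repeat('a', 53))); // bool(true)
// var_dump(looks_like_password_hash(md5('secret')));             // bool(false)
```

The bound parameter removes the injection the answer points at; the two helpers separate "this PHP build cannot round-trip a hash" from "the value in the table was never a password_hash() output", which were the two possibilities listed above.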
0

OK guys, you were all right; more of the code was needed. The problem was that when I added an extra parameter to my prepare statement, I left out a comma, and that would be hard to detect with the code posted above. It's working fine now. Thanks to all who helped out, and I wish I could give all the credit to those who participated.

meddy