
After successfully verifying that the username exists in the database, I need to verify whether the password matches as well. Therefore, I need to retrieve the hashed password from the database, right? Or do I have other choices?

I'm using the PHP 5.5 bcrypt API for hashing. My code gives me a 500 internal server error when I get the password from the database. How do I do this correctly?

Here's my PHP code:

// If found username, check password, else respond invalid username
if($countRows!==0){
    // Get hash from database
    // Prepare statement
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ?');

    // Bind
    $stmt->bind_param('s', $ps_username);

    // Set Parameters
    $ps_username  = $username;

    // Execute
    $hash = $stmt->execute();

    // Check password
    if (!password_verify($password, $hash)) {
        if($error != ""){
            $error .= '<br>';
        }
        $error .= 'The user or password you entered do not match, please try again.';
    }
    else {
        echo 'OK';
        // Session start
        // Redirect user to profile/homepage
    }
}

And can someone recommend something from which I can learn SQL commands? I can't find a good place for that.

J13t0u

1 Answer

execute() does not return any column data. It returns a boolean (true/false). This is where your code block first fails:

    $hash = $stmt->execute();

You can view examples on how to fetch data from the result set here: http://php.net/manual/en/mysqli-stmt.fetch.php

An example being:

$stmt->execute();
$stmt->bind_result($hash);
$stmt->fetch();

In response to:

And can someone recommend something that I can learn SQL commands?

This is pretty much off topic for Stack Overflow, but the PHP manual for mysqli can show you how to use the mysqli API fairly well with plenty of examples. If you want to learn the Structured Query Language itself, then there are plenty of external resources for that, including MySQL's documentation.

Devon Bessemer

OK, thank you. This means my prepared statement is correctly written. That's good to hear, because the tutorial I watched didn't really teach me how the commands work, so I just went on the assumption that these commands can be mixed together. – J13t0u Feb 19 '16 at 15:12
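The full lookup the answer describes, written out as an added example (not code from the question or the answer): execute() only reports success, so the stored hash is read with bind_result() and fetch(), then compared with password_verify(). It assumes the `users` table with `username` and `password` columns from the question and an existing mysqli connection in `$conn`; the connection parameters and credentials at the bottom are constructed placeholders. It also goes a step beyond the question: one SELECT replaces the separate row-count query, and an unknown username still costs one bcrypt verification so the response time does not reveal which usernames exist.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing silently. A prepare() that
// returns false (typo in the SQL, missing column) then shows up as a clear
// error in the log rather than an unexplained 500 further down the script.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Returns true only if $username exists and $password matches its stored
 * bcrypt hash. The caller should report one generic "user or password does
 * not match" message for both failure cases.
 */
function checkLogin(mysqli $conn, string $username, string $password): bool
{
    // Bcrypt hash of a throwaway string, computed once per process. It is
    // used only to spend the same time on unknown usernames as on known ones.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_BCRYPT);
    }

    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();            // returns true/false, never the row

    $stmt->bind_result($hash);   // bind the single selected column
    $found = $stmt->fetch();     // true = a row was read, null = no such user
    $stmt->close();

    if ($found !== true) {
        // Unknown user: run the same cost function, then fail.
        password_verify($password, $dummyHash);
        return false;
    }

    return password_verify($password, $hash);
}

// Usage with constructed values. Replace the connection details with your own.
$conn = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$conn->set_charset('utf8mb4');

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (checkLogin($conn, $username, $password)) {
    // session_start(); $_SESSION['user'] = $username; redirect to the profile page
    echo 'OK';
} else {
    $error = 'The user or password you entered do not match, please try again.';
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
}
```

The original code fetched the hash only after a separate query had counted matching rows; with one SELECT the null return from fetch() already answers "does this user exist?", and the dummy password_verify() keeps that answer from leaking through timing. The generic error message is escaped before output because it is echoed into HTML.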