I created a login page, but when the code wants to verify the hashed password against the entered password, it shows me the error message.

```php
<?php
session_start();
$pdo = new PDO(xxxx);
if (isset($_GET['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $statement = $pdo->prepare('SELECT * FROM users WHERE username = :username');
    $result = $statement->execute(array('username' => $username));
    $user = $statement->fetch();
    // verify password
    if ($user !== false && password_verify($password, $user['passwort'])) {
        $_SESSION['userid'] = $user['id'];
        die('Login successful');
    } else {
        $errorMessage = "Login error";
    }
}

if (isset($errorMessage)) {
    echo $errorMessage;
}
?>
```

Now I edited the code with the help of Drew's manual, but it doesn't work either.

```php
<?php
session_start();
$pdo = new PDO(xxxxx);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
if (isset($_GET['login'])) {
    $username = $_POST['username'];
    $passwort = $_POST['password'];

    $query = $pdo->prepare("SELECT * FROM users WHERE username=:username");
    $query->bindParam(':username', $username);
    $query->execute();

    unset($_SESSION['username']);

    if (($row = $query->fetch()) && (password_verify($passwort, $row['passwort']))) {
        $_SESSION['username'] = $row['username'];
        //header("Location: ../../myaccount/myaccount.php");
        echo "hurray, you authenticated.<br/>";
    } else {
        //header("Location:../../login/login.php ");
        echo "invalid login<br/>";
    }
}
?>
```
Tim
  • Make sure you have the expected values for `$password` and `$user['passwort']`, also check to see you don't do any string manipulation (ie escaping) to the password in your registration code. – JimL Jun 18 '16 at 20:27
  • Is the password column really called *passwort*? (with a t) – Shira Jun 18 '16 at 20:28
  • Yes, it's because I'm German. In my table header it is written "passwort". – Tim Jun 18 '16 at 20:35
  • What fails `$user` or `password_verify($password, $user['passwort'])`? – chris85 Jun 18 '16 at 20:37
  • I have it [here](http://stackoverflow.com/a/32556010) all in one shot, easy to recreate. Note the fake registration chunk to jam the hash in the db for the test. PDO. – Drew Jun 18 '16 at 20:41
  • password_verify($password, $user['passwort']) – Tim Jun 18 '16 at 20:41
  • No, Drew's manual as you call it showed how you put the hash in the db to begin with. Then later retrieved it. And then verified. So you are not showing my manual :p – Drew Jun 18 '16 at 21:52
  • Okay can you tell me what I do wrong? – Tim Jun 19 '16 at 19:10

1 Answer

If you hashed the password and saved it in the database after the user's registration, then you should also undo that hash in order to validate the user on login. You compare $password = $_POST['password'] with its equivalent from the database after undoing the hash.

Darwin von Corax
  • You can't `undo` a `hash`. That's why you hash passwords. – chris85 Jun 18 '16 at 20:43
  • but when I echo $password, it shows me the entered password. And when I echo $user['passwort'] it shows me the hashed password. – Tim Jun 18 '16 at 20:46
  • Just accept the duplicate target I threw out at the Top of your question and do that. And read the manual. It is not rocket science. – Drew Jun 18 '16 at 20:48
  • If you hash what you retrieve from your database, you should get the original password string the user used during registration. – Tigpezeghe Rodrige Jun 18 '16 at 21:09
  • And why doesn't it work? – Tim Jun 18 '16 at 21:13
  • @TigpezegheRodrige a hash is a one-way function. You don't *get* the original password back. You verify. Read the manual about it. There is no, ever, *getting* of the original password back. – Drew Jun 18 '16 at 21:50
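As an added example (mine, not code from the question, the answer, or Drew's linked post), here is the hash-at-registration, verify-at-login flow the comments describe, run against an in-memory SQLite database so it works without a MySQL server; the username, password and the truncated-hash check at the end are constructed for the demo.

```php
<?php
// Added example, not code from the question or any answer: one register/login
// round trip with password_hash()/password_verify() against an in-memory SQLite
// database (needs the pdo_sqlite extension), so no MySQL server is required.
// Table and column names follow the question; the user and password are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, passwort TEXT)');

function registerUser(PDO $pdo, string $username, string $password): void
{
    // Hash the password exactly as submitted: no trim(), no escaping, no md5() first.
    // password_hash() salts and hashes; the result (60 chars for bcrypt) is what is stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, passwort) VALUES (:u, :p)');
    $stmt->execute(['u' => $username, 'p' => $hash]);
}

function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->execute(['u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The hash is never reversed: password_verify() re-hashes the candidate with the
    // salt embedded in the stored hash and compares. An unknown username takes the
    // same false branch, so the response does not reveal which part was wrong.
    return $row !== false && password_verify($password, $row['passwort']);
}

registerUser($pdo, 'tim', 'correct horse battery staple');
echo 'right password: ', var_export(loginUser($pdo, 'tim', 'correct horse battery staple'), true), PHP_EOL;
echo 'wrong password: ', var_export(loginUser($pdo, 'tim', 'wrong password'), true), PHP_EOL;
echo 'unknown user:   ', var_export(loginUser($pdo, 'nobody', 'anything'), true), PHP_EOL;

// Check worth running when verify always fails although echo shows a hash: a column
// narrower than the hash (e.g. VARCHAR(50) in MySQL without strict mode) may store
// a truncated string, which can never verify. Simulated here by cutting the hash.
$stored = $pdo->query("SELECT passwort FROM users WHERE username = 'tim'")->fetchColumn();
echo 'stored hash length: ', strlen($stored), PHP_EOL;
$truncated = substr($stored, 0, 50);
echo 'truncated hash verifies: ', var_export(password_verify('correct horse battery staple', $truncated), true), PHP_EOL;
```

Comparing `strlen()` of the stored value with the length of a fresh `password_hash()` output is the quickest way to rule out the column-width problem in a real MySQL table.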