-1

I cannot verify a password using password_verify. I used BCRYPT for password hashing. Help me find the mistake in this code, and how do I bind variables in the select statement below?

<?php
    if (isset($_POST['submit'])) {
        // echo "ok";
        $con = connect();
        $email = $_POST['email_id'];
        $pass_word = $_POST['pass_word'];
        if ($con) {
            $query = mysqli_query($con,"select * from login where email_id='".$email."'");
            $rows = mysqli_num_rows($query);
            if ($query) {
                $row = mysqli_fetch_assoc($query);
                if ($row) {
                    $hash = $row['password'];
                    if (password_verify($pass_word,$hash) {
                        echo '<strong>Successful' ;
                    } else {
                        echo "Invalid Password";
                    }
                }
            }
        } else {
            die("Connection Error");
        }
    }
?>
Nikolay Mihaylov
shubhamj
  • Please close this with the typo reason (my CV aged away). Answering typo questions in the comments and then CVing typo would be what I would do (as opposed to writing up an answer post). You don't get rep, but it's better for the community. – starball Nov 04 '22 at 08:58

3 Answers

2

missing parenthesis:

change here

if(password_verify($pass_word,$hash)

to

if(password_verify($pass_word,$hash))

Extended as requested:

"select * from login where email_id='".$email."'";

becomes

"select * from login where email_id= ?";

which is passed to the $mysqli::prepare:

$stmt = $con->prepare("SELECT * FROM login WHERE email_id= ?");
$stmt->bind_param("s", $email); // "s" is a format string: one "s" per bound parameter, meaning string
$stmt->execute();
$result = $stmt->get_result(); // then fetch with $result->fetch_assoc() and close the statement
$stmt->close();
Afsar
  • Actually it was due to a copying mistake. Then I realized that I had not hashed all the passwords, so it was not working. Thanks anyway. How do I bind variables in the select statement? – shubhamj Jun 29 '16 at 04:57
  • `"select * from login where email_id=$email"` this will work as the query is in double quotes and you can use interpolation – Afsar Jun 29 '16 at 05:00
  • Read this, http://stackoverflow.com/questions/16790501/php-variable-interpolation-vs-concatenation, it will help you – Afsar Jun 29 '16 at 05:00
  • No, I mean how do I use bind_param(), prepare() in this case – shubhamj Jun 29 '16 at 05:03
2

You need a closing parenthesis here in

if(password_verify($pass_word,$hash)

Also, your query is exposed to SQL injection; prepare it and bind the parameter with

$query = $con->prepare("select * from login where email_id=?"); // mysqli::prepare takes only the SQL string
$query->bind_param('s', $email); // change 's' to 'i' if you are expecting an integer
$query->execute(); // execute the query
PacMan
2

Use this to bind the parameter:

$stmt = $con->prepare("select * from login where email_id=?");
$stmt->bind_param("s", $email);
$stmt->execute();
Passionate Coder
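The three answers above each show the prepared-statement fragment; as an added example that is not from the question or any of the answers, here is the asker's login block rewritten end to end with the parameter bound, the row fetched through get_result(), and the hash checked with password_verify. It assumes a `login` table with columns `email_id` and `password` (the latter holding password_hash() output, which is what the asker found was missing for some rows), and the connection credentials are placeholders.

```php
<?php
// Added example, not the code of the question or of any answer on this page.
// Assumptions: table `login` (email_id, password), where `password` stores a
// hash produced by password_hash(); connection credentials are placeholders.

declare(strict_types=1);

// Throw mysqli_sql_exception on errors instead of returning false silently,
// so a failed prepare() or execute() cannot be mistaken for "no such user".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Placeholder credentials; replace with the real ones.
    return new mysqli('localhost', 'db_user', 'db_password', 'db_name');
}

// Used at registration: password_verify() only succeeds against a hash that
// password_hash() produced, never against a plain-text value in the column.
function store_password(mysqli $con, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // bcrypt by default
    $stmt = $con->prepare('INSERT INTO login (email_id, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash); // two string parameters
    $stmt->execute();
    $stmt->close();
}

// Returns true when $email exists and $password matches its stored hash.
function check_login(mysqli $con, string $email, string $password): bool
{
    // The "?" placeholder is bound below; $email is never spliced into the SQL.
    $stmt = $con->prepare('SELECT password FROM login WHERE email_id = ?');
    $stmt->bind_param('s', $email); // 's' = one string parameter
    $stmt->execute();

    // get_result() (needs the mysqlnd driver) returns a mysqli_result, so the
    // row can be fetched as an array without binding every column by hand.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($password, $row['password'])) {
        return false;
    }

    // Hash verified; upgrade it in place if PHP's default cost has increased.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE login SET password = ? WHERE email_id = ?');
        $upd->bind_param('ss', $newHash, $email);
        $upd->execute();
        $upd->close();
    }
    return true;
}

if (isset($_POST['submit'])) {
    $con = connect();
    $email = (string) ($_POST['email_id'] ?? '');
    $pass_word = (string) ($_POST['pass_word'] ?? '');

    if (check_login($con, $email, $pass_word)) {
        echo '<strong>Successful</strong>';
    } else {
        // One message for both "unknown email" and "wrong password", so the
        // response does not reveal which addresses have an account.
        echo 'Invalid email or password';
    }
    $con->close();
}
```

The type string passed to bind_param has one letter per placeholder ('s' string, 'i' integer, 'd' double, 'b' blob), which is why the UPDATE binds with 'ss'. If get_result() is unavailable (no mysqlnd), bind_result() works instead, but it then needs exactly one variable per selected column, which is why the SELECT names the single column it needs rather than using `*`.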