Password hashing not working in php mysql

Question

I am trying to use password hashing using phpmysql. The issue is password_verify does not seem to work for me so far. Say, my password during registration is '123456789'. I stored it in database using

    password_hash('123456789', PASSWORD_BCRYPT, array('cost' => 12));

And then when I enter '123456789' in the login field, it does nothing, fails.

Here is my code:

<?php
        session_start();
        include('db.php');        
?>

<!DOCTYPE html>

<head>

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="viewport" content="width=device-width,initial-scale=1" />
    <link rel="stylesheet" type="text/css" href="style.css"/>

</head>

<body>

<p/>

<?php

    if(isset($_POST['login']) && $_POST['login'] == 'Login') {

        $loginEmail = $_POST['loginEmail'];
        $loginPassword = $_POST['loginPassword'];

        $sqlLogin = $db->prepare("SELECT * FROM registered_users WHERE email = ?");

        $sqlLogin->bind_param("s",$loginEmail);
        $sqlLogin->execute();
        $sqlLogin = $sqlLogin->get_result();
        $numrowsLogin = $sqlLogin->num_rows;

        if($numrowsLogin == 1) {
            $rowLogin = $sqlLogin->fetch_assoc(); 
            $stored_password = $rowLogin['password'];

        }
        if(password_verify($loginPassword, $stored_password)){


           header('Location: homepage.php'); 
        }else{
            echo 'invalid login';
        }      

    }         
?>


    <form action = "<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
        <table style="width:500px">                        
            <tr>
                <td width="30%"><input style="width: 200px; height: 25px; border-radius: 5px;" type="text" name="loginEmail" placeholder = "Email" required/><br/></td>
            </tr>                    
            <tr>
                <td width="30%"><input style="width: 200px; height: 25px; border-radius: 5px;" type="password"  name="loginPassword" placeholder = "Password" required/><br/></td>
            </tr>
        </table>

        <input style="font-weight: bold; width: 70px; height: 25px; border-radius: 5px;" type="submit" name="login" value="Login"/>
    </form>

</body>

</html>

done any basic debugging, like checking if your query succeeds and returns a stored hash? and note that you're vulnerable to XSS attacks by using `$_SERVER['PHP_SELF']` in your form's `action`. — Marc B, Jul 06 '16 at 14:12
You need to add `exit;` after any `header('location: ...');`-call since we want to stop outputting stuff to the browser at this point. — M. Eriksson, Jul 06 '16 at 14:14
Marc : used error_reporting(E_ALL); ini_set('display_errors','1'); Nothing yet — Bishwaroop Chakraborty, Jul 06 '16 at 14:18
Does this row `if($numrowsLogin == 1)` ever validate as `true`? — M. Eriksson, Jul 06 '16 at 14:20
Just realized that you have HTML before this block. You can't have a `header('location: ...')` after any output to the browser. Headers must be sent before any other output to the browser. You need to move your login-check to the top of the page, before the `` tag and any other output. — M. Eriksson, Jul 06 '16 at 14:24
Plus, if the password column is anything less than 60, MySQL will fail silently. — Funk Forty Niner, Jul 06 '16 at 14:26
@Fred Li : less than 60, like what? you the password length? — Bishwaroop Chakraborty, Jul 06 '16 at 14:27
example from http://php.net/manual/en/function.password-hash.php `$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a` is 60 chars. What's yours and the length of the password column? less than 60? if so, that's the problem. Too short and your code failed silently because of it and you need to start over with a new hash after altering the column's length. @BishwaroopChakraborty — Funk Forty Niner, Jul 06 '16 at 14:28
@BishwaroopChakraborty reload my above comment, I edited it a few times. I will delete this comment shortly. Ping me back if that's what the problem was. — Funk Forty Niner, Jul 06 '16 at 14:34
@Fred Li : thanks, that worked for me. My password column length in the database was 50. updated it and works now, thankyou once again!! — Bishwaroop Chakraborty, Jul 06 '16 at 14:37
@BishwaroopChakraborty I'll post an answer then and you can mark it as solved. you're welcome, glad I was of help. — Funk Forty Niner, Jul 06 '16 at 14:37
Please read the comments in the answer by @fred. You will never again have this issue. — Ryan Vincent, Jul 06 '16 at 15:28

score 3 · Answer 1 · edited May 23 '17 at 11:52

3

@Fred Li : thanks, that worked for me. My password column length in the database was 50. updated it and works now, thankyou once again!! – Bishwaroop Chakraborty"

As discussed in commments:

Example from http://php.net/manual/en/function.password-hash.php

$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a is 60 chars.

Your password column's length is less than 60 and that's the problem.

It's too short and your code failed silently because of it and you need to start over with a new hash after altering the column's length.

The manual says that 255 is a good bet.

Notes:

Pay attention to other comments left in regards to XSS injection.

Here are a few good articles:

and to add exit; after header. Otherwise, your code may want to continue to execute.

edited May 23 '17 at 11:52

Community

1
1

answered Jul 06 '16 at 14:39

Funk Forty Niner

74,450
15
68
141

1

imo, just use a `varchar` field of 255. The cost is one byte extra and this fault would never have happened. imo, never use exact length character / varchar fields in a database. – Ryan Vincent Jul 06 '16 at 15:21
1

@RyanVincent Exactly; I wrote a short note about the manual saying it's "a good bet" ;-) Thanks for your comment btw. – Funk Forty Niner Jul 06 '16 at 15:24
Sorry, @fred, I meant it for the OP ;-/ finger trouble – Ryan Vincent Jul 06 '16 at 15:26
@RyanVincent No worries :-) – Funk Forty Niner Jul 06 '16 at 15:27

score 0 · Answer 2 · edited Oct 13 '20 at 13:59

0

In the event that new comers are still getting errors with this after verifying sufficient data storage (for example:varchar255)

Be sure to use the unhashed string in the verify-password function.

verify_password($unhashed-string, $hashed-string)

I lost a few hours sleep passing a hashed string into first parameter of the function.

edited Oct 13 '20 at 13:59

Karan

1,146
1
10
24

answered Oct 13 '20 at 11:04

Roberto Cannella

1
1
2

Viral Ghodadara · Answer 3 · 2020-11-06T02:48:55.243

I am using blowfish algorithm for hashing password. It has run successfully for me, so you can try this.

<?php

$pass = "test678";

$hash = password_hash($pass, PASSWORD_BCRYPT);  //password_hash() function hash given password

$matchpass = "test678";

$match = password_verify($matchpass, $hash); // password_verify() function hash given boolean value if password can match so it return 1 otherwise 0

if ($match == true) {
    echo "Password can match successfully......";
} else {
    echo "Password cannot match please try again.";
}

?>

OUTPUT:

Password can match successfully......

Password hashing not working in php mysql

3 Answers3

Linked

Related