-1

I am having some problems with verifying the password when users are logging in to my application - this is a work in progress and I am fully aware that the security isn't complete and is open to attack, but it isn't published; I am testing at the moment.

I have hashed the password using: `password_hash($password, PASSWORD_DEFAULT);`

I am now looking to verify this but my script seems to fail and I know where but am not sure what I need to change in order for the verification to happen as I have changed from procedural to OOP.

```php
$email = mysqli_real_escape_string($con, $_POST['email']);
$password = mysqli_real_escape_string($con, $_POST['password']);


$query = "SELECT * FROM users WHERE (email = '". $email ."') AND password = '". $password ."'" ;
$result = $con->query($query);

if ($result->num_rows === 1) {
    $row = $result->fetch_array(MYSQLI_ASSOC);
    if (password_verify($password, $row['password'])) {

            $_SESSION['email'] = $email;
            $_SESSION['id'] = $id;
                $row = mysqli_fetch_assoc($result);
            $_SESSION['email'] = $row['email'];
            $_SESSION['id'] = $row['id'];

            header('Location: ../dashboard/index');

            }else{
                header('Location: ../index.php?message=Email address or password is incorrect');
            }

}
```

I know that the script is failing inside of the if statement where the verification happens as it serves me a blank page on the login script file (above). I simply echoed out 'hi' to test and it is the session script that seems to be the issue here.

PhpDude
  • You shouldn't escape the password like that (`mysqli_real_escape_string`). – PeeHaa Oct 19 '16 at 10:48
  • Also you cannot query based on the password because the password is hashed with a unique salt. You should just query based on username and compare the hash in that record to the user supplied password. – PeeHaa Oct 19 '16 at 10:49
  • @PeeHaa I did remove that initially to see if it was that, but again I am more concerned about the way it's working over the security right now as stated. – PhpDude Oct 19 '16 at 10:49
  • @PeeHaa so could you offer me an olive branch as to what the issue is here...? – PhpDude Oct 19 '16 at 10:50
  • I just told you what the issue is. – PeeHaa Oct 19 '16 at 10:50
  • @PeeHaa according to this you can... https://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/ – PhpDude Oct 19 '16 at 10:51
  • Or this... http://stackoverflow.com/questions/26536293/php-password-hash-password-verify – PhpDude Oct 19 '16 at 10:52
  • if you get 0+ results then you verify password with simply update query doesn't require call a function – ImBhavin95 Oct 19 '16 at 10:56
  • @BhavinSasapra I am a little confused as to what you mean sorry? – PhpDude Oct 19 '16 at 10:58

1 Answer

1

Change these two lines and it should work.

```php
$password = mysqli_real_escape_string($con, $_POST['password']);
$password = $_POST['password'];
```

```php
$query = "SELECT * FROM users WHERE (email = '". $email ."') AND password = '". $password ."'" ;
$query = "SELECT * FROM users WHERE (email = '". $email ."')" ;
```

You will not be able to select the password from the one submitted via the post as the stored one is hashed.

You should only have a single entry in your table per email, however you could check that the number of rows returned is equal to one if you wanted.

Blinkydamo
  • Hi, thanks for the suggestion, now when I hit submit it just returns back to the login page I was on – PhpDude Oct 19 '16 at 10:57
  • have a look at the var_dump( $result ); and see if it contains the hashed password. – Blinkydamo Oct 19 '16 at 11:01
  • It appears not no, see here: object(mysqli_result)#2 (5) { ["current_field"]=> int(0) ["field_count"]=> int(5) ["lengths"]=> NULL ["num_rows"]=> int(1) ["type"]=> int(0) } – PhpDude Oct 19 '16 at 11:02
  • Sorry `var_dump( $row );` – Blinkydamo Oct 19 '16 at 11:09
  • Yes it returns the hashed password: I placed it after `$row = $result->fetch_array(MYSQLI_ASSOC);` – PhpDude Oct 19 '16 at 11:12
  • That's why I believe it is the session handling in the IF statement that's causing my issues here. – PhpDude Oct 19 '16 at 11:14
  • So if it is getting the hashed password from the database is it passing the `password_verify()` if you placed `var_dump( "Die" );die;` inside the if does it die? – Blinkydamo Oct 19 '16 at 11:17
  • It does what I expected it to do and gives me `string(3) "Die"` – PhpDude Oct 19 '16 at 11:18
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/126112/discussion-between-dan-and-blinkydamo). – PhpDude Oct 19 '16 at 11:18
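
The lookup-then-verify flow described in the answer and comments, as an added example that is not code from the original posts: the user is selected by email only through a prepared statement, and the raw password goes to `password_verify()`. It assumes PDO with an in-memory SQLite table in place of the page's mysqli connection so it runs without a database server; `attempt_login()`, the sample account and the use of `addslashes()` as a stand-in for `mysqli_real_escape_string()` are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the MySQL `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');
$insert = $db->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
$insert->execute(['alice@example.test', password_hash("it's a \"secret\"", PASSWORD_DEFAULT)]);

// Hypothetical helper: returns ['id', 'email'] on success, null on any failure.
function attempt_login(PDO $db, string $email, string $password): ?array
{
    // Look the user up by email only; a salted hash can never be matched
    // against the submitted password inside a WHERE clause.
    $stmt = $db->prepare('SELECT id, email, password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // fetch once; a second fetch has no row left

    // Verify the raw, unescaped password against the stored hash.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }

    // Upgrade the stored hash if PASSWORD_DEFAULT has changed since it was created.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $update = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $update->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }

    return ['id' => (int) $row['id'], 'email' => $row['email']];
}

// Constructed attempts: the real password, the same password after escaping, a wrong one.
$attempts = [
    'raw password'     => "it's a \"secret\"",
    'escaped password' => addslashes("it's a \"secret\""), // stand-in for mysqli_real_escape_string()
    'wrong password'   => 'wrong',
];
foreach ($attempts as $label => $pw) {
    $user = attempt_login($db, 'alice@example.test', $pw);
    echo $label . ': ' . ($user !== null ? "accepted, id={$user['id']}" : 'rejected') . "\n";
}
```

In a login script, a non-null result is the point to call `session_regenerate_id(true)`, set the session values from the returned row, send the `Location` header and then `exit`.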