
I am a newbie and I was trying to create a login system using PHP and MySQL. After finishing the registration form and adding a few users, I was trying to create a login form, but it always returns false, saying "Your username or password is incorrect!". Below is my code. It would be great if someone could help me. Sorry in advance if my doubt is too basic :/

```php
<?php
    session_start();
    include '.\includes\functions\db.php';
?>

<?php
    $username = strtolower(mysqli_real_escape_string($db, $_POST['username']));
    $password = strtolower(mysqli_real_escape_string($db, $_POST['password']));

    $sql        = "SELECT * FROM users WHERE username = '$username' ";
    $result     = mysqli_query($db, $sql);
    $row        = mysqli_fetch_assoc($result);
    $hash_pwd   = $row['password'];
    echo $hash_pwd;
    echo $password;
    $hash       = password_verify($password, $hash_pwd);

    if ($hash ==0) {
        header("Location: ./index.php?error=check");
        exit();
    }else {
        $sql = "SELECT * FROM user WHERE username = '$username' AND password = '$hash_pwd'";
        $result = mysqli_query($db, $sql);
        if (mysqli_num_rows($result) == 0) {
            echo "Your username or password is incorrect!";
        }else {
            $_SESSION['id'] = $row['id'];
            $_SESSION['username'] = $row['username'];
        }
        //header("Location: ./index.php");
    }
?>
```

And my registration page is as follows:

```php
<?php
//This Page is for registration of users
?>

<?php
// this php tag is for all includes
include '.\includes\functions\db.php';

?>

<?php
//print isset($_POST["submit"]);
//Getting all details inserted in form
if(isset($_POST["register"])){
    $username   = $_POST['username'];
    $firstname  = $_POST['firstname'];
    $lastname   = $_POST['lastname'];
    $email      = $_POST['email'];
    $password   = $_POST['password'];
    $date       = date('Y-m-d H:i:s');

    //Encrypting and Securing received data
    $username               = strtolower(mysqli_real_escape_string($db, $username));
    $firstname              = strtolower(mysqli_real_escape_string($db, $firstname));
    $lastname               = strtolower(mysqli_real_escape_string($db, $lastname));
    $email                  = strtolower(mysqli_real_escape_string($db, $email));
    $password               = strtolower(mysqli_real_escape_string($db, $password));
    $encryptedpassword      = password_hash($password, PASSWORD_DEFAULT);

    //To check duplication of email ids
    $sql        = "SELECT email FROM users WHERE email='$email'";
    $result     = mysqli_query($db, $sql);
    $row        = mysqli_num_rows($result);//$row will return count of rows if any duplicate email ids are found

    //To check duplication of usernames
    $sql2       = "SELECT username FROM users WHERE username='$username'";
    $result2    = mysqli_query($db, $sql2);
    $row2        = mysqli_num_rows($result2);//$row2 will return count of rows if any duplicate usernames are found

    //conditions to check what all duplicates are found
    if($row > 0 && $row2 >0){
        echo "Sorry...This email id and username is already taken!!!";
    } elseif ($row > 0 ) {
        echo "Sorry...This email id is already taken!";
    } elseif ($row2 > 0) {
        echo "Sorry...This Username is already taken!";
    }else {
        $query  = mysqli_query($db, "INSERT INTO users (username, firstname, lastname, password, email, regdate) VALUES
        ('$username', '$firstname', '$lastname', '$encryptedpassword', '$email', '$date')");
        if($query){
            echo "Thank You! you are now registered.";
        }
    }
}

?>
```
chris85
Rishad
  • *sigh* `strtolower(mysqli_real_escape_string($db, $_POST['password']));` is a bad start. Please show your password_hash code too where you store it in the DB. – Jonnix Nov 16 '16 at 16:44
  • Thanks for mentioning my mistake. I have added my register.php file also for reference. – Rishad Nov 16 '16 at 16:48
  • Why do you need the second query? You already know the hash came from the record you are querying.. – chris85 Nov 16 '16 at 16:49
  • MySQL is (typically) case-insensitive, so your `strtolower` calls are unnecessary. Additionally, if my password were `PassWord` but I could log in with `PaSsWoRd`, you would be getting a very serious talking-to. – Niet the Dark Absol Nov 16 '16 at 16:50
  • Yeah, @chris85 is right. You've done a SELECT to get the user, so you know that's fine, and you've verified the password is correct using password_verify. That query is what is breaking your flow. – Jonnix Nov 16 '16 at 16:52
  • I don't get you. If you meant `echo $hash_pwd;`, I added that just to check errors with my limited knowledge. My bad :/ – Rishad Nov 16 '16 at 16:52
  • `password_verify` returns true if the password is correct or false if not, it doesn't return another hash for you to then compare. You're trying to force an old ideology onto the more recent API. In your case, `password_verify` seems to be returning true, so the password was correct. – Jonnix Nov 16 '16 at 16:54
  • What should I do to correct this code? If someone could help me :) – Rishad Nov 16 '16 at 16:55
  • @Rishad Is this your own code? It sounds like you don't really understand what it's doing? – Jonnix Nov 16 '16 at 16:57
  • Why do you have two different tables "users" and "user"? I believe you should have just one table "users". Check your SQL select queries. – gradosevic Nov 16 '16 at 16:57
  • Check the size of the column you're saving the hash in the table. It might be too small, leading to the generated hash (during registration) being truncated. Just a possibility. – Amir Nov 16 '16 at 16:58
  • @JonStirling: I tried to create this code with some help from online articles and YouTube videos. – Rishad Nov 16 '16 at 16:59
  • @gradosevic: Thanks for mentioning that. Now my error message is `Notice: Undefined index: id in R:\Softwares\xampp\htdocs\rishad\eazyacc\login.php on line 31` – Rishad Nov 16 '16 at 17:03
  • You should check login.php:31 and find something like "$anything['id']". wrap it out with if(isset($anything['id'])){//your code} – gradosevic Nov 16 '16 at 17:16
  • Is your column named `id`, `userid`, or something else? Add the scheme. – chris85 Nov 16 '16 at 17:26
  • Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Nov 16 '16 at 17:36
  • [Proper Password Hashing with PHP](http://jayblanchard.net/proper_password_hashing_with_PHP.html) – Jay Blanchard Nov 16 '16 at 17:38
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Nov 16 '16 at 17:38
  • @chris85: it's userid <3 – Rishad Nov 16 '16 at 17:43
  • Okay, so you know what to change now and the question is all set? – chris85 Nov 16 '16 at 17:44
  • yeah :) you and @gradosevic made my day :) <3 – Rishad Nov 16 '16 at 17:46

1 Answer


The error in my code is because of the password = '$hash_pwd' condition in my where clause. When I retrieved the row with the given username and later verified the password using PHP, it works as intended. I guess a password hashed in PHP using password_hash() cannot be retrieved and verified like encryption. Anyway, thanks for all of your responses.

Rishad
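The points raised in the comments (one lookup by username, `password_verify()` as the only password check, no escaping or lowercasing of the password, bound parameters instead of string interpolation) fit together as in the following added example, which is not code from the question or its answer. It assumes PDO with an in-memory SQLite database so that it runs without a MySQL server; the function names `register_user` and `check_login` are hypothetical, the credentials are constructed, and the `userid` column name is taken from the comments.

```php
<?php
declare(strict_types=1);

// Constructed demo database: in-memory SQLite stands in for the MySQL `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 255 characters leaves room for hash formats PASSWORD_DEFAULT may produce later,
// so a stored hash is never truncated.
$db->exec('CREATE TABLE users (
    userid   INTEGER PRIMARY KEY,
    username VARCHAR(64)  NOT NULL UNIQUE,
    password VARCHAR(255) NOT NULL
)');

function register_user(PDO $db, string $username, string $password): void
{
    // Hash the password exactly as typed: no escaping, no strtolower().
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    // SQLite compares text case-sensitively, so the username is normalised here.
    $stmt->execute([strtolower($username), $hash]);
}

// Returns the user's row (without the hash) on success, null on any failure.
function check_login(PDO $db, string $username, string $password): ?array
{
    // One query with a bound parameter: fetch the row by username only.
    $stmt = $db->prepare('SELECT userid, username, password FROM users WHERE username = ?');
    $stmt->execute([strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() returns a bool; no second query comparing hashes is needed.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // do not carry the hash into the session
    return $row;
}

// Constructed sample credentials: mixed case and a quote character.
register_user($db, 'Rishad', "Pa'ssWord1");

var_dump(check_login($db, 'rishad', "Pa'ssWord1") !== null); // correct password
var_dump(check_login($db, 'rishad', "pa'ssword1") !== null); // same letters, wrong case
var_dump(check_login($db, 'nobody', "Pa'ssWord1") !== null); // unknown user
```

In the login page itself, a non-null result is the point at which to call `session_regenerate_id(true)` and set `$_SESSION['id']` from `$row['userid']`.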