Why doesn't my password validation work?

Question

I'm making a login screen for my blog but when it has to validate the hash it fails. I have googled a lot watched here and asked a few class mates but it still fails. When you submit you get the alert

Wrong password or username!

How can I fix this?

this is my login script

<?php
include_once('resources/db.php');

$sql = "SELECT username, password FROM users WHERE username = :username";
$query = $db->prepare($sql);
$query->execute(array(":username" => $_POST['username']));
$user = $query->fetch(PDO::FETCH_ASSOC);


if ( isset( $_POST['submit'] )) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $hash_password = $user['password'];

    if ( password_verify($password, $hash_password)) {
        if ($query->rowCount() == 1){
            echo "chrisschotman is ingelogd";
        } else {
            echo "<script type=\"text/javascript\">alert('Wrong username!')</script>";
        }
    } else {
        echo "<script type=\"text/javascript\">alert('Wrong password or username!')</script>";
    }
}
?>

this is my login form

<form action="" method="post">
    <input type="text" placeholder="username" name="username"maxlength="24"><br>
    <input type="password" placeholder="password" name="password" minlength="8"
           maxlength="16"><br>
    <input type="submit" value="login" name="submit">
</form>

this is my registration script

<?php
include_once('resources/db.php');

// var_dump($_POST);
$query = $db->prepare('insert into users (`username`, `password`, `privileges`) values(?, ?, ?)');



$query =$db->prepare('select * from users');

$query->execute();

?>

//here is the registration form

<?php

if (isset($_POST)) {
    include_once('resources/db.php');

    $sql = "INSERT INTO users (`username`, `password`) VALUES (:username, :password)";
    $query = $db->prepare($sql);
    $query->execute(array(
        ':username' => $_POST['username'],
        ':password' => password_hash($_POST['password'], PASSWORD_DEFAULT)
    ));

    if ($query) {

        echo "Registered succefully";
    } else {

        echo "Occured and error";
    }
}

?>

database structure

database rows

Just to verify, your `$password` variable is a non-hashed password and `$saved_password` a hashed password? — Lixus, Apr 22 '17 at 15:19
Hashed usually longer than 16 charters. I realize that it's on the HTML but are you sure that it's also not enforced on the field in the database? — Ilia Ross, Apr 22 '17 at 15:20
get sure you have unique `username` field in the users table. Make debug output for the `$user`. All the PDO routine should be in body of the `if (isset($_POST'submit']))`. — Deadooshka, Apr 22 '17 at 16:37
@C.Schotman Your question is well structured, and it is clear what you are asking, you did not deserve the downvote. Good luck with your project. — Florian Moser, Apr 22 '17 at 21:38

getl0st · Accepted Answer · 2017-04-22T17:04:26.937

0

Change the database row to varchar(255)

$sql = "SELECT username, password FROM users WHERE username = :username";
$query = $db->prepare($sql);
$query->execute(array(":username" => $_POST['username']));
$user = $query->fetch(PDO::FETCH_ASSOC);

And try this registration:

<?php

$db = new PDO('mysql:host=localhost;dbname=' . $db_name . ',' . $db_user . ',' . $db_pass);

if (isset($_POST)) {
    include_once('resources/db.php');

    $sql = "INSERT INTO users (`username`, `password`) VALUES (:username, :password)";
    $query = $db->prepare($sql);
    $query->execute(array(
            ':username' => $_POST['username'],
            ':password' => password_hash($_POST['password'], PASSWORD_DEFAULT)
    ));

    if ($query) {

        echo "Registered succefully";
    } else {

        echo "Occured and error";
    }
}

edited Apr 22 '17 at 17:04

answered Apr 22 '17 at 15:21

getl0st

342
1
10

This isn't an answer. If you have a question for the OP, you should comment on their question. – heylookltsme Apr 22 '17 at 15:22
I can't comment :l – getl0st Apr 22 '17 at 15:24
you're right I missed that but than is the question how do I get the hashed_password from the server – C.Schotman Apr 22 '17 at 15:24
You'r query should be like this $sql = "SELECT username, password FROM users WHERE username = :username"; – getl0st Apr 22 '17 at 15:26
Answer a few questions and you CAN comment. Until then, don't – mplungjan Apr 22 '17 at 15:26
And the execute $query->execute(array(":username" => $_POST['username')); – getl0st Apr 22 '17 at 15:26
@getl0st update your answer with the code instead of commenting on your own non-answer – mplungjan Apr 22 '17 at 15:27
Thanks captain obvious, just trying to help the guy - mplungjan – getl0st Apr 22 '17 at 15:27
Half of your code doesn't work, you just copied everything from the web without even knowing how it does work. Edit your answer and put everything you have. – getl0st Apr 22 '17 at 16:12
I did edit the code and this is all, but I'm not so good in php – C.Schotman Apr 22 '17 at 16:16
How does your database look like and could you provide a link? – getl0st Apr 22 '17 at 16:20
db_host = localhost db_name = cschotman db_tables = users, posts user_collumns = username, password, user_id – C.Schotman Apr 22 '17 at 16:23
did that and stil the same alert – C.Schotman Apr 22 '17 at 16:41
Do you have phpmyadmin, and if so , can you show me the table? – getl0st Apr 22 '17 at 16:43
image is inside the question – C.Schotman Apr 22 '17 at 16:56
Change your password row and username to varchar(255) – getl0st Apr 22 '17 at 16:58
I had to do that indeed on 255 but the problem is not gone – C.Schotman Apr 22 '17 at 17:01
Show me a picture of the rows – getl0st Apr 22 '17 at 17:05
it is added to the question – C.Schotman Apr 22 '17 at 17:10
I looked in the database and the hash was shorter then it should. so thanks – C.Schotman Apr 22 '17 at 18:25

Why doesn't my password validation work?

1 Answers1