
I was trying to build a login app. I have successfully stored the data from the signup form using `password_hash($password , PASSWORD_BCRYPT);` but I have trouble verifying the password using the `password_verify()` function in reg.php. Please help me get out of this problem.

reg.php

```php
<?php

$postdata = file_get_contents("php://input");
$request = json_decode($postdata);
$email = $request->email;
$password = $request->password;
$conn = new mysqli("localhost", "root", "root", "mydb");
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$result = $conn->query("SELECT password FROM login WHERE email='$email'");
$rowcount = mysqli_num_rows($result);
if ($rowcount > 0) {
    $row = mysqli_fetch_row($result); // returning the required data correctly
    $bool = password_verify($password, $row[0]); // not working
    if ($bool) {
        echo "s";
    }
} else {
    echo "n";
}

?>
```

signup.php

```php
<?php
$postdata = file_get_contents("php://input");
$received_data = json_decode($postdata);
$firstname = $received_data->firstname;
$lastname = $received_data->lastname;
$email = $received_data->email;
$password = $received_data->password;
$conn = new mysqli("localhost", "root", "root", "mydb");
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$temp = password_hash($password, PASSWORD_BCRYPT);
$sql = "INSERT INTO login(id,firstname,lastname,email,password)VALUES(NULL,'$firstname','$lastname','$email','$temp')";
if (mysqli_query($conn, $sql)) {
    echo "success";
} else {
    echo "failed";
}
?>
```
Touheed Khan
Nagaraj Vemula
  • Your code is vulnerable to SQL injection, but [it's not hard to fix](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). What do you mean by "not working"? – Blender May 11 '17 at 04:54
  • Output `$password` and `$row[0]` to check that they contain what you expect. Btw, does your insert really work? You're setting `id` to `null`. Is your `id`-field really nullable? – M. Eriksson May 11 '17 at 04:57
  • Ya, my insert query is working because I just created the database table with id as auto increment – Nagaraj Vemula May 11 '17 at 05:00
  • I have the problem only with `$bool=password_verify($password , $row[0]);` it is not working – Nagaraj Vemula May 11 '17 at 05:02
  • So, output `$password` and `$row[0]` before your `password_verify()`-call and check that they contain what you expect. And check your database table if the record actually exists, as well. – M. Eriksson May 11 '17 at 05:05
  • Ya, I have the record in my database table – Nagaraj Vemula May 11 '17 at 05:14
  • Then it's just a matter of _output $password and $row[0] before your password_verify()-call and check that they contain what you expect_ (as I've asked you to do three times now). – M. Eriksson May 11 '17 at 05:16
  • Thank you so much for helping me out. I have found that the error is in sending the data to the PHP file. One more thing: I came to know that my code is vulnerable to SQL injection. How can I make my code stronger? – Nagaraj Vemula May 12 '17 at 11:07
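
On the last comment's question: the reg.php check rewritten with a bound parameter instead of string interpolation, as an added example that is not part of the original thread. It keeps the `login` table, its column names and the connection settings from the question, and assumes the mysqli extension.

```php
<?php
// Added example: hardened variant of the reg.php login check from the question.
// Table `login`, columns `email`/`password` and the connection settings are
// taken from the question as posted.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Decode the JSON body and reject it early when a field is missing or is not
// a string, so a malformed request never reaches password_verify().
$request = json_decode(file_get_contents("php://input"));
if (!is_object($request)
    || !isset($request->email, $request->password)
    || !is_string($request->email)
    || !is_string($request->password)) {
    http_response_code(400);
    exit("bad request");
}
$email = $request->email;
$password = $request->password;

$conn = new mysqli("localhost", "root", "root", "mydb");

// Prepared statement: the e-mail is sent as a bound parameter and is never
// concatenated into the SQL text, so it cannot change the query structure.
$stmt = $conn->prepare("SELECT password FROM login WHERE email = ?");
$stmt->bind_param("s", $email);
$stmt->execute();
$stmt->bind_result($hash);
$found = $stmt->fetch(); // true when a row was fetched, null when none matched
$stmt->close();
$conn->close();

// Same reply for "unknown e-mail" and "wrong password", so the response
// does not reveal which e-mail addresses are registered.
if ($found === true && password_verify($password, $hash)) {
    echo "s";
} else {
    echo "n";
}
```

The `INSERT` in signup.php takes the same treatment: one `?` placeholder per value and a matching `bind_param()` call, with the `password_hash()` output bound like any other string.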

0 Answers