-1

Okay, so I'm trying to make a register/login code for my personal website.
I had no troubles making the registration form but I'm having some difficulties with the login.
Here's a part of my code:

    $stmt = $pdo->prepare("SELECT password FROM members where username = ? ");
    $stmt->bindValue(1, $username);
    $stmt->execute();

Now, to my understanding, I need to fetch the first row from my table, convert it to a string and then use password_verify to compare that string to whatever the user inputs in the form I created. The problem I have is that it fetches an array and I can't really use password_verify to compare a string to an array.
Am I doing something wrong? How should I do this?
tl;dr How do I actually select a hashed password from DB, convert it to a string and then compare that string with the password my user will input.
Thanks.

A.lakkantha
steve88
  • 1
    the answers are all in the manuals for this; have you not consulted them? edit: this being a question that needs a response of "yes" or "no". Did you notice the question mark? – Funk Forty Niner Jul 19 '17 at 17:03
  • I am sorry if this has been asked before but I searched and didn't really find my answer, also been looking up the PHP manual for almost two hours. Could you point me in the right direction? – steve88 Jul 19 '17 at 17:09
  • 1
    [`password_verify()` The manual... Read it!](http://php.net/manual/en/function.password-verify.php) – RiggsFolly Jul 19 '17 at 17:10
  • consult the duplicate it was closed with and make sure the password column is min. 60 length. The manual says that 255 is a good bet. – Funk Forty Niner Jul 19 '17 at 17:11
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.4/authentication) built-in. – tadman Jul 19 '17 at 17:13

1 Answer

1

This library works on PHP 5.5+: use password_hash

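    $sql = "SELECT * FROM members WHERE username = ?";
    $stmt = $pdo->prepare($sql);
    // execute() returns a bool, so rows are fetched from the statement itself
    $stmt->execute([$_POST['username']]);
    // FETCH_OBJ makes each row an object, so ->password works below
    $users = $stmt->fetchAll(PDO::FETCH_OBJ);
    if (isset($users[0])) {
      // compare the submitted password against the stored hash
      if (password_verify($_POST['password'], $users[0]->password)) {
        // valid login
      } else {
        // invalid password
      }
    } else {
      // invalid username
    }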
Muhammad Usman
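An added example, not part of the answer above or the asker's code: it reads the stored hash as a plain string with `fetchColumn()`, which is what the question asks for, and returns the same result for an unknown username and a wrong password. The function name `verifyLogin`, the in-memory SQLite table and the sample account are assumptions made for illustration; it assumes PHP 7+ with the `pdo_sqlite` extension.

```php
<?php
// Added example. The in-memory SQLite table and the sample account are
// constructed stand-ins for the asker's `members` table.

function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    // Hash of a random throwaway value, checked when the user does not
    // exist so both paths cost one password_verify() call.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    // fetchColumn() returns the first column of the first row as a scalar,
    // or false when no row matched: a string, not an array.
    $hash = $stmt->fetchColumn();
    $known = is_string($hash);

    $ok = password_verify($password, $known ? $hash : $dummyHash);
    if (!$known || !$ok) {
        return false; // same result for unknown user and wrong password
    }

    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE members SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 255 characters leaves room for future hash formats, as the comments suggest.
$pdo->exec('CREATE TABLE members (username VARCHAR(64) PRIMARY KEY, password VARCHAR(255))');
$ins = $pdo->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(verifyLogin($pdo, 'alice', 'correct horse'));
var_dump(verifyLogin($pdo, 'alice', 'wrong'));
var_dump(verifyLogin($pdo, 'nobody', 'correct horse'));
```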