I wrote a simple login script using PHP and MySQLi. The problem is that the password_verify() function returns an empty variable. I have double-checked everything, but I don't see it. Where is the problem?

```php
session_start();

if (isset($_POST["submit"])) {

    include_once("dbh.inc.php");

    // Get data from POST request
    $uid = mysqli_real_escape_string($conn, $_POST["uid"]);
    $passwd = mysqli_real_escape_string($conn, $_POST["passwd"]);

    // Check if fields are empty
    if (empty($uid) || empty($passwd)) {
        echo "One or more of inputs was left blank";
        exit();
    } else {
        $result = mysqli_query($conn, "SELECT * FROM users WHERE uid='$uid' OR email='$uid';");
        if (mysqli_num_rows($result) < 1) {

            // Forward to login page with GET failed=notFound
            header("Location: ../login.php?failed=notFound");
            exit();
        } else {
            if ($row = mysqli_fetch_assoc($result)) {
                $pwdCheck = password_verify($passwd, $row["pwd"]);
                if (!$pwdCheck) {
                    header("Location: ../login.php?failed=pwd");
                    exit();
                } elseif ($pwdCheck) {

                    // Login here
                    $_SESSION["id"] = $row["id"];

                    // Forward to login page with GET failed=0
                    header("Location: ../login.php?failed=0");
                    exit();
                }
            }
        }
    }
} else {
    header("Location: ../login.php");
    exit();
}
```
Samuel Stanek
  • `$passwd = mysqli_real_escape_string($conn, $_POST["passwd"]);` could be a problem.... don't manipulate the user's password in any way if you're using password_verify, you only need to escape values that you're injecting into an SQL query (and even then you should use bind vars rather than escaping) – Mark Baker Sep 11 '17 at 15:43
  • That doesn't work. – Samuel Stanek Sep 11 '17 at 15:54
  • So do some basic debugging.... check the password hash returned from the database query.... is it a long enough string? `var_dump()` the value returned from the `password_verify()` call? Is it a boolean true/false? (It will not be returning an empty var) But just saying "That doesn't work" is not a good way of describing a problem! – Mark Baker Sep 11 '17 at 15:57
  • I have checked the password returned from SQL, I have written out the result of password_verify(), but I didn't check the hash length. I set the max length of the varchar to 50 - there was the problem. Now it works. – Samuel Stanek Sep 11 '17 at 16:13

1 Answer


1) Be sure you are fetching the right details.

2) Be sure you are hashing the password correctly using password_hash($passwd, PASSWORD_DEFAULT) while inserting into the database.

3) Also be sure that the password column has a sufficient length, able to accept the whole hashed password.

4) Also avoid using mysql_escape_string($_POST['passwd']); some servers don't accept it. Try using htmlspecialchars_decode(trim($_POST['passwd']));

Adeojo Emmanuel IMM
  • ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Sep 11 '17 at 16:58
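
The two failure modes discussed on this page (a hash cut off by a VARCHAR(50) column, and a password altered by escaping before verification), reproduced without a database as an added example that is not code from the question or the answer. `isCompleteHash` is a hypothetical helper, the password is a constructed sample, and `addslashes()` stands in for `mysqli_real_escape_string()`.

```php
<?php
// Added example. The password is a constructed sample value.
$password = "S3cret' pass&word";

// Registration side: hash the raw password exactly as the user typed it.
$hash = password_hash($password, PASSWORD_DEFAULT);

// Simulates the VARCHAR(50) column from the question: a MySQL server that is
// not in strict SQL mode cuts an over-long value to the column width.
$truncated = substr($hash, 0, 50);

// Hypothetical helper: does a stored value still parse as a complete hash?
// password_get_info() reports algoName "unknown" for anything it cannot
// identify, which includes a bcrypt hash that has lost its tail.
function isCompleteHash(string $stored): bool
{
    return password_get_info($stored)['algoName'] !== 'unknown';
}

// addslashes() stands in for mysqli_real_escape_string(), which needs a live
// connection; both put a backslash in front of the quote in the password.
$escaped = addslashes($password);

$checks = [
    'length of full hash'               => strlen($hash),
    'full hash parses as complete'      => isCompleteHash($hash),
    'truncated hash parses as complete' => isCompleteHash($truncated),
    'raw password vs full hash'         => password_verify($password, $hash),
    'raw password vs truncated hash'    => password_verify($password, $truncated),
    'escaped password vs full hash'     => password_verify($escaped, $hash),
];

foreach ($checks as $label => $value) {
    echo str_pad($label, 36), var_export($value, true), PHP_EOL;
}
```

The PHP manual recommends a 255-character column for `PASSWORD_DEFAULT` hashes, since the algorithm and hash length can change over time. A check like `isCompleteHash` can be run over existing rows to find accounts whose stored hash was cut off and therefore need a password reset.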