    // NOTE: $username is interpolated straight into the SQL (see the comments below)
    $query = "SELECT * FROM users WHERE username = '$username'";
    $query_run = mysqli_query($con, $query);

    if(mysqli_num_rows($query_run) < 1)
    {
        header("Location: ../index.php?login=username");
        exit();
    }
    else
    {
        if($row = mysqli_fetch_assoc($query_run))
        {
            // check the submitted password against the stored hash
            // (password_verify re-hashes $password with the stored salt/cost
            // and compares; nothing is "de-hashed")
            $hashedPwdCheck = password_verify($password, $row['password']);
            if($hashedPwdCheck == false)
            {
                header("Location: ../index.php?login=false");
                exit();
            }
            elseif($hashedPwdCheck == true)
            {
                //login the user here
                $_SESSION['u_name'] = $row['username'];
                $_SESSION['u_email'] = $row['email'];
                $_SESSION['u_password'] = $row['password'];
                $_SESSION['u_id'] = $row['userid'];

                header("Location: ../index.php?login=success");
                exit();
            }
        }
    }

Above is the login code.

Below is the register code that stores the password and hashes it.

                    else
                    {
                        //hashing password
                        $hashedPwd = password_hash($password, PASSWORD_DEFAULT);
                        //insert the user into the database
                        $query = "INSERT INTO users (username, email, password) VALUES ('$username', '$email', '$hashedPwd');";
                        mysqli_query($con, $query);

                        header("Location: ../register.php?register=success");
                        exit();
                    }

Please help, I'm a little confused as to why this isn't working.

Regards, Ross

  • What does this function password_verify do? Paste the content of this function... Another observation: this has SQL injection. – sumeet kumar Oct 06 '17 at 19:25
  • Is the column width where you're storing the passwords more than 60 characters long? – Jay Blanchard Oct 06 '17 at 19:25
  • Where does the $password variable come from? Also show your database schema. – Rotimi Oct 06 '17 at 19:26
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 06 '17 at 19:26
  • ***Do not store the password in a session variable!*** – Jay Blanchard Oct 06 '17 at 19:27
  • What possible reason do you have to store the users password anywhere except the hashed version in the database? – GrumpyCrouton Oct 06 '17 at 19:27
  • It should just be `if(password_verify($password, $row['password'])) {` – GrumpyCrouton Oct 06 '17 at 19:27
  • He can store it in a variable if he wants @GrumpyCrouton, it just isn't necessary. – Jay Blanchard Oct 06 '17 at 19:28
  • Show us the table details where the password is stored. – Jay Blanchard Oct 06 '17 at 19:29
  • There is no sql_injection as I have a function on my variables that turns the text inputted into plain text: mysqli_real_escape_string($con, $_POST['registerEmail']); The fix was that the column I was storing the password in was only 50 characters long. I upped that to 150 and it's working. Thank you all for your help :) – Oct 06 '17 at 19:29
  • ¯\\_(ツ)_/¯ @GrumpyCrouton – Jay Blanchard Oct 06 '17 at 19:32
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. – tadman Oct 06 '17 at 20:00
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it's worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Oct 06 '17 at 20:00

1 Answer

4

The column in which you're storing the hashed password is not long enough. It should be more than 60 characters and I suggest either VARCHAR(255) or TEXT to account for any future changes to the password_hash() function which may create longer hashes.

WARNING

You should not store the password in the session array as it exposes the potential for getting the password hijacked.

Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi.

"There is no sql_injection as I have a function on my variables that turns the text inputted in to plain text. mysqli_real_escape_string($con, $_POST['registerEmail']); "

Even escaping the string is not safe!

– Jay Blanchard
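The three fixes raised in the answer and comments (a password column wide enough for a full password_hash() string, prepared statements instead of interpolating user input into SQL, and a session that carries no password or hash) put together in one place. This is an added example, not the asker's or Jay Blanchard's code. It assumes the question's table and column names (users: userid, username, email, password), an open mysqli connection in $con, and that session_start() has already been called; the dummyHash() helper, hashFitsColumn() and the column widths passed to it are illustrative.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's or the answerer's code). Assumes the
// question's table and columns (users: userid, username, email, password),
// an open mysqli connection in $con, and that session_start() already ran.

// 1. Column width. password_hash() with PASSWORD_DEFAULT currently yields a
//    60-character bcrypt string; a VARCHAR(50) column silently truncates it,
//    so password_verify() can never succeed. VARCHAR(255) leaves headroom for
//    future default algorithms.
const USERS_TABLE_SQL = 'CREATE TABLE IF NOT EXISTS users (
    userid   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(64)  NOT NULL UNIQUE,
    email    VARCHAR(255) NOT NULL,
    password VARCHAR(255) NOT NULL
)';

// Deploy-time self-check: does a fresh hash fit the column width in use?
// hashFitsColumn(50) is false (the bug in the question); hashFitsColumn(255) is true.
function hashFitsColumn(int $columnWidth): bool
{
    return strlen(password_hash('probe', PASSWORD_DEFAULT)) <= $columnWidth;
}

// A throwaway hash of a fixed string, computed once per request, so that a
// login attempt for a non-existent user still costs one password_verify()
// and response time does not reveal which usernames exist.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('no-such-user', PASSWORD_DEFAULT);
    }
    return $hash;
}

// 2. Registration: parameters are bound, never interpolated into SQL, so a
//    username such as  x' OR '1'='1  is stored as data, not executed.
//    Only the hash of the raw submitted password is stored.
function registerUser(mysqli $con, string $username, string $email, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($con, 'INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
    mysqli_stmt_bind_param($stmt, 'sss', $username, $email, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Login: bound lookup, constant-cost verify, transparent hash upgrade, and a
// session holding only non-secret identifiers. Returns the user id, or null.
function loginUser(mysqli $con, string $username, string $password): ?int
{
    $stmt = mysqli_prepare($con, 'SELECT userid, username, password FROM users WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);   // needs mysqlnd; else use bind_result
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);

    $storedHash = $row['password'] ?? dummyHash();
    $verified = password_verify($password, $storedHash);
    if ($row === null || !$verified) {
        return null;   // same outcome for unknown user and wrong password
    }
    $userId = (int) $row['userid'];

    // Re-hash if PASSWORD_DEFAULT's algorithm or cost has changed since storage.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = mysqli_prepare($con, 'UPDATE users SET password = ? WHERE userid = ?');
        mysqli_stmt_bind_param($upd, 'si', $newHash, $userId);
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }

    // 3. Session: new id on privilege change (defeats fixation), and neither
    //    the password nor its hash goes in; the id is enough to load the user.
    session_regenerate_id(true);
    $_SESSION['u_id'] = $userId;
    $_SESSION['u_name'] = $row['username'];
    return $userId;
}
```

Run hashFitsColumn() against the width of your real column before going live: with the VARCHAR(50) from the question it returns false, which is exactly why password_verify() kept failing. Escaping with mysqli_real_escape_string() is not a substitute for the bound parameters above; it depends on the connection charset and does nothing for values used outside quotes, whereas a prepared statement sends the query text and the data separately.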